Several npm latest releases are compromised · Issue #7383 · TanStack/router

This Week In Security: Android Exposes ADB, ShinyHunters Get Paid, Robot Dogs, And More

Hackaday Mike Kershaw May 18, 2026

Google has patched an Android ADB bug in the May security patch set. If you have a Pixel phone you should already have the patches, and most other major manufacturers should be close behind. Unfort…

0 inbound links article en Hackaday ColumnsSecurity Hacks adbandroidbenn jordancopyfailcurlEximfccmalwaremicrosoftmythossecurityspamThis Week in Computer Securitytrojantwisunitree

Syntax - Tasty Web Development Treats

feed.syntax.fm Jun 25, 2010

0 inbound links en

TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages - StepSecurity

javascriptweekly.com Ashish Kurmi View LinkedIn May May 11, 2026

The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.

0 inbound links website en

Postmortem: TanStack npm supply-chain compromise | TanStack Blog

javascriptweekly.com

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.

0 inbound links

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

Snyk May 11, 2026

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

8 inbound links article en developersecuritydevopstecharticlesnyk-open-sourcesnyk-security-intelci-cdscmsbomsupply-chain-securitydevsecopsopen-source-securityvulnerability-insights

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

The Hacker News The Hacker News May 12, 2026

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.

1 inbound link article en Article

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

The Hacker News The Hacker News May 12, 2026

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.

4 inbound links article en Article

TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages - StepSecurity

stepsecurity.io Ashish Kurmi View LinkedIn May May 11, 2026

The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.

19 inbound links website en

Techmeme

Techmeme May 12, 2026

Top news and commentary for technology's leaders, from all around the web.

0 inbound links en

Postmortem: TanStack npm supply-chain compromise | TanStack Blog

tanstack.com

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.

35 inbound links