<![CDATA[#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's swithch"):#SoftwareSupplyChainSecurity👇]]>: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's swithch"):

👇

Link Preview Image
TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

favicon

Snyk (snyk.io)

]]>https://board.circlewithadot.net/topic/10f91082-bc4a-4841-a271-dec7bbc24a3f/npm-tanstack-npm-packages-84-in-total-compromised-in-a-supply-chain-hack-utilising-a-malicious-payload-designed-to-destroy-files-on-developer-machines-if-a-stolen-github-token-is-revoked-dead-man-s-swithch-softwaresupplychainsecurityRSS for NodeFri, 15 May 2026 07:07:23 GMTTue, 12 May 2026 07:02:16 GMT60