On May 11, 2026, a novel supply chain attack infected 84 npm packages across 42 TanStack libraries by exploiting GitHub Actions workflows and extracting OIDC tokens from build runners. This unprecedented incident allowed attackers to publish malicious code with cryptographically valid SLSA Build Level 3 provenance, deceiving downstream consumers and escalating risk to millions of developers and organizations relying on these packages worldwide.

  • Malicious artifacts carried cryptographically valid SLSA Build Level 3 proofs.
  • Attack exploited GitHub Actions, token exposure, and cache poisoning in CI pipelines.
  • Compromise affects millions of weekly npm downloads, including AI and automation tools.

Threat signal

The attack is distinguished by its use of a sophisticated worm, dubbed Mini Shai Hulud, which not only manipulates the release pipeline but also produces valid SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 attestations. Such an attestation is a cryptographic certificate that typically assures consumers that a package was built in a trusted environment. The deception is that the build process itself was legitimate, but the source code being built was maliciously altered because the attacker controlled the build runner mid-execution.

This method represents a new class of supply chain threat that effectively bypasses current provenance verification methods, challenging the fundamental assumption that artifacts carrying SLSA attestations are safe to consume. Additionally, the rapid spread of these compromised packages across thousands of repos and integrations highlights the critical risk in automated dependency ecosystems, especially those supporting AI and cloud-native software development.

Operator exposure

Operators must recognize that installation or use of any affected TanStack packages on or around May 11, 2026, potentially compromises their environment’s secrets and credentials. The attacker obtained and abused OpenID Connect (OIDC) tokens from GitHub Actions runners’ memory, granting access to otherwise secured release identities. This exposure enables widespread credential theft and subsequent lateral movement within CI/CD infrastructure and cloud accounts linked to these tokens.

The scenario serves as a cautionary example of identity and token management risks in automated build environments. Organizations that do not tightly control and audit ephemeral credentials risk systemic exposure from a single compromised step in their software supply chain. Immediate remediation includes rotating all secrets accessible to impacted build hosts and reviewing CI workflow configurations to limit token scope and lifetime.

What teams should watch

Security and development teams should proactively audit their dependency trees for impacted versions of @tanstack/* npm packages and any downstream consumer packages noted by trusted vulnerability databases. Confirming the absence of these compromised builds is critical, given the volume of downloads and the broad usage of these components in AI frameworks and cloud automation platforms.
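One way to run the dependency-tree audit described above, as an added example that is not from the original briefing or from Snyk. The `ADVISORY` map and the package name and versions in it are constructed placeholders, since the page lists no affected versions; populate it from a trusted vulnerability database.

```javascript
// ADVISORY is a constructed placeholder: name -> affected versions.
const ADVISORY = { '@tanstack/example-pkg': ['0.0.0-PLACEHOLDER'] };

// Constructed sample shaped like an npm lockfile v3 "packages" map.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/example-pkg': { version: '0.0.0-PLACEHOLDER' },
    'node_modules/ui-kit/node_modules/@tanstack/example-pkg': { version: '9.9.9' },
    // Aliased install: the folder name hides the real package name.
    'node_modules/table-alias': { name: '@tanstack/example-pkg', version: '0.0.0-PLACEHOLDER' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// "node_modules/a/node_modules/@scope/x" -> "@scope/x"
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every installed @tanstack/* copy, including nested and aliased ones.
function collectTanstack(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '' || !meta.version) continue; // skip root project and links
    const name = meta.name || nameFromPath(path);
    if (name && name.startsWith('@tanstack/')) found.push({ name, version: meta.version, path });
  }
  if (found.length || !lock.dependencies) return found;
  // Lockfile v1 fallback: walk the nested "dependencies" tree.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name.startsWith('@tanstack/')) found.push({ name, version: meta.version, path: here.join(' > ') });
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Mark each copy whose exact version appears in the advisory map.
function auditLockfile(lock, advisory) {
  return collectTanstack(lock).map((e) => ({ ...e, flagged: (advisory[e.name] || []).includes(e.version) }));
}

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK, ADVISORY), null, 2));
```

To audit a real project, pass the parsed contents of its `package-lock.json` in place of `SAMPLE_LOCK`; unflagged `@tanstack/*` entries are still listed so they can be rechecked as advisories are updated.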

Moreover, teams must enhance monitoring for anomalous GitHub Actions activity, especially unusual pull requests and workflow runs that might indicate attempted pipeline hijacking. Strengthening CI/CD identity lifecycle management with least privilege, ephemeral tokens, and robust attestation verification that goes beyond the mere presence of SLSA certificates will help mitigate evolving supply chain attack techniques.

Source assisted: This briefing began from a discovered source item from Snyk Blog.