On May 11, 2026, a sophisticated supply chain attack dubbed Mini Shai-Hulud compromised 84 npm package artifacts across 42 @tanstack/* packages, plus secondary victims including @mistralai/* and UiPath packages. The attack chained three vulnerabilities: a 'Pwn Request' via pull_request_target misconfiguration, GitHub Actions cache poisoning, and OIDC token extraction from runner memory. This is the first documented npm supply chain attack producing valid SLSA Build Level 3 provenance attestations, because the attacker hijacked the legitimate build pipeline itself. The payload (router_init.js) performed extensive credential harvesting across AWS, GCP, Kubernetes, HashiCorp Vault, GitHub, and even Claude Code session history files, exfiltrating data via the Session P2P network. A dangerous dead-man's switch destroys the user's home directory if stolen tokens are revoked before the malware is removed. Remediation requires disabling persistence mechanisms before rotating credentials, auditing GitHub Actions OIDC configurations, blocking *.getsession.org at DNS level, and not relying solely on SLSA provenance for supply chain trust.
Table of contents
TanStack npm packages compromised: inside the Mini Shai-Hulud supply chain attackWave four: campaign contextWhat got hitHow the attack worked: three chained vulnerabilitiesInside the payload: router_init.jsThe SLSA provenance problemWhat to do right nowSnyk's coverageSummary: indicators of compromiseStart securing your Python appsSort: