42 TanStack npm packages got hijacked on May 11, 2026, and the malware they shipped is built to wipe your home directory the second you try to revoke the stolen GitHub token.

The attack chain stacked three GitHub Actions weaknesses, and per TanStack's postmortem each was necessary. A fork PR using pull_request_target poisoned the shared dependency cache with a tampered pnpm store. When a legitimate PR got merged the next day, the release workflow pulled that cache, scanned the runner process's memory, and lifted the OIDC token that grants TanStack's trusted-publisher access to npm — publishing straight to the @tanstack scope.

Because the publish came from the real workflow with the real token, the malicious packages carry valid SLSA Build Level 3 provenance attestations. Per StepSecurity, this is the first documented npm worm to ship validly-attested malicious packages. Researcher Nicholas Carlini flagged the compromise about twenty minutes after publish.

The payload also installs a gh-token-monitor service (systemd on Linux, LaunchAgent on macOS) that polls GitHub's user API every sixty seconds; if it gets a 401, it runs rm -rf on the home directory. Researchers are calling this self-propagating worm family Mini Shai-Hulud, linked to a group calling itself TeamPCP.

TanStack's postmortem advises that anyone who installed an affected version on May 11 should treat that host as potentially compromised — rotate credentials before revoking the GitHub token.

Sources:
TanStack postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
StepSecurity analysis: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Socket coverage: https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
Carlini's GitHub issue: https://github.com/TanStack/router/issues/7383

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.
#cybersecurity #npm #supplychainattack
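
For maintainers checking their own repos, here is an added example (not from TanStack's postmortem or the other sources above) of a heuristic audit for the first weakness in the chain: a workflow triggered by pull_request_target that also checks out the PR head and touches a dependency cache. The sample workflow files, flag names and regex patterns are assumptions made for this example.

```python
import re

# Constructed sample workflows for the demo; not TanStack's real files.
SAMPLES = {
    "pr-check.yml": (
        "on:\n  pull_request_target:\njobs:\n  test:\n    steps:\n"
        "      - uses: actions/checkout@v4\n        with:\n"
        "          ref: ${{ github.event.pull_request.head.sha }}\n"
        "      - uses: actions/setup-node@v4\n        with:\n          cache: pnpm\n"
        "      - run: pnpm install\n"
    ),
    "ci.yml": (
        "on:\n  pull_request:  # not pull_request_target\njobs:\n  test:\n    steps:\n"
        "      - uses: actions/checkout@v4\n      - run: pnpm install\n"
    ),
}

# Heuristic patterns (assumptions of this example, not an exhaustive ruleset).
TRIGGER = re.compile(r"^\s*pull_request_target\s*:|^on:.*\bpull_request_target\b", re.M)
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|refs/pull/")
CACHE = re.compile(r"uses:\s*actions/cache(/save)?@|^\s*cache:\s*\S", re.M)


def audit_workflow(text):
    """Return the set of risk flags found in one workflow file's text."""
    body = re.sub(r"#.*", "", text)  # drop YAML comments so they cannot match
    if not TRIGGER.search(body):
        return set()
    flags = {"pull_request_target"}
    if PR_HEAD.search(body):
        flags.add("checks_out_pr_head")     # fork-controlled code runs in the job
    if CACHE.search(body):
        flags.add("uses_dependency_cache")  # job can save into the shared cache
    return flags


def audit(workflows):
    """Map filename -> flags, keeping only workflows that have the trigger."""
    results = {name: audit_workflow(text) for name, text in workflows.items()}
    return {name: flags for name, flags in results.items() if flags}


if __name__ == "__main__":
    for name, flags in audit(SAMPLES).items():
        level = "HIGH" if len(flags) == 3 else "review"
        print(f"{name}: {level} {sorted(flags)}")
```

To audit a real repo, build the dict from the files under .github/workflows; a workflow with all three flags is the one to review first.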
