TanStack Mini Shai-Hulud: 84 npm Versions, CVE-2026-45321

Between 19:20 and 19:26 UTC on May 11, 2026, attackers published 84 malicious versions across 42 @tanstack/* npm packages using TanStack's own GitHub Actions release pipeline, not stolen npm tokens. Security researchers track the worm as Mini Shai-Hulud (CVE-2026-45321, CVSS 9.6). Within roughly 48 hours, OpenAI disclosed that two corporate devices were impacted and that the incident reached app signing keys for Windows, macOS, iOS, and Android.

If your monorepo uses TanStack Router or TanStack Start, this is the highest-urgency supply-chain story in Grok's May 30 trend list.

What happened in the TanStack compromise?

TanStack's official postmortem describes a six-minute publish window where malicious code rode the legitimate OIDC-backed release workflow in the TanStack/router repository. The attacker chain combined:

1. pull_request_target "Pwn Request" patterns
2. GitHub Actions cache poisoning across the fork-to-base trust boundary
3. Runtime memory extraction of an OIDC token from the Actions runner

No npm publish tokens were stolen. The pipeline itself published malware with valid identity.

Snyk documented the first case where an npm worm shipped valid SLSA Build Level 3 provenance attestations for malicious artifacts. Sigstore records were "true" in the narrow sense: the bad packages really were built by the compromised workflow on refs/heads/main.

Which TanStack packages were affected?

Affected (42 packages, 84 versions): primarily @tanstack/router* and @tanstack/start* families, including @tanstack/react-router (12M+ weekly downloads per security vendors).

Not affected per TanStack: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, @tanstack/store, and most other TanStack libraries.

Example safe upgrade path from community IOC tables:

See GHSA-g7cv-rxg3-hmpx and TanStack issue #7383 for the full matrix.

Why the worm spread beyond TanStack

Mini Shai-Hulud is attributed to TeamPCP, the same actor tied to earlier LiteLLM and Telnyx compromises. The May 11 wave was one branch of a campaign touching 170+ packages across npm and PyPI, including @mistralai/mistralai, large parts of @uipath/*, @opensearch-project/opensearch versions 3.5.3–3.8.0, and PyPI mistralai 2.4.6 / guardrails-ai 0.10.1 from an April 29 wave.

Propagation reused stolen OIDC identities to republish with the same injection pattern, which is why Fortune 500 CI/CD shops saw secondary victims within hours.

OpenAI impact: why developers should care about signing keys

OpenAI's disclosure that TanStack fallout touched platform signing keys raises the stakes beyond "rotate npm tokens." A compromised release laptop or CI runner in a consumer-app pipeline can become a supply-chain root for desktop and mobile updates.

Pair this incident with TrapDoor poisoning .cursorrules and CLAUDE.md and the earlier Bitwarden CLI Shai-Hulud wave. The pattern is consistent: trust CI, trust AI config, trust attestations only as far as workflow integrity holds.

Developer mitigation checklist

Pin and audit lockfiles for the exact bad @tanstack/router and @tanstack/start versions.

Rotate everything reachable from machines that installed bad versions: cloud IAM, GitHub PATs, signing certificates, mobile provisioning profiles if your org ships apps.

Disable dangerous GitHub Actions patterns: untrusted pull_request_target with write scopes, poisonable caches, and unreviewed workflow changes from forks.

Do not trust SLSA badges alone when the workflow that attests builds is the compromise vector.

Scan org-wide for Mini Shai-Hulud IOC strings and secondary worm packages from the same campaign window.

Key Takeaways

• May 11, 2026: 84 malicious npm versions across 42 @tanstack/* packages in ~6 minutes via compromised GitHub Actions (not stolen npm creds)
• CVE-2026-45321 rated CVSS 9.6; first known SLSA L3-attested malicious npm worm case widely documented
• @tanstack/query and table lines were not in scope; router/start families were
• OpenAI reported two impacted corporate devices and signing-key exposure within ~48 hours
• For developers: rotate broad secrets, fix workflow trust boundaries, treat provenance as necessary not sufficient
• What to watch: NHS Digital CC-4781 guidance, expanded TeamPCP package list, enterprise bans on risky Actions patterns

Frequently asked questions

What is the TanStack Mini Shai-Hulud attack?

It is a May 11, 2026 supply chain compromise where 84 malicious versions across 42 @tanstack npm packages were published through TanStack's legitimate GitHub Actions OIDC release pipeline, tracked as CVE-2026-45321.

Is TanStack Query safe?

TanStack stated @tanstack/query, table, form, virtual, store, and most non-router families were not affected. Only router/start-related packages were in the malicious publish set. Current published versions are described as safe after deprecation and npm removal of bad releases.

What is CVE-2026-45321?

CVE-2026-45321 is the identifier for the Mini Shai-Hulud npm/PyPI worm campaign with CVSS 9.6 in vendor advisories, including the TanStack May 11 wave.

Did OpenAI get hacked via TanStack?

OpenAI disclosed that two corporate devices were impacted by the broader supply chain fallout and that the incident reached app signing keys for major platforms. Treat that as a severity signal for any team running similar CI plus mobile release pipelines.

How is this different from the Bitwarden Shai-Hulud attack?

Both are GitHub Actions supply-chain worms, but TanStack's case added malicious SLSA L3 attestations on npm and hit one of the most downloaded React router stacks. Mitigation overlaps (rotate secrets, harden Actions) but scope checks differ by package namespace.