## Threat Actor 'mini-shai-hulud' Compromises Multiple Tanstack NPM Packages in Supply Chain Attack
Security researchers at Wiz.io have identified a new wave of supply chain attacks targeting the Tanstack ecosystem, with the threat actor tracked as "mini-shai-hulud" injecting malicious code into multiple NPM packages. The attack follows a pattern consistent with sophisticated open-source supply chain intrusions, where legitimate packages were compromised to distribute malware to downstream developers and applications.

The compromised packages, which appear to be associated with Tanstack's popular JavaScript and TypeScript libraries, were modified to include malicious payloads designed to exfiltrate sensitive data or establish unauthorized access channels. Researchers noted that the attack leveraged trusted package maintainer accounts and version publishing mechanisms, making detection challenging for developers relying on standard security scanning practices. The timing and execution suggest careful reconnaissance of the open-source ecosystem's dependency chains.

This incident highlights the ongoing vulnerability of the NPM registry to typosquatting, dependency confusion, and account takeover attacks. Organizations using Tanstack packages are urged to audit their dependency trees, verify package integrity through checksums, implement lockfile pinning, and monitor for unexpected network communications or environment variable access in their build pipelines. The Wiz research team continues to track mini-shai-hulud's activities, warning that the actor may expand targeting to additional widely used open-source projects.

---
- **Source**: Mastodon:mastodon.social:#infosec
- **Sector**: The Lab
- **Tags**: supply-chain-attack, npm, tanstack, malware, open-source-security
- **Credibility**: unverified
- **Published**: 2026-05-12 21:18:23
- **ID**: 82364
- **URL**: https://whisperx.ai/en/intel/82364