Mini Shai-Hulud: The Most Sophisticated NPM Supply Chain Attack of 2026
On May 11, 2026, the TanStack namespace was hit by a "Mini Shai-Hulud" supply chain attack. Unlike typical attacks, this did not involve stolen credentials; instead, the threat group TeamPCP hijacked the legitimate GitHub Actions release pipeline.
This video covers the technical details of the OIDC token extraction, the "Dead Man's Switch" that triggers an rm -rf / upon credential revocation, and the mandatory remediation order you must follow to save your data. We also discuss how to harden your workflow using release-age cooldowns and OIDC pinning.
Use Snyk for free to find and fix security issues in your applications today! https://snyk.co/ugLYn
✍️ Resources ✍️
- https://snyk.co/tanstack-npm-attack
- https://security.snyk.io/TanStack-npm-Supply-Chain-Compromise-May-2026
⏲️ Chapters ⏲️
00:00 TanStack npm Packages Compromise
00:59 What Happened
02:41 Are You Exposed?
03:25 CRITICAL: The Remediation Order
04:33 Credential Rotation Priority List
05:35 Prevent This From Happening Again
07:24 Summary & Final Checklist
⚒️ About Snyk ⚒️
Snyk helps you find and fix vulnerabilities in your code, open-source dependencies, containers, infrastructure-as-code, software pipelines, IDEs, and more! Move fast, stay secure.
Learn more about Snyk: https://snyk.co/ugLYl
📱 Connect with Us 📱
🖥️ Website: https://snyk.co/ugLYl
🐦 X: http://twitter.com/snyksec
💼 LinkedIn: https://www.linkedin.com/company/snyk
💬 Discord: https://discord.gg/devsecops-community-918181751526948884
- Subscribe: https://www.youtube.com/c/SnykSec
- 🔥 We're hiring! Check our open roles: https://snyk.co/ugLYp
🔗 Hashtags 🔗
#shaihulud #tanstack #cybersecurity #npm