Maintainers of TanStack warned on May 11, 2026 that several npm “latest” releases may be compromised amid an active investigation into a self‑spreading supply‑chain attack in the npm ecosystem. Security researchers at Step Security called the campaign “Mini‑Shai‑Hulud,” describing techniques that allow malicious packages to propagate across projects. Because TanStack provides widely used front‑end libraries (including routers), tainted releases could introduce backdoors or exfiltration paths into many web applications. Developers are advised to audit dependencies, pin or lock known good versions, follow maintainer guidance, and monitor for indicators of compromise while the investigation continues.
TanStack supplies widely used front-end libraries, so compromised npm releases can introduce backdoors or data exfiltration paths into many web applications. Tech teams must treat dependency integrity as a critical security control during active supply-chain incidents.
Dossier last updated: 2026-05-14 07:33:47
OpenAI said it found no evidence of user data, production systems, intellectual property, or software tampering after a supply-chain attack on the open-source TanStack npm library. The company reported two employee devices in its office environment were impacted and that a small number of credentials from a related code repository were stolen. OpenAI isolated affected systems, temporarily restricted code deployment to limit impact, and is rotating code-signing certificates — an action that will require macOS users to update apps. The response aims to contain the incident and protect users and development workflows while further investigation continues.
OpenAI said on May 14 that after detecting the “Mini Shai-Hulud” supply-chain attack targeting popular TanStack npm packages, its security team quickly investigated internal systems and found no evidence of user data leakage or unauthorized access. OpenAI added that core services were not directly compromised, but as a precaution it requires macOS users of its official apps to update their software by June 12, 2026 to secure local environments. The statement follows broader industry alerts about malicious npm packages affecting many projects and underscores the continuing risk of open-source supply-chain attacks to developers and platform operators.
A developer released safe-install, an npm package that hardens Node.js installs by disabling install/build scripts by default and allowing a curated list of trusted dependencies to run such scripts. Inspired by Bun’s trusted dependencies and pnpm’s blockExoticSubdeps, safe-install also blocks unusual or 'exotic' sub-dependencies to reduce attack surface from npm supply-chain compromises. The tool fills gaps the author says npm hasn’t addressed yet, giving projects a way to explicitly permit only known packages to execute potentially dangerous install-time code. This matters because recent supply-chain attacks have abused install scripts and obscure nested dependencies to execute malicious payloads during package installation.
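As an added illustration of the two controls described above (install-script allowlisting and blocking of non-registry sub-dependencies), here is a small manifest audit; it is example code, not code from safe-install, Bun or pnpm. It assumes that an "exotic" specifier means any non-registry source (git, URL, tarball, file path, owner/repo shorthand) and runs over constructed sample manifests.

```javascript
// Added example, not code from safe-install, Bun or pnpm. Audits package
// manifests for the two install-time risks the text describes.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumption: an "exotic" specifier is anything that is not a registry
// version range or tag: git, http(s), ssh, file paths, tarballs, or the
// owner/repo GitHub shorthand. These bypass registry version pinning and
// the lockfile integrity hashes that a registry install would carry.
function isExoticSpec(spec) {
  return /^(git(\+\w+)?:|https?:|ssh:|file:|github:|gitlab:|bitbucket:|[\w-]+\/[\w.-]+(#|$))/.test(spec)
    || /\.(tgz|tar\.gz)$/.test(spec);
}

// trusted: Set of package names explicitly permitted to run install scripts
// (the allowlist idea behind trusted dependencies).
function auditManifests(manifests, trusted) {
  const findings = [];
  for (const m of manifests) {
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    if (hooks.length > 0 && !trusted.has(m.name)) {
      findings.push({ package: m.name, kind: 'untrusted-install-script', detail: hooks.join(',') });
    }
    const deps = { ...(m.dependencies || {}), ...(m.optionalDependencies || {}) };
    for (const [dep, spec] of Object.entries(deps)) {
      if (isExoticSpec(spec)) {
        findings.push({ package: m.name, kind: 'exotic-dependency', detail: `${dep}@${spec}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifests (package names and contents are made up).
const SAMPLE_MANIFESTS = [
  { name: 'native-helper-example', scripts: { preinstall: 'node setup.js', test: 'jest' },
    dependencies: { lodash: '^4.17.21' } },
  { name: 'trusted-build-tool', scripts: { postinstall: 'node install.js' } },
  { name: 'demo-app', dependencies: { react: '^18.2.0',
    'some-fork': 'git+https://github.com/example/some-fork.git', 'local-thing': 'file:../local-thing' } },
];
const TRUSTED = new Set(['trusted-build-tool']);

// Only the untrusted preinstall and the two non-registry specifiers are reported.
for (const f of auditManifests(SAMPLE_MANIFESTS, TRUSTED)) {
  console.log(`${f.kind}: ${f.package} (${f.detail})`);
}
```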
Maintainers of TanStack alerted the community on May 11, 2026 that several npm "latest" releases may be compromised after an active investigation linked to a reported self‑spreading supply‑chain attack in the npm ecosystem. The issue references Step Security’s analysis titled “Mini‑Shai‑Hulud is back,” which describes a malicious campaign targeting npm packages to propagate across projects. This matters because TanStack libraries (popular front‑end tools such as router and related packages) are widely used; compromised releases could infect downstream applications, expose users to backdoors or exfiltration, and erode trust in the JavaScript supply chain. Developers should audit dependencies, pin safe versions, and follow maintainer guidance while the investigation continues.
Maintainers of TanStack alerted users that several npm 'latest' releases may be compromised after a security incident reported May 11, 2026. The repository issue links to an investigation by Step Security detailing a self-spreading supply-chain attack (nicknamed 'mini-shai-hulud') impacting the npm ecosystem; TanStack maintainers are actively investigating and sharing findings. This matters because TanStack projects (popular JS libraries such as router packages) are widely used in web applications, so malicious npm releases could propagate malware or backdoors across many downstream projects and production services. Developers and security teams should audit dependencies, lock versions, and monitor for supply-chain indicators of compromise.