NEWS Mini Shai-Hulud infected 373 packages without violating any publication rules

pinkman

The attack used precisely the protection mechanisms that developers trusted most.

Mini Shai-Hulud has hit the supply chain again. Where the first wave of attacks affected SAP packages, the scheme has now grown to hundreds of infected versions and has started to target the places where the most valuable developer credentials are usually stored.

The new wave affected npm and PyPI, went through popular development tools and exposed an unpleasant detail: even 2FA, trusted publishing through GitHub Actions and a correct build provenance record do not guarantee that a published package is safe.

According to Aikido, 373 malicious versions were found across 169 npm packages. Wiz.io attributes the attack to the TeamPC group and writes that the operation began on May 11, 2026 and affected several namespaces at once. Endor Labs separately points to more than 160 compromised versions and stresses that 84 of them were @tanstack packages, including @tanstack/react-router with about 12 million downloads per week.

Beyond TanStack, the reports list the scopes @uipath, @mistralai, @squawk, @tallyui, @beproduct, @draftlab, @draftauth, @taskflow-corp and @tolka, as well as individual unscoped packages. Wiz.io also reported malicious versions of the PyPI packages guardrails-ai 0.10.1 and mistralai 2.4.6. The company later clarified that the payload for @uipath and @mistralai contained a bug that prevented the malicious code from running in those cases.

The most notable part of the attack involves TanStack. According to Wiz.io and Endor Labs, the attackers used a fork of the TanStack/router repository and a separate commit outside the main branch with hash 79ac49eedf740b04b04b04b04bC463cfe5885c. Although that commit was never part of the project's main history, GitHub allowed it to be addressed directly. In this way the attackers added a @tanstack/setup dependency with a script that runs Bun and the tanstack_runner.js file.

The compromised packages also received an obfuscated router_init.js file of about 2.3 MB. During installation, npm could run the lifecycle script from that git dependency, after which the malicious payload executed on the developer's machine or CI runner. Because the dependency was optional, a command failing with an error looked less suspicious.

A separate risk relates to trusted publishing through GitHub Actions. The attackers could obtain a short-lived npm token through OIDC and publish malicious versions without stealing long-lived npm keys. As a result, a build provenance record showed where the package was built, but did not prove that the build was authorized or safe.

The Mini Shai-Hulud payload searched for GitHub and npm tokens, GitHub Actions secrets, AWS, GCP and Azure cloud keys, Kubernetes tokens, HashiCorp Vault data, SSH keys and environment variables. On developer machines the malicious code could persist through files in .claude and .vscode. Wiz.io also describes a g-token-monitor daemon for macOS and Linux tied to GitHub token validation.

Several exfiltration channels were used, including the git-tanstack.com domain, the Session network via filev2.getges.org, and GitHub repositories with the theme "Dune". For Python, Wiz.io describes the download of transformers.pyz from git-tanstack.com and the theft of data, including 1Password and Bitwarden password vaults.

Aikido, Wiz.io and Endor Labs agree: Mini Shai-Hulud no longer simply steals secrets; it tries to turn developers' access and CI/CD into a new distribution channel.

Security teams should check lock files, caches, CI logs, router_init.js, tanstack_runner.js, setup.mjs, @tanstack/setup and any access to filev2.getges.org. Where there are signs that an infected version was run, rotate not only npm tokens but also GitHub credentials, cloud keys, Kubernetes and Vault secrets, and check your own packages for unexpected publications after May 11, 2026.
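A defender-side check for the indicators named above, added here as an example (it is not code from the report or from Aikido, Wiz.io or Endor Labs). It assumes the npm lockfile v2/v3 layout with a "packages" map and the "hasInstallScript" and "optional" flags npm writes there; the lockfile, package.json, fork URL and commit hash in it are constructed samples.

```python
import re

# Indicators taken from the report: a package name, lifecycle files and hosts.
SUSPECT_PACKAGES = {"@tanstack/setup"}
SUSPECT_FILES = ("router_init.js", "tanstack_runner.js", "setup.mjs")
SUSPECT_HOSTS = ("git-tanstack.com", "filev2.getges.org")
GIT_RESOLVED = re.compile(r"^git(\+[a-z]+)?://", re.IGNORECASE)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_lockfile(lock: dict) -> list[str]:
    """One finding per suspicious entry in the 'packages' map of an npm lockfile (v2/v3)."""
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        name = entry.get("name") or path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        if name in SUSPECT_PACKAGES:
            findings.append(f"{path}: package name is on the indicator list")
        if GIT_RESOLVED.match(resolved):
            # A git URL pinned to a commit can reference a commit that is on no branch.
            findings.append(f"{path}: resolved from git, not the registry ({resolved})")
        elif resolved and "registry.npmjs.org" not in resolved:
            findings.append(f"{path}: resolved from a non-registry host ({resolved})")
        if entry.get("optional") and entry.get("hasInstallScript"):
            findings.append(f"{path}: optional dependency that runs an install script")
    return findings

def audit_scripts(pkg: dict) -> list[str]:
    """Flag install-time hooks that run Bun, touch the named files or contact the named hosts."""
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        runs_bun = re.search(r"(^|[\s;&|])bun(\s|$)", cmd) is not None
        if runs_bun or any(f in cmd for f in SUSPECT_FILES) or any(h in cmd for h in SUSPECT_HOSTS):
            findings.append(f"scripts.{hook}: {cmd}")
    return findings

# Constructed samples (not real lockfile content); fork URL and commit hash are placeholders.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/@tanstack/setup": {"version": "0.0.1", "optional": True, "hasInstallScript": True,
        "resolved": "git+ssh://git@github.com/example-fork/router.git#COMMIT_SHA_PLACEHOLDER"}}}
SAMPLE_PKG = {"name": "@tanstack/setup", "scripts": {"postinstall": "bun run tanstack_runner.js"}}
```

Run both functions over the real package-lock.json and the package.json of every dependency that declares install hooks; a clean registry-only tree yields no findings.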