Security Boulevard

The TanStack Breach and the Fragility of Trusted Code

On May 11, 2026, several TanStack packages on npm were briefly replaced with malicious versions, raising fresh concerns about how attackers can use trusted open-source software to reach developer ...
Cryptopolitan on MSN

Mistral AI and TanStack hit in supply chain attack with SLSA-attested malware

Attackers compromised the official Mistral AI Python package on PyPI along with hundreds of other widely-used developer packages, exposing GitHub tokens, cloud credentials, and password vaults across ...

Supply chain attack on TanStack: 42 packages compromised

Numerous TanStack packages on npm have suffered a supply chain attack, apparently as part of the “Mini Shai-Hulud” attack wave.

Protect your enterprise now from the Shai-Hulud worm and npm vulnerability in 6 actionable steps

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps the six gaps it ...