Attackers stole a limited amount of internal credential material after malware hidden in poisoned packages reached two staff machines

TeamPCP’s Mini Shai-Hulud campaign used hijacked GitHub OIDC tokens to spread a credential-stealing worm through TanStack npm packages.

Six-minute supply chain blitz pushed 84 malicious versions with credential theft and disk-wiping code

Hundreds of packages across npm and PyPI have been compromised in a new Shai-Hulud supply-chain campaign delivering credential-stealing malware targeting developers.

Hundreds of software packages are affected, once again threatening enterprise credentials on coders’ machines.

TanStack had 2FA, OIDC publishing, and Sigstore provenance on every release. The Mini Shai-Hulud worm published 84 malicious versions anyway. The CI/CD Trust-Chain Audit Grid maps…

Where it’s been well and truly forked, seemingly without Microsoft’s code locker noticing

May 14: OpenAI said on Wednesday it found no evidence that its user data was accessed after a security issue involving a supply-chain attack on TanStack npm, an open-source…

OpenAI says two employees' devices were breached in the recent TanStack supply chain attack that impacted hundreds of npm and PyPI packages, causing the company to rotate…

Mini Shai-Hulud hit 2 OpenAI devices via TanStack, exposing limited credentials and forcing macOS certificate updates by June 12, 2026.