On May 11, 2026, at 19:20 UTC, someone published a compromised version of @tanstack/react-router. Not an attacker with stolen credentials. The official TanStack release pipeline, with its verified OIDC identity, signed a malicious package with a perfectly valid SLSA Build Level 3 provenance.
Twelve million weekly downloads. A Sigstore certificate saying "this binary really came from that repo." All true. All authentic. All compromised.
It's called Mini Shai-Hulud, the fourth wave of a campaign TeamPCP has been running since 2025, and the name comes from Dune. The giant worms that cross the desert and devour everything. The metaphor is precise to the point of discomfort.
How you compromise a pipeline without stealing anything
The TanStack attack is a chain of three vulnerabilities, none of which would have been enough on its own.
First, a disguised fork (zblgg/configuration, renamed to slip past fork-list searches). Then a pull request that triggers a pull_request_target workflow, the GitHub Actions trigger that runs the attacker's fork code instead of the parent repo's. That code poisons the GitHub Actions pnpm cache.
When the legitimate maintainer, hours or days later, merges one of their PRs to main, the release workflow restores the poisoned cache and builds the package. At that point the attacker's binary reads the OIDC token straight from the runner's memory, from /proc/<pid>/mem, and publishes the malicious package with the official pipeline's cryptographic signature.
No stolen npm token. No compromised account. 2FA would have done nothing, because whoever published the package was, in a technical sense, the project's official pipeline.
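To see whether your own repositories expose the same first step, the check below flags workflows that combine pull_request_target with a checkout of the pull request's head. It is an added example, not code from TanStack or from the original article; the function name audit_workflows is made up for illustration, and it matches text rather than parsing YAML, so treat each hit as a prompt for manual review.

```shell
#!/bin/sh
# Added example: flag workflows that combine pull_request_target with a
# checkout of the pull request's head, the pattern described above.
# Text matching only (no YAML parsing): every hit needs a human look.

# audit_workflows REPO_DIR -> prints "RISK ..." lines, returns 1 if any.
audit_workflows() {
  wfdir="${1:-.}/.github/workflows"
  risky=0
  [ -d "$wfdir" ] || return 0
  for f in "$wfdir"/*.yml "$wfdir"/*.yaml; do
    [ -f "$f" ] || continue
    # Only workflows triggered by pull_request_target matter here.
    grep -q 'pull_request_target' "$f" || continue
    # Checking out the PR head puts fork-controlled code in a privileged job.
    if grep -Eq 'github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref' "$f"; then
      echo "RISK $f: pull_request_target + checkout of PR head"
      risky=1
      # A cache in the same workflow is the poisoning path described above:
      # the release workflow later restores what this job wrote.
      if grep -Eq 'actions/cache|cache:' "$f"; then
        echo "RISK $f: also uses a dependency cache"
      fi
    fi
  done
  return "$risky"
}

# Usage: sh audit.sh /path/to/checkout   (defaults to the current directory)
audit_workflows "${1:-.}" || echo "Review the flagged workflows before the next release."
```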
Snyk filed it as CVE-2026-45321, CVSS 9.6. Forty-two TanStack packages, eighty-four versions. Then the worm self-propagated. Mistral AI. UiPath. Guardrails AI. OpenSearch. By the end of the day Snyk counted 170 compromised packages, 518 million cumulative downloads.
The dead man's switch
The part that hits hardest isn't the sophistication of the vector. It's what the payload does once inside.
The malware installs persistence hooks inside Claude Code (~/.claude/setup.mjs, ~/.claude/router_runtime.js) and VS Code. It exfiltrates credentials through the Session network, a decentralized, end-to-end encrypted messenger, because there's no C2 to block anymore.
And then, to prevent token rotation, it plants a dead man's switch: a service (systemd on Linux, LaunchAgent on macOS) that hits api.github.com/user every sixty seconds with the stolen token. If the token gets revoked and GitHub returns 40x, the service runs rm -rf ~/. Home directory wipe. 24-hour TTL.
Before revoking a compromised token, you have to disarm the trigger. Look for ~/.local/bin/gh-token-monitor.sh, ~/.config/gh-token-monitor/, the LaunchAgent. Get the order wrong, you lose the files.
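A read-only pre-revocation check for the artifacts named above, as an added example that is not part of the original article. The function name check_deadman_switch is made up for illustration, and the search of the systemd user directory and ~/Library/LaunchAgents assumes the service definition mentions "gh-token-monitor", since the article does not give the unit or plist file names.

```shell
#!/bin/sh
# Added example: read-only check to run BEFORE revoking a token.
# It lists findings and removes nothing.

# check_deadman_switch [HOME_DIR]
# Prints one "FOUND ..." line per artifact; returns 0 if clean, 1 otherwise.
check_deadman_switch() {
  home="${1:-$HOME}"
  found=0

  # Monitor script, its config directory and the persistence hooks,
  # all taken from the article.
  for p in \
    "$home/.local/bin/gh-token-monitor.sh" \
    "$home/.config/gh-token-monitor" \
    "$home/.claude/setup.mjs" \
    "$home/.claude/router_runtime.js"
  do
    if [ -e "$p" ]; then
      echo "FOUND path: $p"
      found=1
    fi
  done

  # Assumption: the systemd user unit or LaunchAgent plist references
  # "gh-token-monitor"; the article does not name those files.
  for d in "$home/.config/systemd/user" "$home/Library/LaunchAgents"; do
    if [ -d "$d" ] && grep -rq -- 'gh-token-monitor' "$d" 2>/dev/null; then
      grep -rl -- 'gh-token-monitor' "$d" | sed 's/^/FOUND service: /'
      found=1
    fi
  done

  return "$found"
}

# Usage: sh check.sh [home-directory]   (defaults to $HOME)
if check_deadman_switch "${1:-$HOME}"; then
  echo "Clean: none of the listed artifacts found."
else
  echo "Do NOT revoke tokens yet: stop and remove the service first."
fi
```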
There's also a geopolitical clause in the code. If the system locale is Russian, the malware exits silently. If the system looks like it's in Israel or Iran, there's a branch with a 1-in-6 chance of running rm -rf /. Microsoft documented this while analyzing the Mistral package on PyPI. A malware with opinions.
What actually changed
For fifteen years, open source defense has been built around one idea: cryptographically sign binaries so we know where they come from. Sigstore, SLSA, provenance attestations, npm trusted publishing. All of this work rests on an implicit assumption: if the pipeline is authentic, the code is trustworthy.
Mini Shai-Hulud is the first documented case where that equivalence breaks cleanly and repeatably. The package was signed by the right pipeline. The pipeline ran the wrong code. The certificate is valid. The malware is inside.
A cryptographic signature no longer proves the code is clean. It proves only that it was built by the right pipeline. Those are different things.
It's not an isolated technical problem, it's a mental-model problem. We'll keep trusting provenance because it beats no provenance, but the old syllogism (signed package equals safe package) died on May 11 at 19:20 UTC.
What to do Monday morning
For anyone running Node repositories, the minimum procedure has changed. Standard npm install is no longer enough, because it runs preinstall and postinstall scripts automatically. The baseline pattern becomes npm ci --ignore-scripts, followed by npm audit --audit-level=moderate and npm audit signatures. The --ignore-scripts flag is the critical bit. It disables automatic execution of lifecycle hooks, which is exactly the Mini Shai-Hulud vector.
Then grep for known patterns: setup.mjs, bun_environment.js, references to SHA1HULUD, shai-hulud, strings like OhNoWhatsGoingOnWithGitHub in commits. Check whether there's a workflow discussion.yaml or shai-hulud-workflow.yml that nobody on your team added. Look for self-hosted runners registered with the name SHA1HULUD.
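The same sweep as a script, added here as an example and not taken from the original article or any vendor tool. The function name scan_repo is made up for illustration; every file name and string it looks for comes from the list above, and because setup.mjs is also a common legitimate file name, hits are leads to review by hand.

```shell
#!/bin/sh
# Added example: triage a checkout for the indicators listed above.
# Hits are leads for manual review, not verdicts.

# scan_repo DIR -> prints one "HIT ..." line per finding, returns 1 if any.
scan_repo() {
  dir="${1:-.}"
  hits=$(
    # 1. Payload file names, including copies inside node_modules.
    find "$dir" -path "$dir/.git" -prune -o -type f \
      \( -name 'setup.mjs' -o -name 'bun_environment.js' \) -print |
      sed 's/^/HIT file: /'

    # 2. Workflow files nobody on the team added.
    for wf in discussion.yaml shai-hulud-workflow.yml; do
      if [ -f "$dir/.github/workflows/$wf" ]; then
        echo "HIT workflow: $dir/.github/workflows/$wf"
      fi
    done

    # 3. Marker strings in file contents (-I skips binary files).
    grep -rIl --exclude-dir=.git -i \
      -e 'SHA1HULUD' -e 'shai-hulud' -e 'OhNoWhatsGoingOnWithGitHub' \
      "$dir" 2>/dev/null | sed 's/^/HIT string: /'

    # 4. The same markers in commit messages, when this is a git checkout.
    if [ -d "$dir/.git" ] && command -v git >/dev/null 2>&1; then
      git -C "$dir" log --all --oneline -i \
        --grep='OhNoWhatsGoingOnWithGitHub' --grep='shai-hulud' 2>/dev/null |
        sed 's/^/HIT commit: /'
    fi
  )
  if [ -z "$hits" ]; then
    return 0
  fi
  printf '%s\n' "$hits"
  return 1
}

# Usage: sh scan.sh /path/to/checkout   (does nothing without an argument)
if [ "$#" -gt 0 ]; then
  scan_repo "$1" || echo "Review the hits above before running any install."
fi
```

Runner registrations are not visible in a checkout, so the SHA1HULUD runner name still has to be checked in the repository or organization settings.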
On GitHub, enable Dependabot alerts, security updates, malware alerts, secret scanning, and push protection. On npm, switch to trusted publishing instead of tokens, and use WebAuthn instead of TOTP for 2FA.
If you find something, do not run npm install. Disarm the dead man's switch, then isolate the machine, then rotate the tokens. In that order.
The checklists aren't new. The awareness that you have to run them on signed packages too, that part is.
Why this matters if you don't write code
Every SaaS application you use is built on a chain of open source dependencies. TanStack is one of the most-used libraries in the React ecosystem. Mistral AI is the model someone built their internal chatbot on. Guardrails AI is the safety layer that's supposed to keep models from going off the rails. All compromised, all signed, all distributed by their official pipeline.
When people say "supply chain attack" it sounds like a specialist problem. It's actually the structural problem of a digital economy that outsourced trust to the code of strangers, then outsourced the verification of that code to cryptographic certificates, and is now finding out the certificates are certifying the wrong thing.
Frank Herbert wrote it. The desert is vast, the worm is invisible until it's too late, and the secret to crossing it is not walking in a regular rhythm. The release pipeline of open source software is the regular rhythm. TeamPCP is the worm. The spice, as always, must flow.