42 TanStack Packages Compromised, 12 Million Weekly Downloads Poisoned: The npm Supply Chain Attack Every Vibe Coder Must Understand
By EndOfCoding
On May 11, 2026, security researchers at Socket disclosed that 42 @tanstack/* packages — covering TanStack Query, Table, Router, Form, and their full ecosystem — were compromised in an attack named Mini Shai-Hulud. The attack also hit @mistralai packages. Combined weekly downloads: over 12 million. The mechanism was novel and deeply alarming: attackers hijacked OIDC (OpenID Connect) tokens in GitHub Actions CI/CD pipelines to publish malicious package versions that carried valid SLSA Build Level 3 attestations. This is the first documented npm worm that successfully bypassed one of the most trusted supply chain security certifications in the Node.js ecosystem. For vibe coders, this attack is not an abstract enterprise security problem. TanStack Query is in millions of React and Next.js applications — possibly including apps you've shipped or are actively building. If you've run npm install in the last 48 hours on any project using @tanstack/* or @mistralai/* packages, you need to read this post before continuing.
What You'll Learn
You'll understand exactly how the Mini Shai-Hulud attack worked and why it bypassed SLSA Build Level 3 attestation, which packages were compromised and what the malicious payload did, the specific vibe coding workflows that make this attack vector more dangerous (and what to do about them), a concrete 30-minute remediation checklist for any project using @tanstack/* packages, and the supply chain security practices that should be standard in every vibe-coded application going forward.
How the Mini Shai-Hulud Attack Worked
The technical mechanism is what makes this attack historically significant:
Mini Shai-Hulud Attack Chain (May 11, 2026):
Step 1: GitHub Actions OIDC token hijack
├── TanStack packages are published via GitHub Actions CI/CD
├── GitHub Actions uses OIDC (OpenID Connect) to authenticate with npm
│ without storing long-lived API keys in the repository
├── OIDC works by GitHub issuing short-lived JWT tokens to the runner
│ that npm trusts for the duration of the publish workflow
├── Attack vector: the attacker compromised a dependency of the publish
│ workflow itself — injecting code that exfiltrated the OIDC token
│ during a legitimate CI run before it expired
└── Result: attacker had a valid, short-lived npm publish token for
the @tanstack scope
Step 2: Malicious publish with valid attestation
├── Attacker published malicious versions of 42 packages using the
│ stolen OIDC token — appearing as legitimate TanStack CI publishes
├── Because the publish used the authentic TanStack GitHub Actions runner
│ context (via the stolen token), the packages received valid
│ SLSA Build Level 3 provenance attestations
├── SLSA Level 3 attestation means: 'this was built by the expected CI
│ system from the expected source — no tampering'
├── The attestation was technically accurate for the publish mechanism,
│ not for the content — a subtle but critical distinction
└── npm's attestation verification passes: the package 'looks' legitimate
to automated supply chain checks
Step 3: npm worm behavior
├── The malicious packages included code that could propagate to
│ other packages in the same publisher scope
├── This is the 'worm' component: once published, the malicious code
│ attempted to spread to additional @tanstack/* packages
├── Affected packages: 42 @tanstack/* packages + @mistralai packages
└── Total exposure: 12M+ weekly downloads across affected packages
The payload:
├── Credential harvesting: reads environment variables containing API keys,
│ database URLs, and secrets common in Next.js/Vite development environments
├── Data exfiltration: sends harvested credentials to attacker-controlled endpoint
└── Persistence: installs a postinstall hook that re-executes on every npm install
This is why it's historically significant: previous supply chain attacks required either compromising the maintainer's npm account (stopped by 2FA) or injecting into the source repository (stopped by signed commits). Mini Shai-Hulud found a third vector: compromise the CI/CD workflow itself, where the token is live and legitimate during the publish window.
Why Vibe Coding Makes This Attack More Dangerous
Vibe coding workflows have specific characteristics that amplify supply chain attack risk:
Vibe coding supply chain risk amplifiers:
1. Frequent dependency installation in dev environments
├── Vibe coders spin up new projects constantly — each new project
│ runs npm install and pulls fresh copies of all dependencies
├── Dev environments often have more sensitive env vars than production:
│ → Database admin connections, not read-only replicas
│ → Full Stripe/Anthropic/Supabase API keys, not restricted ones
│ → GitHub personal access tokens with broad repo permissions
└── The malicious postinstall hook runs on EVERY npm install
— including the casual 'let me try this in a new project' workflow
2. AI-generated code often imports popular packages without pinning
├── When you ask Claude Code or Cursor to scaffold a project,
│ the generated package.json typically uses ^ (caret) semver ranges
├── Caret ranges mean: npm installs the latest compatible version,
│ not the version that was vetted when the code was generated
├── A compromised minor or patch version of @tanstack/react-query
│ that satisfies ^5.0.0 will be installed silently
└── Most vibe coders don't review package.json lockfile changes
after AI generates project scaffolding
3. Cloud IDE and agent environments have elevated credentials
├── Claude Code, Cursor, and similar tools often run with access to:
│ → Your full development file system (including .env files)
│ → Your git credentials
│ → Your local AWS/GCP/Azure CLI credentials
├── If a compromised package runs in this environment, it has access
│ to all of the above — far beyond a normal npm package's scope
└── The attack surface of a 'just install and try it' vibe coding workflow
includes credentials that secure production systems
4. Shared dev containers and AI workspaces
├── Many vibe coders share dev containers, Gitpod environments, or
│ GitHub Codespaces configurations across projects
├── A compromised package in one project's install can affect secrets
│ that are mounted into all projects in a shared workspace
└── The blast radius is larger in multi-project shared environments
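Amplifier 2 above is the one a script can fix: a package.json full of caret ranges on @tanstack/* will pull whatever newest compatible version the registry serves. The block below is an added example, not code from the post or from TanStack. It pins every watchlisted dependency to the exact version the lockfile already resolved, so the next npm ci cannot drift. The package.json and package-lock.json objects are constructed samples, and the version numbers in them are invented placeholders, not the compromised versions (the post does not list those); in real use, read the two files from disk with fs and write the returned package.json back.

```javascript
// Added example (not from the post or from TanStack): rewrite caret/tilde
// ranges for watchlisted packages to the exact version the lockfile resolved.
// Both inputs below are constructed samples with made-up version numbers.

const SAMPLE_PACKAGE_JSON = {
  name: 'vibe-app',
  dependencies: {
    '@tanstack/react-query': '^5.0.0',
    '@tanstack/react-table': '~8.10.0',
    react: '^18.2.0',
  },
  devDependencies: {
    '@tanstack/react-query-devtools': '^5.0.0',
  },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'vibe-app' },
    'node_modules/@tanstack/react-query': { version: '5.51.1' },
    'node_modules/@tanstack/react-table': { version: '8.10.7' },
    'node_modules/@tanstack/react-query-devtools': { version: '5.51.1' },
    'node_modules/react': { version: '18.3.1' },
    // A nested copy must not shadow the top-level resolution.
    'node_modules/some-lib/node_modules/@tanstack/react-query': { version: '4.36.1' },
  },
};

// Scope prefixes the post treats as security-critical.
const WATCHLIST = ['@tanstack/', '@mistralai/'];

// Map each top-level installed package to its resolved version.
// Lockfile v2/v3 keep a "packages" map keyed by path; v1 keeps
// "dependencies" keyed by name.
function installedVersions(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path.startsWith('node_modules/')) continue;
      const name = path.slice('node_modules/'.length);
      if (name.includes('node_modules/')) continue; // nested copy, skip
      if (entry.version) out[name] = entry.version;
    }
  } else if (lock.dependencies) {
    for (const [name, entry] of Object.entries(lock.dependencies)) {
      if (entry.version) out[name] = entry.version;
    }
  }
  return out;
}

function isWatched(name) {
  return WATCHLIST.some((prefix) => name.startsWith(prefix));
}

// Returns a copy of package.json with watched ranges pinned, plus the list
// of {name, from, to} changes so the diff can be reviewed before committing.
function pinWatchedDependencies(pkg, lock) {
  const versions = installedVersions(lock);
  const result = JSON.parse(JSON.stringify(pkg)); // do not mutate the input
  const changes = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const deps = result[field];
    if (!deps) continue;
    for (const [name, range] of Object.entries(deps)) {
      if (!isWatched(name)) continue;
      const exact = versions[name];
      // Leave unresolvable ranges and already-exact versions untouched.
      if (!exact || range === exact || !/^[\^~]/.test(range)) continue;
      deps[name] = exact;
      changes.push({ name, from: range, to: exact });
    }
  }
  return { pkg: result, changes };
}

// Demo run on the constructed samples.
for (const c of pinWatchedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE).changes) {
  console.log(`${c.name}: ${c.from} -> ${c.to}`);
}
```

The script pins only the watchlisted scopes on purpose: pinning everything makes every Dependabot update a lockfile-plus-manifest change, while pinning the security-critical packages keeps the AI-scaffolded caret ranges for the rest. Review the printed changes, then commit package.json and the lockfile together.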
Which Packages Were Compromised
Socket's disclosure covers these confirmed affected packages:
Confirmed compromised @tanstack/* packages (check against your package.json):
Core packages (highest exposure):
├── @tanstack/react-query — React data fetching, 9M+ weekly downloads
├── @tanstack/query-core — Core query logic
├── @tanstack/react-table — Headless table UI, 2M+ weekly downloads
├── @tanstack/react-router — File-based routing for React
├── @tanstack/react-form — Form state management
├── @tanstack/react-virtual — Virtual scrolling
└── @tanstack/store — Framework-agnostic state management
Additional affected packages:
├── @tanstack/vue-query, @tanstack/angular-query, @tanstack/solid-query
├── @tanstack/query-async-storage-persister
├── @tanstack/query-broadcast-client-experimental
├── @tanstack/react-query-devtools
└── [Full list of 42 packages at Socket's disclosure URL]
@mistralai affected packages:
├── @mistralai/mistralai — Main Mistral AI SDK, 500K+ weekly downloads
└── [Check Socket's disclosure for full list]
Versions: specific compromised version numbers were not fully disclosed
at time of writing — check Socket's blog and GitHub Security Advisories
for the precise version ranges.
30-Minute Remediation Checklist
If any project you work on uses these packages, follow this checklist now:
Immediate remediation (do this before writing another line of code):
□ Step 1: Check if you installed compromised versions (5 minutes)
→ Run: npm audit in each affected project
→ Check: your package-lock.json for @tanstack/* and @mistralai/*
→ Cross-reference: against Socket's published compromised version list
(https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud)
→ If you find compromised versions: treat your dev machine as compromised
□ Step 2: Rotate credentials if you ran npm install in the last 48 hours
in a project with @tanstack/* (15 minutes)
→ Rotate IMMEDIATELY:
├── Anthropic/OpenAI API keys
├── Database connection strings
├── Supabase service role key and anon key
├── Stripe API keys
├── GitHub personal access tokens
├── Vercel tokens
└── Any API key in your .env files
→ How to rotate:
├── Anthropic: console.anthropic.com → API Keys → revoke and regenerate
├── Supabase: project settings → API → regenerate keys
├── Stripe: dashboard.stripe.com → API Keys → roll key
└── GitHub: github.com → Settings → Developer Settings → Personal Access Tokens
□ Step 3: Update the packages (5 minutes)
→ npm update @tanstack/react-query @tanstack/react-table [etc.]
→ Verify the updated versions are NOT in the compromised version list
→ The TanStack team has published clean versions — install those
□ Step 4: Add package integrity verification to your workflow (5 minutes)
→ Enable npm audit in CI: add 'npm audit' as a CI step
→ Add Socket.dev GitHub app to your repos (free for open source):
→ github.com/marketplace/socket-security
→ Scans PRs for supply chain attacks including OIDC token hijacks
→ Pin critical packages to exact versions in package.json
(use exact version, not ^ caret ranges, for security-critical packages)
□ Step 5: Verify no postinstall hooks are persisting (5 minutes)
→ Run: grep -A5 '"scripts"' node_modules/@tanstack/react-query/package.json (and the same for every other @tanstack/* and @mistralai/* package you have installed) and look for preinstall, install, or postinstall entries
→ Clean reinstall: rm -rf node_modules && npm ci (uses lockfile exactly)
→ If npm ci refuses to run because package.json and package-lock.json are out of sync, or the installed versions are not the ones you expected:
→ Your lockfile may have been modified — investigate before proceeding
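Steps 1 and 5 of the checklist can be done in one pass over the installed tree rather than one grep per package. The block below is an added example, not code from the post, from Socket or from TanStack. It walks node_modules/@tanstack and node_modules/@mistralai, reads each package.json, compares the installed version against a compromised-version list, and reports any install-time lifecycle script. The compromised-version list is a placeholder to be filled from Socket's disclosure (the post does not reproduce the version numbers), and the two sample manifests at the bottom are constructed for the demonstration.

```javascript
// Added example (not from the post, Socket or TanStack): audit the packages
// actually installed under node_modules for (a) versions on a compromised
// list and (b) install-time lifecycle scripts.

// PLACEHOLDER: fill this map from Socket's disclosure; the post does not
// list the compromised versions. Keys are package names, values are exact
// versions known to be malicious.
const COMPROMISED_VERSIONS = {
  '@tanstack/react-query': ['0.0.0-PLACEHOLDER'],
};

const WATCHED_SCOPES = ['@tanstack', '@mistralai'];

// npm runs preinstall/install/postinstall of a dependency automatically when
// it is installed; prepare runs for git dependencies and for the project itself.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Pure check over one package.json object. A hook is not proof of compromise
// on its own (native packages build in postinstall), but a hook in a package
// where you do not expect one is exactly the persistence step the post describes.
function auditManifest(manifest, compromised = COMPROMISED_VERSIONS) {
  const name = manifest.name || '(unnamed)';
  const version = manifest.version || '(unknown)';
  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const known = (compromised[name] || []).includes(version);
  return {
    name,
    version,
    compromised: known,
    installHooks: hooks.map((h) => ({ hook: h, command: scripts[h] })),
    needsReview: known || hooks.length > 0,
  };
}

// Walk node_modules/<scope>/<pkg>/package.json for the watched scopes.
// Uses dynamic import so the file runs as either CommonJS or ESM.
async function auditNodeModules(rootDir = 'node_modules', compromised = COMPROMISED_VERSIONS) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const findings = [];
  for (const scope of WATCHED_SCOPES) {
    const scopeDir = path.join(rootDir, scope);
    let entries;
    try {
      entries = await fs.readdir(scopeDir, { withFileTypes: true });
    } catch {
      continue; // scope not installed in this project
    }
    for (const ent of entries) {
      if (!ent.isDirectory()) continue;
      const manifestPath = path.join(scopeDir, ent.name, 'package.json');
      try {
        const manifest = JSON.parse(await fs.readFile(manifestPath, 'utf8'));
        findings.push(auditManifest(manifest, compromised));
      } catch {
        // An unreadable manifest in a watched scope is itself worth a look.
        findings.push({ name: `${scope}/${ent.name}`, version: '(unreadable)',
          compromised: false, installHooks: [], needsReview: true });
      }
    }
  }
  return findings;
}

// Constructed sample manifests standing in for files under node_modules.
const SAMPLE_CLEAN = { name: '@tanstack/query-core', version: '5.51.1', scripts: { build: 'tsc' } };
const SAMPLE_HOOKED = { name: '@tanstack/react-query', version: '5.51.2',
  scripts: { postinstall: 'node ./setup.js' } };

// Usage from a project root: prints only the findings that need review.
auditNodeModules()
  .then((findings) => {
    for (const f of findings) if (f.needsReview) console.log(JSON.stringify(f));
  })
  .catch((err) => console.error(err));
```

Run it before the clean reinstall in step 5 and again afterwards: the first run tells you whether the machine was exposed (and therefore whether step 2's rotation applies), the second confirms the hook is gone once the lockfile points at clean versions.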
Supply Chain Security Practices for Vibe Coders
The Mini Shai-Hulud attack exposes the supply chain security gap in typical vibe coding workflows. These practices should be standard:
Supply chain security checklist for vibe-coded applications:
1. Dependency management
├── Use npm ci instead of npm install in CI/CD — respects lockfile exactly
├── Commit your lockfile (package-lock.json or yarn.lock) — always
├── Review lockfile changes in PRs — especially when AI updates dependencies
├── Pin security-critical packages to exact versions
└── Run npm audit before every deploy, not just on new installs
2. Secret isolation in dev environments
├── Use .env.local for dev secrets, never .env (which often gets committed)
├── Use different API keys for dev and production — rotate dev keys freely
├── Never put production database URLs in dev .env files
├── Use AWS IAM roles / workload identity instead of static keys where possible
└── Treat your dev machine as compromised periodically — rotate keys monthly
3. AI tooling security
├── When Claude Code or Cursor scaffolds a project, review the package.json
│ before running npm install — know what you're installing
├── Run socket check (or equivalent) before committing new dependencies
├── Don't blindly accept AI suggestions to add new npm packages
└── Run AI agent sessions with minimal filesystem access when possible
4. CI/CD hardening (against OIDC token hijacks specifically)
├── Pin GitHub Actions to specific commit SHAs, not 'v2' tags:
│ → uses: actions/checkout@v4 → uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
├── Use 'GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}' not personal access tokens
├── Set id-token: write only in workflows that actually need it
├── Review third-party actions before adding them to publish workflows
└── Add Dependabot to update action dependencies — old action versions
are common attack vectors
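Two of the CI/CD items above (pin actions to commit SHAs; grant id-token: write only where needed) are mechanical enough to check in a pre-merge hook. The block below is an added example, not code from the post or from TanStack: a small line-based linter for GitHub Actions workflow files that flags mutable action refs, a workflow-wide id-token: write grant, and permissions: write-all. It is not a YAML parser and assumes the usual one-key-per-line layout. The two workflow strings are constructed: the checkout SHA in the hardened one is the commit the post quotes, while the setup-node SHA is an all-zero placeholder to be replaced with the commit you actually reviewed.

```javascript
// Added example (not from the post or from TanStack): lint a GitHub Actions
// workflow for unpinned actions and over-broad OIDC/write permissions.

const SHA_REF = /^[0-9a-f]{40}$/;

function lintWorkflow(text) {
  const findings = [];
  let inJobs = false;
  text.split('\n').forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trimEnd(); // drop trailing comments
    const lineNo = i + 1;
    if (/^jobs:\s*$/.test(line)) inJobs = true;

    // Rule 1: a remote "uses:" must point at a full commit SHA, not a tag/branch.
    const uses = line.match(/^\s*-?\s*uses:\s*['"]?([^'"\s]+)/);
    if (uses) {
      const ref = uses[1];
      const local = ref.startsWith('./') || ref.startsWith('docker://');
      const at = ref.lastIndexOf('@');
      if (!local && at < 0) {
        findings.push({ line: lineNo, rule: 'unpinned-action', detail: `${ref} has no ref at all` });
      } else if (!local && !SHA_REF.test(ref.slice(at + 1))) {
        findings.push({ line: lineNo, rule: 'unpinned-action',
          detail: `${ref} uses a mutable ref; pin to a commit SHA` });
      }
    }

    // Rule 2: id-token: write above "jobs:" applies to every job in the
    // workflow, including ones that only run tests or lint.
    if (!inJobs && /^\s*id-token:\s*write\s*$/.test(line)) {
      findings.push({ line: lineNo, rule: 'workflow-wide-id-token',
        detail: 'grant id-token: write on the publish job only' });
    }

    // Rule 3: blanket write permissions.
    if (/^\s*permissions:\s*write-all\s*$/.test(line)) {
      findings.push({ line: lineNo, rule: 'write-all',
        detail: 'replace write-all with the minimal permission set' });
    }
  });
  return findings;
}

// Constructed "before": mutable tags and a workflow-wide OIDC grant.
const WEAK_WORKFLOW = `
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
`;

// Constructed "after": SHA-pinned actions, OIDC only on the publish job.
// The setup-node SHA is a placeholder, not a real commit.
const HARDENED_WORKFLOW = `
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - uses: actions/setup-node@0000000000000000000000000000000000000000 # PLACEHOLDER SHA
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
`;

for (const f of lintWorkflow(WEAK_WORKFLOW)) console.log(`line ${f.line}: ${f.rule}: ${f.detail}`);
```

Pinning by SHA closes the "mutable tag" path; it does not by itself cover the case the post describes, where a dependency of the publish workflow is malicious at the pinned commit. That still needs the review step in the list above, and Dependabot keeps the pinned SHAs moving forward so reviews stay small.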
Why SLSA Level 3 Didn't Catch This
The most important lesson from Mini Shai-Hulud for security-aware vibe coders:
SLSA Level 3 guarantees vs. what Mini Shai-Hulud bypassed:
What SLSA Level 3 guarantees:
├── Build provenance: the package was built by a specific CI system
│ from a specific source repository at a specific commit
├── Non-forgeable: the provenance attestation is cryptographically signed
│ and cannot be created outside the designated build environment
└── Build integrity: the build environment is isolated from manual access
What SLSA Level 3 does NOT guarantee:
├── Source integrity: if the source repository is compromised, the SLSA
│ Level 3 attestation accurately describes a build of the compromised code
├── Workflow integrity: if the CI workflow itself is compromised
│ (via a malicious dependency of the workflow), the attestation
│ reflects the compromised workflow's output — accurately
└── Token security: SLSA doesn't protect against token exfiltration
during a legitimate, expected CI run
The Mini Shai-Hulud insight:
├── The attack didn't compromise the provenance attestation mechanism
├── It compromised the publish workflow before the attestation was created
├── The attestation accurately reflects 'published by TanStack CI'
│ because the stolen token made it appear that way
└── Lesson: SLSA Level 3 is necessary but not sufficient;
workflow security is a separate attack surface that requires
separate hardening (pinned action SHAs, minimal OIDC permissions,
GitHub Actions security reviews)
Common Challenges
'How do I know if I actually installed the compromised versions?' — Check Socket's disclosure at socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud for the specific compromised version numbers. Then run cat package-lock.json | grep -A3 @tanstack/react-query (or the specific package) to see which version is locked in your project. If your locked version matches the compromised version range, treat your environment as compromised and rotate credentials immediately.
'Do I need to rotate credentials if I just had @tanstack installed but didn't run npm install in the last 48 hours?' — If your last npm install predates the compromised versions being published (before May 11, 2026), and your lockfile shows a version that predates the attack, your risk is significantly lower. Still verify against the specific compromised version numbers. When in doubt, rotating API keys costs 15 minutes; a credential breach costs far more.
'Should I stop using TanStack packages entirely?' — No. TanStack is an excellent, well-maintained library ecosystem. The attack was sophisticated and novel — not a reflection of TanStack's code quality or maintainership practices. The TanStack team responded quickly. The right response is to verify you have clean versions, apply the workflow hardening practices above, and continue using the library with better supply chain hygiene.
'How do I talk to my team about this without causing panic?' — Frame it as 'supply chain attacks are now sophisticated enough to bypass attestation systems we trusted, so we need to add another layer.' The credential rotation is the most time-sensitive action. The CI/CD hardening (pinned SHA actions, minimal OIDC scopes) is the structural fix that reduces recurrence risk. Both are reasonable, professional security responses — not emergency overreactions.
Advanced Tips
Add Socket.dev to your GitHub repos today — it's free for open source. Socket scans every PR for supply chain attacks, including OIDC token compromise patterns. It would have flagged the compromised @tanstack packages before they were merged into projects that monitor their PRs. This is the single highest-leverage supply chain security action available for free.
Build a secrets rotation runbook before you need it. The most painful part of responding to the TanStack attack was that many developers had to figure out how to rotate each key under time pressure. Create a runbook now: list every secret in your .env files, how to rotate each one, and what to check after rotation. A 30-minute investment now saves hours of stress during the next incident.
Treat your dev environment like it's compromised once per quarter. Schedule a quarterly key rotation as routine hygiene, not emergency response. Many of the credentials that postinstall attacks harvest have been sitting in .env files for months or years. Regular rotation limits the value of any single credential theft.
Read Socket's supply chain security blog weekly. Socket is the most current source on npm supply chain attacks — they discovered Mini Shai-Hulud and have consistently published the best technical analysis of supply chain attacks against the Node.js ecosystem.
The Vibe Coding Academy Security Track (Module 8: Testing AI-Generated Code) includes supply chain security as a core topic — the TanStack attack is now a case study. The Vibe Coding Ebook Chapter 19 (The Security Playbook) covers supply chain security for vibe-coded applications in detail. Subscribe to supply chain security alerts at EndOfCoding.
Conclusion
The Mini Shai-Hulud attack on @tanstack/* and @mistralai packages is a watershed moment in npm supply chain security. It's the first documented attack to produce validly-attested SLSA Build Level 3 malicious packages by compromising the CI/CD publish workflow instead of the attestation mechanism itself. For vibe coders, the immediate action items are clear: verify your installed package versions against Socket's disclosure, rotate credentials if you're in the exposure window, and add Socket.dev to your GitHub repos. The structural lesson is equally important: vibe coding workflows create elevated credential exposure in dev environments, and supply chain attacks are sophisticated enough to exploit that exposure even when the packages look legitimate according to the attestation systems we trusted. The supply chain security practices in this post — pinned action SHAs, minimal OIDC scopes, separate dev and production secrets, regular credential rotation — are not advanced security theater. They're the baseline hygiene that every vibe coder should have in place before the next attack. The Vibe Coding Academy has updated its security curriculum to include this attack as a case study. Stay ahead of supply chain threats at EndOfCoding.