On May 11, 2026,the popular open-source project TanStack suffered a highly sophisticated supply chain attack. The incident affected not only TanStack itself but also more than 160 npm and PyPI packages, including Mistral AI, UiPath, OpenAI, and Grafana Labs, resulting in the release of more than 400 malicious versions in total.Launched by a threat group known as TeamPCP and dubbed “Mini Shai-Hulud,” this attack starkly revealed the vulnerabilities of the open-source ecosystem in modern software development and served as a wake-up call for security in the Web3 space.
A Recap of the TanStack Supply Chain Attack

The attack occurred between 19:20 and 19:26 UTC on May 11, 2026. In just six minutes, the attackers released 84 malicious versions of npm packages under 42@tanstacknamespaces. Notably, the attackers did not directly steal npm credentials or gain access to maintainer accounts through phishing; instead, they exploited a series of vulnerabilities in GitHub Actions workflows.
- Exploitation Chain: The attack chain involved three key GitHub Actions vulnerabilities:
pull_request_targetimproper workflow configuration, GitHub Actions cache poisoning, and runtime OpenID Connect (OIDC) token extraction. The attacker first created a spoofed branch in the TanStack/router repository and submitted a pull request containing a malicious payload. Due topull_request_targetconfiguration issues with the workflow, this pull request was executed in an environment with permissions for the base repository, allowing the attacker to inject malicious content into the GitHub Actions cache.Subsequently, when a legitimate maintainer merged the code and triggered the release workflow, the poisoned cache was restored, enabling the attacker to directly extract OIDC tokens from the memory of the GitHub Actions runner process. - Malicious Payload and Propagation: The malicious payload used in this attack, known as “Mini Shai-Hulud,” is a self-propagating credential-stealing worm.Once an infected package is installed, the malicious code executes within npm lifecycle hooks, stealing a variety of sensitive information, including GitHub tokens, npm tokens,AWS, GCP, and Azure credentials, Kubernetes service account tokens, HashiCorp Vault tokens, SSH keys, and environment variables.The worm also identifies other npm packages for which the victim has publishing permissions, modifies the archives of these packages to inject the same malicious dependency, increments the version number, and uses the stolen credentials to publish new infected versions, thereby enabling self-propagation.
- Stealth and Impact: The danger of this attack lies in the fact that the malicious packages were published through TanStack’s legitimate release pipeline and carried valid npm provenance attestations.This means that these malicious versions are virtually indistinguishable from legitimate versions using standard verification methods and even pass SLSA provenance checks and validation of valid signature certificates. The attack spread rapidly, leading to the theft of credentials from OpenAI’s internal source code repositories, the download of Grafana Labs’ codebase, and the compromise of multiple high-download-volume packages, such as
@tanstack/react-router(over 12.7 million weekly downloads).
A Security Wake-up Call for the Open-Source Ecosystem
The TanStack incident highlights the growing complexity and vulnerability of modern software supply chains and serves as a wake-up call for the entire open-source ecosystem:

- CI/CD Pipelines as a Major Attack Surface: The attack demonstrates that attackers are no longer targeting just source code repositories or credentials; instead, they are setting their sights on the continuous integration/continuous deployment (CI/CD) pipelines themselves, including caches, workflow permissions, and dependency resolution systems. Build pipelines have become a major attack surface in modern software development.
- Limitations of Traditional Security Measures: Even projects that have enabled two-factor authentication (2FA) and followed best practices such as SLSA provenance verification may be unable to defend against such sophisticated attacks that exploit the trust chain within CI/CD systems.
- Blurred Trust Boundaries: The attack exploits a vulnerability in GitHub Actions that spans the “fork-to-base” trust boundary, allowing malicious code from a forked repository to execute under the permissions of the base repository—thereby blurring the traditional trust boundary for external contributions.
- The Threat of “Worm-Like” Propagation: The self-propagating nature of the malicious payload means that an initial compromise can rapidly spread throughout the dependency graph, affecting hundreds or even thousands of downstream projects and causing widespread and far-reaching damage.
Protection Strategies in the Web3 Space
Because Web3 projects manage vast amounts of digital assets, they are particularly attractive targets for supply chain attacks. Supply chain attacks can directly lead to the theft of user funds, the exposure of private keys, or the deployment of malicious smart contracts—consequences that are often irreversible. Therefore, Web3 projects must strengthen their defenses in the following areas:
1. Strengthen Development Processes and CI/CD Security

- Strict GitHub Actions configuration: Carefully review all GitHub Actions workflows, particularly those using
pull_request_targettriggers, to ensure they do not execute code from forked repositories under insecure permissions. - Credential Management and Rotation: Strictly manage and periodically rotate all sensitive credentials used in CI/CD pipelines (such as cloud service keys, API tokens, and SSH keys).
- Cache Security: Implement strict cache policies to avoid sharing or reusing caches that may be compromised in CI/CD environments, especially when handling code from untrusted sources.
- Provenance Verification and Additional Security Checks: Although SLSA provenance verification can be bypassed, it should still be used as a foundational security measure. At the same time, deploy additional security software to verify the provenance and integrity of new packages, such as configuring
minimumReleaseAgepackage manager configurations to mitigate the immediate risk posed by newly released malicious packages.
2. Dependency Management and Software Bill of Materials (SBOM)
- Comprehensive Dependency Audits: Regularly audit all third-party dependencies in the project—including both direct and indirect dependencies—to ensure they come from trusted sources and are free of known vulnerabilities.
- Generate and Maintain SBOMs: Generate and maintain Software Bill of Materials (SBOMs) for all Web3 applications, clearly documenting all components and their versions so that the scope of impact can be quickly identified when vulnerabilities are discovered.
- Dependency Cooling Policy: Implement a dependency cooling policy—such as blocking the immediate installation of newly released packages—to reduce exposure to fast-moving attacks.

3. Code Integrity and Signature Infrastructure Protection
- Code Commit Signing: Enforce GPG signing of all code commits and verify the signatures to ensure code integrity and trusted origin.
- Protection of Signing Infrastructure: Apply the highest level of protection to the infrastructure used for code signing and binary distribution to prevent attackers from generating malware with legitimate signatures.
- Static and Dynamic Code Analysis: Integrate static application security testing (SAST) and dynamic application security testing (DAST) tools into the CI/CD process to detect potential vulnerabilities and malicious code.
4. Developer Education and User Protection
- Security Awareness Training: Train development teams on Web3-specific supply chain attack vectors, such as how malicious npm packages can steal private keys, how compromised development tools can modify transaction parameters, and social engineering attacks targeting package maintainers.
- User Permission Restrictions: Recommend that users limit the permissions granted when interacting with DApps and implement multi-factor authentication for high-risk operations.
- Hardware Wallets and Asset Segregation: Encourage users to store long-term assets in hardware wallets and segregate assets with different risk levels to minimize potential losses.

The TanStack supply chain attack once again demonstrates that Web3 security is not limited to smart contracts alone, but extends to every stage of the software development lifecycle. Only by comprehensively enhancing supply chain security awareness and defensive capabilities can the Web3 ecosystem better withstand increasingly complex threats.



