
TeamPCP supply chain attack hits TanStack

ID: a2d7074b-c5f3-5177-897b-85b3ceafb269

STIX ID: report--a2d7074b-c5f3-5177-897b-85b3ceafb269

Feed Name: ThreatLocker Blog

Threat Score: 90/100

Date Published: 2026-05-14

Date Updated: 2026-05-14


On May 11, 2026, attackers published dozens of malicious npm package versions in the TanStack ecosystem and related PyPI packages. They chained a pull_request_target Pwn-Request, GitHub Actions cache poisoning, and extraction of OIDC tokens from runner memory to push credential‑stealing Mini Shai‑Hulud payloads (attributed to TeamPCP). The report provides a technical breakdown, IOCs (file hashes, network hosts, persistence artifacts), and recommended mitigation and remediation steps.
