Mini Shai-Hulud Hits TanStack npm Packages
ID: 500e74aa-9a8c-5d0c-bec6-94d7249cb88f
STIX ID: report--500e74aa-9a8c-5d0c-bec6-94d7249cb88f
Feed Name: Infosecurity Magazine (News)
A widespread supply-chain campaign (Mini Shai-Hulud, attributed to TeamPCP) hijacked legitimate release pipelines to publish 84 malicious npm package versions across 42 @tanstack/* packages on May 11, 2026, and later affected other npm and PyPI artifacts. The payloads are credential-stealing, daemonizing malware that targets CI systems (GitHub Actions OIDC, GitLab, CircleCI) and has multiple exfiltration channels and destructive capabilities. The advisory recommends rotating credentials and reviewing cloud logs.
