Mini Shai-Hulud tears at OSS trust
ID: 486e9f97-31eb-5dd0-acf1-bf013ffb96f0
STIX ID: report--486e9f97-31eb-5dd0-acf1-bf013ffb96f0
Feed Name: ReversingLabs Blog
ReversingLabs and other researchers describe a renewed Mini Shai-Hulud campaign that has compromised more than 160 npm packages (some sources report 169 package names and 373 malicious package-version entries), including 42 @tanstack packages and widely used modules with millions of weekly downloads. The malware harvests npm, GitHub and cloud tokens from developer and CI environments and uses them to publish further malicious packages, which is how the campaign spreads through the software supply chain. Recommended responses: rotate any secrets that may have been exposed, audit dependencies and lockfiles for the affected package versions, enforce MFA on maintainer accounts, and secure publishing workflows.
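The "audit dependencies and lockfiles" step is the one most teams get wrong by only checking direct dependencies. The following is an added example, not code from the ReversingLabs post or from any affected project: it walks an npm lockfile (both the lockfileVersion 1 nested "dependencies" tree and the v2/v3 flat "packages" map, which are the real formats npm writes) and reports exact name@version matches, other versions of an affected name, and anything not resolved from the public registry. Every package name, version, URL and integrity hash in it is a constructed placeholder, not an indicator from the campaign.

```javascript
// Added example, not from the ReversingLabs post. All identifiers below are
// constructed placeholders, not real indicators from the campaign.

const REGISTRY = "https://registry.npmjs.org/";

// Constructed block list in "name@version" form, the shape an advisory uses.
const AFFECTED = new Set([
  "@example-scope/widgets@1.2.3",
  "@example-scope/widgets@1.2.4",
  "left-padder@9.9.9",
]);

// Constructed lockfileVersion 3 document. The nested copy of left-padder under
// some-tool is the case a direct-dependency-only check misses.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-scope/widgets": {
      version: "1.2.3",
      resolved: REGISTRY + "@example-scope/widgets/-/widgets-1.2.3.tgz",
      integrity: "sha512-AAAA",
    },
    "node_modules/left-padder": {
      version: "1.0.0",
      resolved: REGISTRY + "left-padder/-/left-padder-1.0.0.tgz",
      integrity: "sha512-BBBB",
    },
    "node_modules/some-tool": {
      version: "2.0.0",
      resolved: REGISTRY + "some-tool/-/some-tool-2.0.0.tgz",
      integrity: "sha512-CCCC",
    },
    "node_modules/some-tool/node_modules/left-padder": {
      version: "9.9.9",
      resolved: "https://mirror.example.invalid/left-padder-9.9.9.tgz",
      integrity: "sha512-DDDD",
    },
  },
};

// Constructed lockfileVersion 1 document (nested "dependencies" tree), still
// common in long-lived repositories.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tool": {
      version: "2.0.0",
      dependencies: { "left-padder": { version: "9.9.9" } },
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; the root entry "" -> null.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// Yield { name, version, resolved, path } for every installed package at any
// nesting depth, for both lockfile layouts.
function* installedPackages(lock) {
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = packageNameFromPath(path);
      if (name && meta.version) {
        yield { name, version: meta.version, resolved: meta.resolved, path };
      }
    }
    return;
  }
  function* walk(deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      yield { name, version: meta.version, resolved: meta.resolved, path };
      yield* walk(meta.dependencies, path + "/");
    }
  }
  yield* walk(lock.dependencies, "");
}

// hits: exact name@version matches. sameNameOtherVersion: a different version
// of a package the campaign published under, worth checking the publish
// history of. offRegistry: tarballs not fetched from the public registry.
function auditLockfile(lock, affected = AFFECTED) {
  const affectedNames = new Set(
    [...affected].map((key) => key.slice(0, key.lastIndexOf("@")))
  );
  const report = { hits: [], sameNameOtherVersion: [], offRegistry: [] };
  for (const pkg of installedPackages(lock)) {
    if (affected.has(`${pkg.name}@${pkg.version}`)) report.hits.push(pkg);
    else if (affectedNames.has(pkg.name)) report.sameNameOtherVersion.push(pkg);
    if (pkg.resolved && !pkg.resolved.startsWith(REGISTRY)) report.offRegistry.push(pkg);
  }
  return report;
}

function formatReport(report) {
  const line = (tag, p) => `${tag} ${p.name}@${p.version} (${p.path})`;
  return [
    ...report.hits.map((p) => line("MALICIOUS", p)),
    ...report.sameNameOtherVersion.map((p) => line("REVIEW   ", p)),
    ...report.offRegistry.map((p) => line("OFF-REG  ", p)),
  ];
}

console.log(formatReport(auditLockfile(SAMPLE_LOCK)).join("\n"));
```

Against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and AFFECTED with the package-version list from the advisory you trust; matching on the lockfile rather than package.json is what catches transitive and nested copies, and a clean `hits` list still leaves the REVIEW and OFF-REG entries to look at before declaring the build unaffected.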
