A sophisticated supply chain attack dubbed "Mini Shai-Hulud" has compromised dozens of popular open source packages, affecting major technology companies and exposing millions of developers to potential credential theft and system compromise.

The attack, which peaked on May 11, 2026, targeted the widely-used TanStack npm packages through a complex exploitation chain that combined GitHub Actions vulnerabilities with malicious code injection. Within hours, 84 malicious versions across 42 TanStack packages were published to the npm registry, the primary repository for JavaScript packages.

How the Attack Unfolded

According to TanStack's detailed postmortem, the attackers executed their plan in two phases. First, they poisoned GitHub Actions cache by creating a malicious fork and opening a pull request that triggered automated workflows. The attack exploited the "pull_request_target" pattern, which allows external contributors to run code in the target repository's security context.

"An attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target 'Pwn Request' pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process," TanStack explained in their incident report.

The malicious code harvested credentials from common locations including AWS metadata services, Google Cloud Platform credentials, Kubernetes service tokens, SSH private keys, and GitHub authentication tokens. The stolen data was then exfiltrated through the Session/Oxen messenger network, making it difficult to block through traditional network security measures.

Major Companies Affected

OpenAI confirmed that two employee devices in their corporate environment were impacted by the attack. In a security advisory published May 13, 2026, the company stated that "limited credential material was successfully exfiltrated from these code repositories" but emphasized that no customer data or intellectual property was compromised.

As a precautionary measure, OpenAI is rotating all code-signing certificates for their applications and requiring macOS users to update their apps by June 12, 2026. "Once we fully revoke our certificate on June 12, 2026, new downloads and launches of apps signed with the previous certificate will be blocked by macOS security protections," the company warned.

The attack's self-propagating nature meant that once a developer's machine was compromised, the malware could enumerate other packages they maintained and republish them with the same malicious injection, creating a cascading effect across the open source ecosystem.

Rapid Detection and Response

Security researcher Ashish Kurmi, working for StepSecurity, detected the malicious packages within 20 to 26 minutes of their publication. All affected versions were quickly deprecated, and npm security engaged to remove the malicious tarballs from the registry.

TanStack issued an all-clear status on May 15, 2026, after completing a comprehensive security audit. "Every currently-available published version of every TanStack package — Router and Start included — is safe to install," the company confirmed.

Broader Implications for Open Source Security

The incident highlights the vulnerability of modern software development, which relies heavily on interconnected open source libraries and automated publishing workflows. OpenAI noted in their response that "attackers are increasingly targeting shared software dependencies and development tooling rather than any single company."

The attack represents a significant evolution in supply chain threats, demonstrating how sophisticated actors can exploit the trust relationships built into modern development platforms. Unlike traditional attacks that target individual organizations, this approach allows attackers to compromise multiple companies simultaneously through shared dependencies.

Security experts recommend that organizations implement additional safeguards including package manager configurations with minimum release age requirements, enhanced validation of third-party components, and improved monitoring of development environments. The incident has also renewed calls for better security practices in open source package management and more robust verification of package integrity.

For developers who may have installed affected packages on May 11, 2026, security professionals strongly recommend rotating all accessible credentials including AWS, Google Cloud, Kubernetes, Vault, GitHub, npm, and SSH keys from any potentially compromised systems.