On May 11, 2026, an attacker poisoned a single npm package. Ten days later, GitHub's internal repositories were breached, OpenAI forced emergency updates to every macOS app, Mistral AI's SDK was compromised, and Grafana Labs was hit with a ransom demand after their source code was stolen.
This isn't a collection of separate incidents. It's one cascading supply chain attack — the most devastating since SolarWinds.
Here's the complete chain, what went wrong at every link, and what developers and hosting providers must do right now to protect themselves.
The Complete Attack Chain: From npm Package to GitHub Breach
The attack follows a clear five-stage cascade. Each compromised link became the weapon for the next attack.
Stage 1: TanStack npm Packages Poisoned (May 11)
At 19:20 UTC on May 11, an attacker published 84 malicious versions across 42 @tanstack/* npm packages — including the massively popular TanStack Router, TanStack Query, and TanStack Table libraries used by millions of developers.
The attack was technically brilliant and terrifying:
- The attacker forked the TanStack/router repository
- They opened a pull request that triggered a pull_request_target workflow — a known dangerous pattern that runs fork code with repository privileges
- The malicious PR poisoned the GitHub Actions cache with a trojanized pnpm store
- When legitimate maintainer PRs were merged later, the release workflow restored the poisoned cache
- Attacker-controlled binaries extracted OIDC tokens directly from the GitHub Actions runner's process memory
This is the first documented case of a malicious npm package carrying valid SLSA provenance — meaning standard supply chain verification tools would have marked these packages as "verified and trusted."
The Worm Mechanism
What made this attack uniquely dangerous was its self-propagating nature. The malicious payload:
- Harvested GitHub tokens, npm tokens, AWS credentials, and other secrets from every infected developer's machine
- Identified npm packages the victim had publish access to
- Modified those packages to inject the same malicious dependency
- Published new compromised releases using the stolen credentials
Each compromised developer became a new infection vector. Within hours, the worm had spread to over 170 npm packages and 2 PyPI packages — 404 malicious versions total — hitting Mistral AI's SDK, UiPath's automation tooling (65 packages), OpenSearch (1.3M weekly npm downloads), and Guardrails AI.
The attacker published all 401 versions within a five-hour window, indicating automated tooling rather than manual work. The threat group behind this — TeamPCP — had been escalating supply chain attacks since February 2026, previously compromising Trivy, KICS, Checkmarx VS Code extensions, Bitwarden CLI, and LiteLLM.
Stage 2: Nx Console VS Code Extension Hijacked (May 18)
One of the Nx team's developers was among those infected by the TanStack worm. Their stolen GitHub credentials gave the attacker push access to the nrwl/nx repository and, through it, access to VS Code Marketplace publishing credentials.
On May 18, the attacker published Nx Console v18.95.0 — a trojanized version of the extension with 2.2 million installations. The malicious version was live for approximately 11 to 18 minutes before being pulled.
The payload was a 498 KB obfuscated multi-stage credential stealer hidden in a dangling orphan commit inside the official nrwl/nx repository. It harvested tokens and secrets from:
- GitHub and npm
- AWS
- HashiCorp Vault
- Kubernetes
- 1Password vaults
- Claude Code configuration files (~/.claude/settings.json) — marking one of the first payloads designed to harvest AI coding assistant configurations
The payload exfiltrated data through three independent channels: HTTPS, the GitHub API, and DNS tunneling. It also installed a persistent Python backdoor on macOS that used the GitHub Search API as a dead-drop for receiving further commands signed with a 4096-bit RSA key.
Stage 3: GitHub Employee Device Compromised
A GitHub employee opened a workspace with the poisoned Nx Console extension installed. Within seconds, the credential stealer harvested their GitHub internal access tokens, 1Password vault contents, and cloud credentials.
The extension only needed to be active — no user interaction required beyond opening VS Code.
Stage 4: GitHub Internal Repositories Breached (May 19)
Using the stolen credentials, the attacker cloned approximately 3,800 of GitHub's internal repositories. GitHub detected the breach on May 19 and began incident response immediately, rotating critical secrets the same day.
GitHub confirmed:
- No evidence of impact to customer-facing systems
- No evidence of customer account compromise
- Some internal repos contained customer information (support interaction excerpts)
- Affected customers would be notified
The attacker — still operating under TeamPCP — listed the stolen data for sale on a criminal forum at upwards of $50,000 USD.
Stage 5: AI Companies Fall Like Dominoes
OpenAI
Two employee devices were compromised directly by the TanStack worm (not through Nx Console). The attacker gained unauthorized access to a limited subset of internal source code repositories. OpenAI found no evidence that user data, production systems, or intellectual property were compromised, but was forced to:
- Update all security certificates
- Force all macOS users to update to latest app versions
- Set a hard deadline of June 12, 2026 for older app versions
- Deploy minimumReleaseAge controls in package manager configurations
- Add provenance validation for all new packages
Mistral AI
Mistral's npm and PyPI SDK packages were directly compromised by the worm. The malicious versions replaced legitimate build scripts with a setup.mjs file that downloaded Bun and executed a payload. In a stroke of luck, the payload referenced a file that didn't exist — rendering the Mistral-specific infections inert. But the credentials stolen during the installation process were still exfiltrated.
Grafana Labs
Grafana's CI/CD pipeline consumed a malicious TanStack package, and the info-stealer module exfiltrated GitHub workflow tokens. Grafana rotated most credentials after learning about the TanStack attack, but one GitHub workflow token slipped through the rotation process. On May 16, the attacker used that single missed token to access Grafana's private repositories and download their source code. They then issued a ransom demand threatening data disclosure.
The Timeline: 10 Days That Shook the Developer Ecosystem
| Date | Event | Impact |
|---|---|---|
| May 11, 19:20 UTC | TanStack packages poisoned | 84 malicious versions across 42 packages |
| May 11, 19:46 UTC | External researcher detects compromise | 20-26 minutes detection time |
| May 11, 22:45 UTC | Worm spreads to 170+ packages | Mistral AI, UiPath, OpenSearch compromised |
| May 12, 01:53 UTC | Malicious packages removed from npm | 5-hour infection window |
| May 14 | OpenAI confirms two employee devices hit | Internal repos accessed, certificate rotation begins |
| May 16 | Grafana Labs receives ransom demand | Source code stolen via missed token rotation |
| May 18, 12:30 UTC | Nx Console v18.95.0 published | 2.2M-install VS Code extension trojanized |
| May 18, 12:48 UTC | Nx Console pulled from marketplace | 18-minute exposure window |
| May 19 | GitHub detects breach of internal repos | ~3,800 repositories cloned |
| May 20 | GitHub publicly confirms breach | Data listed for $50K on criminal forum |
Why This Attack Was Different
Supply chain attacks aren't new. But this cascade introduced several firsts that fundamentally change the threat model for every developer:
1. Valid SLSA Provenance on Malicious Packages
The TanStack packages carried legitimate SLSA provenance signatures because they were published through TanStack's real CI/CD pipeline. Tools that verify supply chain attestations would have increased trust in these packages. This breaks one of the fundamental assumptions of supply chain security.
2. Self-Propagating Worm Mechanism
Previous npm supply chain attacks were targeted — attackers compromised specific packages. Mini Shai-Hulud is different: it turns every infected developer into an attack vector, automatically spreading to every package they can publish. This is the npm equivalent of a biological pandemic.
3. IDE Extensions as Attack Vectors
The Nx Console compromise demonstrates that VS Code extensions are effectively code execution with full system access. Extensions run with the same privileges as the developer, have access to all files, can make network requests, and persist across sessions. The marketplace's security review process didn't catch a 498 KB obfuscated payload.
4. AI Tools as Targets
The payload specifically harvested Claude Code configurations — a clear signal that attackers view AI coding assistants as high-value targets. As more developers integrate AI tools into their workflows, these configurations become treasure troves of API keys, system prompts, and organizational context.
5. Attack Speed vs. Defense Speed
The Verizon DBIR 2026 report, released the same week, confirmed what this cascade demonstrates: vulnerability exploitation now triggers 31% of all breaches, overtaking stolen credentials for the first time in the report's 19-year history. AI has compressed the gap between a flaw being known and a flaw being attacked from months to hours.
Meanwhile, organizations patched only 26% of known exploited vulnerabilities, down from 38% the previous year. The median time for full patching increased to 43 days. The attackers are accelerating while defenders are falling behind.
What Developers Must Do Right Now
Immediate Actions
```bash
# 1. Check if you installed any compromised packages
npm ls @tanstack/router @tanstack/query @tanstack/table 2>/dev/null

# 2. Check your npm audit for known vulnerabilities
npm audit

# 3. Review your VS Code extensions (-E makes the alternation portable across GNU and BSD grep)
code --list-extensions | grep -iE "nrwl|angular-console"

# 4. Rotate ALL credentials if you used TanStack packages between May 11-12
# GitHub tokens
gh auth logout && gh auth login

# npm tokens
npm token revoke <token-id>
npm token create

# AWS credentials (create the replacement key first, then delete the old one)
aws iam create-access-key --user-name <your-user>
aws iam delete-access-key --user-name <your-user> --access-key-id <old-key>
```
Lock Down Your Package Manager
```ini
# .npmrc - Add release age requirement
# Prevents installing packages published less than 3 days ago
minimum-release-age=3d

# Enable package-lock.json strict mode
package-lock=true

# Disable lifecycle scripts by default
ignore-scripts=true
```
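As an added example (not code from the original post) that serves both the "check if you installed any compromised packages" step and the minimum-release-age policy above, this Node script audits a lockfileVersion 3 package-lock.json against npm publish timestamps, flagging versions published inside the May 11-12 infection window or younger than the 3-day minimum age. The lockfile and timestamps are constructed samples; in practice the `time` map comes from `npm view <pkg> time --json`.

```javascript
// Added example, not from the original post. The lockfile and timestamps
// below are constructed samples, not real registry records.
const INFECTION_WINDOW = {
  start: Date.parse("2026-05-11T19:20:00Z"), // first malicious publish
  end: Date.parse("2026-05-12T01:53:00Z"), // malicious versions removed from npm
};
// Every installed { name, version } from a lockfileVersion 3 "packages" map.
function installedPackages(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path !== "") // "" is the root project itself
    .map(([path, entry]) => ({
      name: path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length),
      version: entry.version,
    }));
}
// timeMap: { [name]: { [version]: ISO publish timestamp } }
function classify(pkg, timeMap, now, minAgeMs) {
  const published = (timeMap[pkg.name] || {})[pkg.version];
  if (!published) return "no-registry-data"; // needs manual review
  const t = Date.parse(published);
  if (t >= INFECTION_WINDOW.start && t <= INFECTION_WINDOW.end) return "infection-window";
  if (now - t < minAgeMs) return "too-new"; // same policy as minimum-release-age
  return "ok";
}
// Returns { "name@version": verdict } for every package that is not "ok".
function auditLockfile(lock, timeMap, now = Date.now(), minAgeDays = 3) {
  const minAgeMs = minAgeDays * 24 * 60 * 60 * 1000;
  const findings = {};
  for (const pkg of installedPackages(lock)) {
    const verdict = classify(pkg, timeMap, now, minAgeMs);
    if (verdict !== "ok") findings[`${pkg.name}@${pkg.version}`] = verdict;
  }
  return findings;
}

// Constructed sample data: these versions and dates are not real registry records.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@tanstack/router-core": { version: "1.99.9" },
  "node_modules/@tanstack/query-core": { version: "5.60.0" },
  "node_modules/lodash": { version: "4.17.21" },
} };
const SAMPLE_TIMES = {
  "@tanstack/router-core": { "1.99.9": "2026-05-11T19:31:00.000Z" },
  "@tanstack/query-core": { "5.60.0": "2026-05-20T08:00:00.000Z" },
  lodash: { "4.17.21": "2021-02-20T15:42:16.891Z" },
};
const NOW = Date.parse("2026-05-21T12:00:00Z"); // "today" for the demo
console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_TIMES, NOW));
```

Anything reported as "no-registry-data" needs a manual look rather than being treated as safe.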
Secure Your CI/CD Pipeline
```yaml
# GitHub Actions - Pin actions to commit SHAs, not tags
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

# NEVER use pull_request_target with checkout of PR code
# BAD:
on: pull_request_target
steps:
  - uses: actions/checkout@v4
    with:
      ref: ${{ github.event.pull_request.head.sha }} # DANGEROUS

# GOOD: Use pull_request instead
on: pull_request
```
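As an added example, not part of the original post or any project's tooling, here is a line-based screen you could run in a pre-commit hook to catch the two workflow mistakes above: actions not pinned to a commit SHA, and pull_request_target combined with a checkout of the PR head. It does not parse YAML fully, and the sample workflow and the 40-hex SHA inside it are constructed placeholders.

```javascript
// Added example, not from the original post: a heuristic screen of a GitHub
// Actions workflow. It works line by line and does not parse YAML.
const SHA_PIN = /^[0-9a-f]{40}$/;
const USES = /uses:\s*([^\s@]+)@(\S+)/;
// Expressions that resolve to the fork's code rather than the base branch.
const PR_HEAD = /github\.event\.pull_request\.head\.(sha|ref)/;

function auditWorkflow(text) {
  // Strip comments so a "# NEVER use pull_request_target" note is not a hit.
  const lines = text.split("\n").map((l) => l.replace(/#.*$/, ""));
  const usesTarget = lines.some((l) => /\bpull_request_target\b/.test(l));
  const findings = [];
  lines.forEach((l, i) => {
    const m = USES.exec(l);
    // Remote actions (owner/repo) must be SHA-pinned; local ./ and docker:// are skipped.
    if (m && !m[1].startsWith("./") && !m[1].startsWith("docker://") && !SHA_PIN.test(m[2])) {
      findings.push({ line: i + 1, rule: "unpinned-action", text: l.trim() });
    }
    // The dangerous combination: privileged trigger plus checkout of untrusted PR code.
    if (usesTarget && /^\s*ref:/.test(l) && PR_HEAD.test(l)) {
      findings.push({ line: i + 1, rule: "pull_request_target-checks-out-pr-head", text: l.trim() });
    }
  });
  return findings;
}

// Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
const BAD_WORKFLOW = [
  "name: ci",
  "on: pull_request_target",
  "jobs:",
  "  build:",
  "    runs-on: ubuntu-latest",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "        with:",
  "          ref: ${{ github.event.pull_request.head.sha }}",
  "      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567",
  "      - run: npm ci",
].join("\n");
// The same workflow after the two fixes recommended above.
const GOOD_WORKFLOW = BAD_WORKFLOW
  .replace("on: pull_request_target", "on: pull_request")
  .replace("actions/checkout@v4", "actions/checkout@0123456789abcdef0123456789abcdef01234567");

console.log(auditWorkflow(BAD_WORKFLOW));
```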
VS Code Extension Security
- Review installed extensions regularly — run code --list-extensions
- Check extension update changelogs before updating
- Use VS Code extension profiles to limit which extensions run in sensitive workspaces
- Enable restricted mode for untrusted workspaces
- Consider using a separate VS Code profile for open source development vs. production work
What Hosting Providers and Platform Engineers Must Do
If you run a hosting platform, PaaS, or manage deployment infrastructure, this attack has direct implications for your security posture:
1. Isolate Build Environments
Build pipelines that run npm install should execute in ephemeral, sandboxed containers with no access to production credentials. The TanStack worm harvests every credential it can find — if your build server has access to production databases or customer data, you're one compromised dependency away from a breach.
2. Implement Dependency Firewalls
Use a private npm registry (Verdaccio, Artifactory, or npm Enterprise) that proxies and caches packages. Configure it to:
- Block packages published less than 72 hours ago
- Require manual approval for major version bumps
- Alert on packages with lifecycle scripts
3. Monitor for Credential Exfiltration
The TanStack worm exfiltrated data through HTTPS, GitHub API calls, and DNS tunneling. Your build environments should:
- Block outbound DNS to non-approved resolvers
- Restrict outbound HTTPS to package registries only during npm install
- Log all GitHub API calls from build environments
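As an added example, not from the original post, the following detector shows what logging outbound DNS from build hosts buys you against the DNS-tunneling channel described above: run over constructed resolver log lines, it flags queries whose longest label looks like an encoded payload (long and high-entropy) and lists zones that received many distinct subdomains. The log format and the `.test` domain are assumptions made for the example.

```javascript
// Added example, not from the original post. Log format assumed here:
// "<timestamp> <client-ip> <qname> <qtype>" (constructed, one query per line).
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / s.length) * Math.log2(c / s.length);
  return h;
}

// Split "a.b.example.test" into the registrable zone and the labels below it.
function splitName(qname) {
  const labels = qname.replace(/\.$/, "").split(".");
  return { zone: labels.slice(-2).join("."), sub: labels.slice(0, -2) };
}

function detectTunneling(lines, { minLabelLen = 30, minEntropy = 3.5, minUnique = 3 } = {}) {
  const subsPerZone = new Map(); // zone -> set of distinct subdomains seen
  const hits = [];
  for (const line of lines) {
    const [ts, client, qname, qtype] = line.trim().split(/\s+/);
    const { zone, sub } = splitName(qname);
    if (sub.length === 0) continue; // bare apex query, nothing to encode in
    if (!subsPerZone.has(zone)) subsPerZone.set(zone, new Set());
    subsPerZone.get(zone).add(sub.join("."));
    // Encoded chunks show up as one long label with near-uniform characters.
    const longest = sub.reduce((a, b) => (b.length > a.length ? b : a), "");
    if (longest.length >= minLabelLen && shannonEntropy(longest) >= minEntropy) {
      hits.push({ ts, client, qname, qtype, reason: "high-entropy-label" });
    }
  }
  // A zone that keeps receiving new unique subdomains is the shape of a dead-drop.
  const noisyZones = [...subsPerZone].filter(([, s]) => s.size >= minUnique).map(([z]) => z);
  return { hits, noisyZones };
}

// Constructed sample: normal registry traffic plus three chunked uploads.
const SAMPLE_LOG = [
  "2026-05-18T12:31:02Z 10.0.4.17 registry.npmjs.org A",
  "2026-05-18T12:31:05Z 10.0.4.17 api.github.com A",
  "2026-05-18T12:31:09Z 10.0.4.17 k3m9q2v8x1z7p4w6n0b5c8d2f6g1h4j7.c2-example.test A",
  "2026-05-18T12:31:10Z 10.0.4.17 q7w2e9r4t1y6u3i8o5p0a2s9d4f7g1h6.c2-example.test A",
  "2026-05-18T12:31:11Z 10.0.4.17 z1x4c7v2b5n8m3k6j9h2g5f8d1s4a7p0.c2-example.test TXT",
];
console.log(detectTunneling(SAMPLE_LOG));
```

Tune the thresholds against a week of your own build-host logs before alerting on them; CDNs and some telemetry SDKs legitimately use long hashed labels.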
4. Zero-Trust for Internal Tools
GitHub's breach happened because one employee's VS Code extension was compromised. Internal repositories should require:
- Hardware security keys for access (not just SSO tokens)
- Short-lived credentials that expire in minutes, not days
- Geographic and device-based access restrictions
The Bigger Picture: May 2026's Security Crisis
This cascade doesn't exist in isolation. May 2026 has been the worst month for hosting and developer security in recent memory:
- cPanel zero-day allowed root access on thousands of shared hosting servers
- Foxconn ransomware exposed 8TB of data from Apple, Nvidia, Intel, and Google supply chains
- Nginx-Rift CVE-2026-42945 revealed an 18-year-old critical RCE affecting ~30% of web servers
- Cloudflare routing failure took down thousands of sites
- Google Cloud IAM privilege escalation affected multi-tenant environments
The TanStack cascade connects all of these dots: we're seeing a coordinated acceleration in the sophistication and speed of attacks across every layer of the developer stack — from package managers to IDE extensions to cloud infrastructure.
Lessons from the Cascade
Trust is the vulnerability. The entire attack chain exploited trust relationships: npm trusts package maintainers, developers trust TanStack, VS Code trusts marketplace extensions, GitHub trusts employee devices, CI/CD trusts cached dependencies.
Every link in this chain was "verified" and "trusted" by the systems designed to protect it. SLSA provenance said the packages were legitimate. The VS Code marketplace said the extension was safe. GitHub's SSO said the employee was authorized.
The lesson isn't that trust is wrong — it's that trust must be verified continuously, not once. Static verification (provenance attestation at publish time) fails against an attacker who compromises the publisher. Continuous verification (runtime monitoring, behavioral analysis, anomaly detection) is the only model that can catch these attacks before they cascade.
For every developer, platform engineer, and hosting provider reading this: the supply chain is no longer a theoretical threat vector. It's the primary attack surface. Treat your package.json like you treat your .env file — as a security-critical configuration that can compromise everything downstream.