The Defense That Was Supposed to Work
SLSA (Supply-chain Levels for Software Artifacts) provenance attestation was the industry's answer to supply chain attacks. It cryptographically links a published package to its build process and source code — proving that the package you install was built from the repository you can audit. Google championed it. GitHub integrated it. The npm ecosystem adopted it. And on May 11, 2026, the Shai-Hulud worm defeated it.
Between 19:20 and 19:26 UTC, 84 malicious npm package artifacts were published across 42 packages in the @tanstack namespace — including @tanstack/react-router with over 12 million weekly downloads. The malicious packages passed provenance attestation checks. They were indistinguishable from legitimate packages by every automated verification system. No prior supply chain attack had achieved this.
How They Did It
TanStack traced the compromise to a chained GitHub Actions attack. The sequence: exploit the pull_request_target trigger in GitHub Actions workflows, poison the GitHub Actions cache, then extract an OIDC token from the GitHub Actions runner process at runtime. The OIDC token is the credential that GitHub uses to attest provenance — by extracting it from the build process itself, the attacker could publish packages with valid provenance that pointed to the legitimate repository and build workflow.
This is not a brute-force attack or a credential theft. It is a logic attack against the attestation infrastructure itself. The attacker did not steal the developer's password. They did not compromise the npm account. They exploited the build pipeline that creates the provenance attestation — making the defense mechanism itself the attack vector.
OpenAI's Disclosure
OpenAI published a response confirming that two employee devices were affected by the TanStack supply chain attack. The company forced macOS updates across affected systems. This disclosure is significant not because OpenAI is uniquely vulnerable, but because it demonstrates the blast radius: even organizations with dedicated security teams and presumably sophisticated defenses installed compromised packages through routine dependency updates.
TeamPCP's Escalating Campaign
The Shai-Hulud worm is attributed to TeamPCP, a threat actor with an escalating track record in 2026: Aqua Security's Trivy scanner compromised in March, the Bitwarden CLI npm package in April, and TanStack in May. Each attack was more sophisticated than the last. The TanStack attack introduced two capabilities no prior supply chain attack had demonstrated: defeating provenance attestation and self-propagating across package ecosystems (npm and PyPI simultaneously).
The self-propagation mechanism is what gives the attack its name. Like the sandworms of Dune, Shai-Hulud moves through the substrate — in this case, the dependency graph. A compromised package infects projects that depend on it. Those projects, when published, carry the infection to their own dependents. The worm spreads through the supply chain without requiring additional attacker action.
What This Means for Every Modern Framework
Every modern JavaScript framework — Next.js, Nuxt, Remix, Astro, SvelteKit — depends on npm packages. TanStack Router is a common dependency in React applications. The compromise reached into codebases that had no direct relationship with TanStack's development team. This is the defining characteristic of supply chain attacks: the victim did not make a mistake. They installed a dependency, as every modern application does, and the dependency was compromised.
SLSA provenance was supposed to be the defense. With provenance defeated, the npm ecosystem currently has no automated mechanism to distinguish a legitimate package update from a supply chain attack. The next line of defense is behavioral analysis — tools like Socket.dev that analyze what a package does rather than where it claims to come from. But behavioral analysis is not yet standard in most CI/CD pipelines.


