Critical · CVSS 10.0 May 11, 2026 · TeamPCP / Shai-Hulud Campaign

Mini Shai-Hulud: TanStack npm Supply Chain Attack

How TeamPCP chained three GitHub Actions vulnerabilities to publish 84 malicious packages with valid SLSA provenance — and compromise OpenAI

On May 11, 2026, the threat actor group TeamPCP executed the most technically sophisticated npm supply chain attack ever documented. In a six-minute window between 19:20 and 19:26 UTC, attackers published 84 malicious versions across 42 packages in the @tanstack/* namespace — without stealing a single long-lived credential. The attack then self-propagated to 169 total packages including Mistral AI's official SDK, UiPath, and OpenSearch, and confirmed the compromise of two OpenAI employee devices. What makes CVE-2026-45321 historically significant is not its scale: malicious packages carried valid SLSA Build Level 3 provenance attestations — a cryptographic guarantee that was supposed to prove a package was built from a trusted source. TeamPCP did not forge these attestations. They hijacked the legitimate build pipeline itself.

169 Packages Compromised

373 Malicious Versions

SLSA BL3 Valid on Malicious Pkgs

6 min Initial Publish Window

"Valid provenance attestations proved that a package was built from a specific workflow — but they could not verify that the workflow itself had not been compromised."

— Key takeaway, TanStack Postmortem, May 11, 2026

Members only

Full technical analysis, attack chain, IOCs, and the defensive checklist are available to registered members — free to join.

Primary sources: TanStack postmortem (May 11, 2026), GHSA-g7cv-rxg3-hmpx / CVE-2026-45321, OpenAI security response, Orca Security technical analysis, ThreatLocker TeamPCP attribution report, SafeDep self-propagation analysis, and Snyk vulnerability report. This advisory is an independent defensive guide produced by Spectreworks AI for educational purposes only and is not affiliated with TanStack, OpenAI, Orca Security, ThreatLocker, SafeDep, or Snyk.