MAL-2026-3462: Malicious code in @tanstack/eslint-plugin-start (npm)
The npm package @tanstack/eslint-plugin-start versions 0.0.4 and 0.0.7 contain malicious code introduced by the TeamPCP threat actor as part of the "Mini Shai-Hulud is back" worm. This malware steals…
Read the full articleYou might also wanna read

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistra

Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account
A compromised npm maintainer account triggered an automated burst of over 300 malicious package versions across 323 packages in the AntV dat
317 npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.
Shai-Hulud: Largest npm Supply-Chain Compromise Affecting CrowdStrike and Hundreds of Packages
We are tracking the largest and most dangerous npm supply-chain compromise in history, known as the Shai-Hulud malware campaign, which has n

"A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages
A new npm supply chain attack self-branded "Mini Shai-Hulud" compromised four SAP-ecosystem packages on April 29, 2026. Snyk has live adviso
GitLab Identifies Large-Scale npm Supply Chain Attack with Destructive Malware
Malware driving attack includes "dead man's switch" that can harm user data.

Comments
Sign in to join the conversation.
No comments yet. Be the first.