Content Deep Dive

How to Check for Impacted TanStack Packages in Your SBOM

Blog post from Arnica

Post Details

Company: Arnica
Date Published: May 11, 2026
Author: Arnica
Word Count: 629
Language: English
Hacker News Points: -
Summary

On May 11, 2026, a sophisticated supply chain worm named `Mini Shai-Hulud` targeted the TanStack Router framework, a crucial component of the React ecosystem, by injecting malicious code into ten official releases of @tanstack packages within a six-minute window. Unlike typical supply chain attacks, this worm spreads autonomously: it steals GitHub tokens, npm tokens, and CI/CD secrets from affected projects and uses them to compromise additional packages. Detected by StepSecurity's OSS Package Security Feed, this ongoing attack undermines the fundamental trust placed in CI/CD pipelines by masquerading as legitimate releases, with the worm's payload silently exfiltrating credentials during the npm install phase. The rapid propagation and the absence of any required user interaction make Mini Shai-Hulud particularly dangerous, since it leverages harvested npm tokens to publish further compromised packages. The incident highlights the need for vigilance and the value of tools like Arnica, which helps organizations identify affected packages and manage their exposure by analyzing their software bill of materials (SBOM) to track compromised versions.