Canadian Cyber Security Journal

Mini Shai-Hulud Hits TanStack and OpenAI: TeamPCP’s npm Worm Reaches 172 Packages — What Canadian Developers Need to Know

What Happened

Between 19:20 and 19:26 UTC on May 11, 2026, the Mini Shai-Hulud worm published 84 malicious versions across 42 @tanstack/* npm packages. TanStack is a widely used collection of open-source libraries — including TanStack Query, TanStack Router, and TanStack Table — with tens of millions of weekly downloads. Within 48 hours, the campaign expanded to 172 packages and 403 malicious versions spanning both npm and PyPI, also hitting Mistral AI’s Python SDK and UiPath libraries.

The worm, attributed to TeamPCP by multiple security researchers at Wiz, Orca Security, and CyberScoop, uses compromised developer credentials and CI/CD pipeline tokens to authenticate as legitimate publishers, giving the malicious packages valid provenance signatures. The payload harvests environment variables, cloud credentials, SSH keys, and developer secrets from build environments where the packages are installed.

OpenAI disclosed that two of its employees’ corporate devices ran affected TanStack packages during the exposure window, resulting in internal credential compromise. OpenAI responded by rotating code-signing certificates for its macOS desktop applications — including the ChatGPT app — which requires all macOS users to install an updated version to continue using the apps. OpenAI confirmed that no user data, production systems, or intellectual property was accessed or modified, according to its published response and reporting from The Hacker News and BleepingComputer. The malicious package versions were removed, and npm and PyPI have both taken action.

Why This Matters for Canadian Organizations

Canadian software development teams, SaaS companies, and cloud operators are among the heaviest consumers of open-source JavaScript and Python ecosystems. TanStack libraries are found in React-based frontend applications across the financial services, healthcare, government digital services, and education sectors. Any development environment or CI/CD pipeline that installed a @tanstack/* package between May 11 and May 13, 2026, should be treated as potentially compromised until confirmed otherwise.

TeamPCP has now executed multiple high-profile supply chain attacks against Canadian-relevant targets in 2026 — Trivy, LiteLLM, Checkmarx KICS, PyTorch Lightning, and now TanStack. The pattern is consistent: valid publisher credentials are obtained through earlier credential theft, malicious versions are published with working provenance signatures, and the worm propagates by harvesting new credentials from CI/CD environments it infects. Canadian DevOps teams relying on automated npm and PyPI installs without package integrity verification face ongoing structural exposure.

Under PIPEDA and OSFI Guideline B-13, organizations that experience a software supply chain compromise leading to credential theft must assess whether personal information or systems subject to regulatory obligations were accessible from the affected environment. If CI/CD pipelines touching production databases, customer data, or regulated systems ran affected packages, a formal breach assessment is warranted.

What to Do

Audit your package.json and requirements.txt files, and any lockfiles, for @tanstack/* versions published between May 11 and May 13, 2026. Cross-reference against the published list of affected versions from Wiz and Orca Security. If affected versions were installed, rotate all credentials, tokens, API keys, and SSH keys accessible from that build environment. Check your CI/CD pipeline logs for any outbound connections to unexpected endpoints during the exposure window. Enable npm provenance verification and consider adding package integrity checks to your pipeline; because the malicious versions were published with valid provenance signatures, provenance verification on its own would not have flagged them. OpenAI macOS app users must update their desktop apps immediately to receive the new signing certificates.
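
The lockfile audit described above can be scripted. The following is an added example, not code from Wiz, Orca Security, npm or TanStack: it walks a parsed package-lock.json, including nested transitive copies, and separates exact matches against an affected-version list from other @tanstack/* installs that still need review. The function names, the AFFECTED entries and the sample lockfile are constructed placeholders; substitute the published affected versions.

```javascript
// CONSTRUCTED placeholders, not real indicators: replace with the name@version
// pairs from the affected-version lists the article refers to.
const AFFECTED = new Set(['@tanstack/example-a@9.9.1', '@tanstack/example-b@9.9.2']);

// Return every installed package as { name, version, path }.
// lockfileVersion 2/3: flat "packages" map; version 1: nested "dependencies" tree.
function listInstalled(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf('node_modules/');
      if (i < 0 || !meta.version) continue; // root project, workspace sources, links
      // "node_modules/x/node_modules/@scope/y" -> "@scope/y"
      const name = meta.name || path.slice(i + 13);
      found.push({ name, version: meta.version, path });
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      found.push({ name, version: meta.version, path });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Split @tanstack/* installs into exact matches against the affected list and
// remaining entries whose publish date still needs checking by hand.
function auditLock(lock, affected = AFFECTED) {
  const scoped = listInstalled(lock).filter((p) => p.name.startsWith('@tanstack/'));
  return {
    affected: scoped.filter((p) => affected.has(`${p.name}@${p.version}`)),
    review: scoped.filter((p) => !affected.has(`${p.name}@${p.version}`)),
  };
}

// CONSTRUCTED sample lockfile (v3 layout) with a nested transitive copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/@tanstack/example-a': { version: '9.9.0' },
  'node_modules/left/node_modules/@tanstack/example-a': { version: '9.9.1' },
  'node_modules/left': { version: '2.0.0' },
} };

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

To audit a real project, pass auditLock the result of JSON.parse on the lockfile's contents; a clean lockfile does not clear a machine that resolved a different version during the exposure window, so CI install logs still need checking.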
