42 @tanstack/* Packages Were Compromised on npm: What Happened, How It Works, and What You Must Do Right Now

DEV Community·VIKAS·20 days ago

TL;DR: On May 11, 2026, 84 malicious versions across 42 @tanstack/* packages were live on npm for ~20 minutes. No npm tokens were stolen. No accounts were compromised. The attacker hijacked TanStack's own GitHub Actions release pipeline using three chained vulnerabilities and published malware through the project's trusted OIDC identity. If your CI ran npm install on May 11, treat every secret it had access to as stolen.

The Router Package Powering 12 Million Projects Just Got Weaponized

@tanstack/react-router has over 12.7 million weekly downloads. It's in production React apps across the world, from solo founders shipping MVPs to enterprise teams running critical infrastructure. On the evening of May 11, 2026, it became a credential-stealing worm. This was not a theoretical supply chain risk. This was live malware, published through a cryptographically valid, SLSA-attested release pipeline, that ran silently in CI environments and self-propagated to every other npm package its victims maintained.…
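The TL;DR tells you to treat any CI run that installed on May 11 as exposed. As an added example (not code from the article or from TanStack), here is the first triage step: read the locked @tanstack/* versions out of a package-lock.json and flag any whose registry publish timestamp (the per-version "time" map that `npm view <pkg> time --json` returns) falls inside a given window. The lockfile contents, versions and timestamps are constructed samples, and the window is a placeholder because the article gives the day and the ~20-minute duration but not the exact start time.

```javascript
// Added example, not code from the article or from TanStack: flag @tanstack/*
// entries in a package-lock.json whose locked version was published inside a
// time window, using the registry "time" map. All sample data is constructed.
const SCOPE = "@tanstack/";
// Constructed lockfile fragment (lockfileVersion 3: "packages" keyed by path).
const sampleLock = {
  packages: {
    "node_modules/@tanstack/react-router": { version: "9.9.9" },
    "node_modules/@tanstack/history": { version: "1.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};
// Constructed registry metadata: package name -> { version: ISO publish time }.
const sampleTimes = {
  "@tanstack/react-router": {
    created: "2021-01-01T00:00:00.000Z",
    "9.9.8": "2026-05-01T10:00:00.000Z",
    "9.9.9": "2026-05-11T20:05:00.000Z", // falls inside the window used below
  },
  "@tanstack/history": { "1.0.0": "2026-04-20T12:00:00.000Z" },
};

// Collect every installed package under the scope, with its locked version.
function installedScopedPackages(lock, scope = SCOPE) {
  const out = [];
  for (const [loc, meta] of Object.entries(lock.packages || {})) {
    const idx = loc.lastIndexOf("node_modules/"); // handles nested installs
    if (idx === -1 || !meta.version) continue;
    const name = loc.slice(idx + "node_modules/".length);
    if (name.startsWith(scope)) out.push({ name, version: meta.version });
  }
  return out;
}

// Return the scoped packages whose locked version was published in [start, end].
// A version missing from the time map is skipped, not treated as clean.
function flagVersionsInWindow(lock, times, start, end, scope = SCOPE) {
  const lo = Date.parse(start), hi = Date.parse(end);
  return installedScopedPackages(lock, scope).flatMap(({ name, version }) => {
    const published = times[name] && times[name][version];
    if (!published) return [];
    const t = Date.parse(published);
    return t >= lo && t <= hi ? [{ name, version, published }] : [];
  });
}

// Placeholder window: the article names the day and the ~20-minute duration,
// not the exact start time, so the whole day (UTC) is scanned here.
console.log(flagVersionsInWindow(sampleLock, sampleTimes,
  "2026-05-11T00:00:00Z", "2026-05-11T23:59:59Z"));
```

A hit only means "a version of this package published inside the window is locked in your tree"; confirm it against the project's own list of affected versions before concluding the install was malicious, and remember that a clean lockfile says nothing about secrets already exposed by a CI run that day.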
