This article is based on public reporting available as of 2026-05-13. Mini Shai-Hulud is still an actively tracked campaign, so affected packages and IOCs (indicators of compromise) may change.

In May 2026, a supply-chain compromise was reported across TanStack's npm packages. Malicious versions were published for 42 @tanstack/* packages, and installing those versions triggered a credential stealer.

If you look only at TanStack, the incident can seem like a single npm compromise. But when you read The Hacker News coverage and the analyses from StepSecurity and Socket, it is better understood as part of a broader self-propagating supply-chain campaign called Mini Shai-Hulud. The important point is that this was not just "a dependency package was compromised." It was closer to a worm that used developer machines and CI/CD environments as stepping stones to reach the next maintainer and the next package ecosystem.…