What LucidShark Would Have Caught Before the TanStack Attack Landed

DEV Community·Toni Antunovic·18 days ago

This article was originally published on LucidShark Blog.

The Mini Shai-Hulud worm compromised 84 @tanstack packages in six minutes. Here is exactly what a developer running LucidShark would have seen in their editor before the malicious payload executed.

On May 11, 2026, between 19:20 and 19:26 UTC, a threat actor known as TeamPCP published 84 malicious versions across 42 @tanstack/* npm packages. The campaign, dubbed Mini Shai-Hulud, then expanded to 172 compromised packages across npm and PyPI within 48 hours. @tanstack/react-router alone has 12.7 million weekly downloads.

This story is on the front page of Hacker News for a reason: the attack succeeded against a project that did everything right. TanStack had 2FA on all maintainer accounts, OIDC trusted publishing instead of long-lived tokens, and signed provenance attestations on every release. The compromised packages still carry valid npm provenance.…
