@Tanstack/React-Router

The Mini Shai-Hulud supply chain campaign, attributed to TeamPCP, has compromised several npm packages, including those within the @tanstack, @uipath, and @mistralai namespaces, leading to credential theft and potential further compromise.

On 2026-05-11, multiple malicious versions of `@tanstack/*` packages were published to the npm registry due to a chained attack exploiting vulnerabilities in GitHub Actions; the attacker used a compromised GitHub Actions OIDC trusted-publisher binding to publish credential-stealing malware that harvests credentials, exfiltrates data, and propagates the compromise by republishing other packages with the same injection, requiring users who installed affected versions to consider their environment compromised and rotate all credentials.