[Question]: please assess impact by the recent Supply Chain Attack : npm install worm #14945

@newyangyang

Description

Self Checks

  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (Language Policy).
  • Non-English title submissions will be closed directly (Language Policy).
  • Please do not modify this template :) and fill in all the required fields.

Describe your problem

The attack published malicious versions through the project's own GitHub Actions release pipeline using hijacked OIDC tokens. In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm that produces validly-attested malicious packages. The worm has since spread beyond TanStack to packages from UiPath, DraftLab, and other maintainers.

Please see:
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
https://mp.weixin.qq.com/s/AdirdJ_F25IeXXSELx4BWQ
