TanStack hit by network compromise
Incident
Summary
Hide ▲
Show ▼
TanStack was hit by a package compromise on May 11, 2026, when attackers published 84 malicious versions across **42 @tanstack/* packages and abused the release path so downstream installs could run attacker code. The broader Mini Shai-Hulud campaign used those packages to target CI/CD environments and steal tokens, and later reporting linked Grafana Labs’ GitHub breach and code theft to the same activity. Grafana said the attacker accessed its GitHub environment, downloaded its codebase, and took some internal operational information, while stating there is no indication customer production systems or the Grafana Cloud** platform were compromised.
Related Happenings
Malicious npm and PyPI payment SDK typosquat packages
Malware Activity
H score40
First: 09.07.2026 18:09
Last: 09.07.2026 18:09
Sources 1
About this happening:
The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
Malicious npm and PyPI payment SDK typosquat packages
Malware ActivityAbout this happening: The **17 malicious npm and PyPI packages** targeted **Paysafe, Skrill, and Neteller SDKs** to steal **system information** and **developer secrets**, then send the data to an **Ng...
North Korean Contagious Interview PolinRider supply-chain campaign
Campaign
H score51
First: 04.07.2026 14:17
Last: 04.07.2026 14:17
Sources 1
About this happening:
The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
North Korean Contagious Interview PolinRider supply-chain campaign
CampaignAbout this happening: The **Contagious Interview / PolinRider** campaign is still active, with **108 unique packages and browser extensions** published across **npm, Packagist, Go, and Google Chrome**....
Codfish/semantic-release-action hit by network compromise
Incident
H score21
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Codfish/semantic-release-action hit by network compromise
IncidentAbout this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware Activity
H score36
First: 26.06.2026 14:05
Last: 26.06.2026 14:05
Sources 1
About this happening:
The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
Mini Shai-Hulud / Miasma / Hades multi-ecosystem supply-chain malware activity
Malware ActivityAbout this happening: The **Mini Shai-Hulud / Miasma / Hades** malware activity added **malicious npm releases**, **GitHub Actions workflow abuse**, and a related **Go module compromise**, increasing t...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/Service
H score11
First: 23.06.2026 17:22
Last: 23.06.2026 17:22
Sources 1
About this happening:
GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
GitHub actions/checkout blocks fork pull request checkouts by default in privileged workflows
Security Tool/ServiceAbout this happening: GitHub's **actions/checkout** now refuses common **pwn request** patterns by default, cutting the risk of attacker-controlled code execution in privileged **GitHub Actions** workf...
Timeline
-
21.05.2026 11:00 1 articles · 1mo ago
Grafana Labs reports GitHub codebase theft after TanStack-linked compromise
Victim Impact UpdateOn May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Show sources
- Grafana Labs Says Code Breach Stemmed from TanStack Attack — www.infosecurity-magazine.com — 21.05.2026 11:00
-
12.05.2026 17:45 2 articles · 1mo ago
TanStack hit by network compromise
Initial DisclosureThe initial compromise appeared on **May 11, 2026**, when malicious versions were published across **42 @tanstack/* packages** within minutes. Early evidence showed the release pipeline was abused to seed installer-executed payloads into downstream environments.
Show sources
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45
- Mini Shai-Hulud Hits TanStack npm Packages — www.infosecurity-magazine.com — 12.05.2026 17:45