Tech

TanStack packages under investigation amid allegations of supply chain compromise

The TanStack team has opened an issue to track the matter following reports from StepSecurity regarding a new supply chain threat known as Mini-Shai-Hulud.

Author: Owen Mercer, Markets and Finance Editor
Published: Draft
Source: Hacker News
Security researchers warn of a self-spreading attack vector affecting recent NPM releases while the development team launches a formal inquiry.

Security concerns have emerged regarding several recent releases of TanStack NPM packages, with allegations suggesting they may have been compromised. The development team is actively investigating the matter and has pointed users to an external report detailing the nature of the threat.

The investigation centres on a specific attack pattern described as "Mini-Shai-Hulud". This self-spreading supply chain attack targets the NPM ecosystem by allowing malicious code to propagate through dependencies: a compromised package modifies its own dependencies or alters other packages within the ecosystem so that they in turn distribute the malicious payload.

The issue was formally raised on GitHub on 11 May 2026 under Issue #7383 within the TanStack/router repository. While the specific packages affected beyond the general reference to recent releases are not explicitly listed in the available reports, the scope of the concern involves multiple components within the ecosystem.

TanStack is a well-known provider of NPM packages, including the popular router library, making its supply chain a critical node for developers. The NPM ecosystem is frequently targeted by such incidents where malicious code is injected into popular dependencies, creating significant risks for downstream users who rely on these libraries.

At this stage, the claim that packages are potentially compromised remains an allegation under active investigation and has not been definitively confirmed as a breach. The TanStack team has not yet provided a full list of affected software or detailed instructions on immediate remediation steps for end-users.

For those monitoring the situation, the TanStack team is tracking the investigation via GitHub Issue #7383. Further details and findings regarding the attack vector are expected to be shared through the linked external report by StepSecurity.
