Which threat group is responsible for the npm ecosystem attack in May 2026?

The attack is attributed to the TeamPCP threat group.

How did the worm in the npm ecosystem attack spread so rapidly?

The worm spread by injecting compromised code into build pipelines, producing valid SLSA provenance certificates.

Which packages were affected by the npm ecosystem attack in May 2026?

42 packages from the @tanstack namespace and dozens of other maintainers including Mistral AI, UiPath, and OpenSearch.

What makes the latest wave of npm supply chain attacks unique?

The latest wave is notable for its use of valid SLSA Build Level 3 attestations.

NPM Ecosystem Hit by Supply Chain Attack, TeamPCP Uses Malicious Worm Toolchain

A devastating attack compromised 42 packages from the @tanstack namespace and spread to dozens of other maintainers. The worm produced valid SLSA provenance certificates.

A devastating supply chain attack has struck the npm ecosystem, compromising 42 packages from the @tanstack namespace and spreading to dozens of other maintainers within hours. The attack, attributed to the TeamPCP threat group, is notable for its use of a malicious worm toolchain that hijacked legitimate build pipelines to produce valid SLSA provenance certificates.

The incident began on May 11, 2026, when an attacker created a fork of TanStack's router package under a fake identity. The attacker then added malicious code to the package and used GitHub Actions cache poisoning to inject the compromised code into the build pipeline. The worm was able to produce valid SLSA provenance certificates because it hijacked the legitimate build pipeline itself, rather than stealing credentials or using phishing tactics.

The attack spread rapidly, with 84 malicious versions of TanStack packages being published across two workflow runs in a six-minute window. The compromised packages were not limited to TanStack's own namespace, but also affected dozens of other maintainers, including Mistral AI, UiPath, and OpenSearch. The worm was able to produce valid SLSA Build Level 3 attestations, making it the first documented case of an npm package carrying such certificates.

Background and Context

The TanStack attack is not an isolated incident, but rather the latest wave in a series of npm supply chain attacks using the Shai-Hulud worm toolchain. TeamPCP, the group attributed to this attack, has been linked to previous incidents, including the compromise of Aqua Security's Trivy scanner and the Bitwarden CLI npm package. Each wave of attacks has built on the technical sophistication of its predecessor, with the latest wave using a malicious worm toolchain that hijacked legitimate build pipelines.

The Shai-Hulud worm toolchain has been used in multiple waves of attacks since September 2025, with each wave increasing in scale and complexity. The first wave compromised over 500 packages across 700+ repos, while the second wave affected 492 packages and 132M monthly downloads. The latest wave, attributed to TeamPCP, is notable for its use of valid SLSA Build Level 3 attestations.

Why it Matters to the Industry

The TanStack attack highlights the vulnerability of npm's supply chain to malicious attacks. The fact that a worm was able to hijack legitimate build pipelines and produce valid SLSA provenance certificates raises serious concerns about the security of package dependencies. This incident serves as a reminder that even trusted packages can be compromised, and that developers must remain vigilant in monitoring their dependencies.

The attack also underscores the importance of robust security measures, including two-factor authentication (2FA) and secure coding practices. TanStack's team had 2FA enabled on all accounts, but it did not prevent the attack. This incident highlights the need for more comprehensive security measures to protect against supply chain attacks.

What Comes Next

The npm community has responded quickly to the attack, with TanStack issuing an official all-clear after a three-day full security sweep and hardening pass. The affected packages have been deprecated, and npm security has engaged to pull tarballs from the registry. Developers are advised to rotate every secret accessible from their install host if they installed any affected @tanstack/* version on May 11.

The incident also raises questions about the effectiveness of SLSA provenance certificates in preventing supply chain attacks. While these certificates are meant to verify a package was built from a trusted source, they do not guarantee that the code being built is safe. This highlights the need for more robust security measures and better monitoring of package dependencies.

Key Facts

The attack compromised 42 packages from the @tanstack namespace and spread to dozens of other maintainers within hours.
The worm used a malicious toolchain that hijacked legitimate build pipelines to produce valid SLSA provenance certificates.
TeamPCP, the group attributed to this attack, has been linked to previous incidents, including the compromise of Aqua Security's Trivy scanner and the Bitwarden CLI npm package.
The Shai-Hulud worm toolchain has been used in multiple waves of attacks since September 2025, with each wave increasing in scale and complexity.
Developers are advised to rotate every secret accessible from their install host if they installed any affected @tanstack/* version on May 11.

The TanStack attack serves as a stark reminder of the vulnerability of npm's supply chain to malicious attacks. As the industry continues to grapple with the implications of this incident, it is clear that more robust security measures and better monitoring of package dependencies are needed to prevent such attacks in the future.