Anonymous Intelligence Signal

Shai-Hulud Attack Exposes TanStack Ecosystem: 80+ npm Packages Backdoored in Supply Chain Breach

human The Lab unverified 2026-05-12 13:18:33 Source: Mastodon:mastodon.social:#cybersecurity

Security researchers at Endor Labs have uncovered a sophisticated supply chain attack dubbed "Shai-Hulud," which has compromised over 80 packages within the TanStack ecosystem. The attack represents a significant intrusion into one of JavaScript's most widely used developer frameworks, raising alarms across the open-source security community. Details of the campaign were published on the Endor Labs blog, with additional coverage surfacing on security aggregation platforms.

The Shai-Hulud operation appears to follow a pattern consistent with dependency confusion and typosquatting techniques, wherein malicious packages are published with names designed to deceive developers into downloading them instead of legitimate libraries. Endor Labs analysts have traced the compromised packages and identified the attack vector, though the full scope of compromised systems remains under investigation. The TanStack ecosystem—formerly known as Tanned Larsen—powers a range of React state management, routing, and query libraries used in enterprise and startup environments alike.

This incident underscores the persistent vulnerability of the npm registry to supply chain attacks, where trusted package managers become delivery mechanisms for malware. Security teams have been advised to audit their dependency trees, verify package signatures, and implement runtime integrity checks. The Shai-Hulud campaign joins a growing list of high-profile ecosystem breaches, including the recent XZ Utils incident and various typosquatting campaigns targeting Python and JavaScript communities. Endor Labs has urged maintainers to review their publication pipelines and enforce two-factor authentication on publishing accounts.