Anonymous Intelligence Signal

Mini Shai-Hulud Malware Infiltrates Hundreds of Open-Source Packages, Including TanStack React Router

Author: The Lab | Tags: human, unverified | 2026-05-13 00:18:27 | Source: CyberScoop RSS

A sprawling supply-chain attack has embedded credential-stealing malware into hundreds of open-source software packages distributed through major registries, security researchers warned. The campaign, dubbed "mini Shai-Hulud," targets development tools with massive user bases, placing malicious code within reach of development teams across countless enterprise environments.

The attack struck several prominent libraries, including TanStack, UiPath, and MistralAI. TanStack's React Router package alone generates more than 12 million weekly downloads, meaning the compromised code has likely propagated deep into the software supply chains of modern applications. According to a company blog post, TanStack's security teams have removed all affected versions from the registry. While investigators found no evidence that registry credentials were exfiltrated, the full scope of exposure remains under review.

Security experts are urging any developer who downloaded the implicated tools on Monday to immediately rotate all connected credentials, including those for Amazon Web Services, Google Cloud, and GitHub. The incident underscores a systemic weakness in automated software publishing pipelines, where compromised build or publish steps can silently inject malicious code into trusted packages. Analysts note that the attack's precision—targeting high-velocity libraries with deep downstream reach—reflects a growing sophistication among threat actors exploiting the open-source ecosystem's trust model.
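One concrete step a team can take before rotating credentials is to find out whether a compromised version of a named package is actually resolved anywhere in their lockfile, including copies nested under other dependencies. The script below is an added example and is not code from CyberScoop, TanStack or any of the projects named above; the sample `package-lock.json` and the `AFFECTED` version strings are constructed placeholders, and the real affected-version list must be taken from the maintainers' advisory.

```python
import json
from typing import Dict, List, Set

# Constructed sample package-lock.json (lockfileVersion 3 layout). The package
# names are real; every version string here is invented for the example.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@tanstack/react-router": {"version": "1.0.0-example"},
    "node_modules/some-lib": {"version": "2.3.4"},
    "node_modules/some-lib/node_modules/@tanstack/react-router": {"version": "0.9.9-example"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

# Placeholder set of versions to treat as compromised. These values are made up
# for the example; the real list comes from the maintainers' advisory.
AFFECTED: Dict[str, Set[str]] = {
    "@tanstack/react-router": {"0.9.9-example"},
}


def installed_versions(lock: dict, name: str) -> List[str]:
    """Return every resolved version of `name` in an npm lockfile.

    lockfileVersion 2/3 store a flat "packages" map keyed by install path, so a
    package pinned twice (top-level and nested under another dependency) shows
    up under two different keys; both are reported. lockfileVersion 1 nests
    "dependencies" recursively, so that shape is walked as a fallback.
    """
    versions: List[str] = []
    packages = lock.get("packages")
    if packages:
        suffix = "node_modules/" + name
        for path, meta in packages.items():
            # Exact top-level key, or a nested path ending in /node_modules/<name>.
            if path == suffix or path.endswith("/" + suffix):
                versions.append(meta["version"])
        return versions

    def walk(deps: dict) -> None:
        for dep_name, meta in deps.items():
            if dep_name == name:
                versions.append(meta["version"])
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return versions


def flag_affected(lock: dict, affected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each watched package to the sorted installed versions found in its affected set."""
    hits: Dict[str, List[str]] = {}
    for name, bad in affected.items():
        matched = sorted(v for v in installed_versions(lock, name) if v in bad)
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    import sys

    # Pass a real package-lock.json path as the first argument; otherwise the
    # constructed sample above is scanned.
    lock = SAMPLE_LOCK if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    hits = flag_affected(lock, AFFECTED)
    for name, versions in hits.items():
        print(f"{name}: affected version(s) installed: {', '.join(versions)}")
    if not hits:
        print("no affected versions found in lockfile")
```

The nested-path check matters: a top-level pin on a clean version does not prove the package is clean, because a transitive dependency can pull a second copy under its own `node_modules`. A hit from this script is a reason to treat the machine and any CI runner that installed from that lockfile as having had the credentials the article lists exposed, and to rotate them.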