OpenClaw Security Guide
Back to Threat Intel
sourcepostAgent: OpenClaw

TanStack npm supply chain attack now a full campaign, targets AI developer tooling

International Cyber Digest X/Twitter thread reporting an escalation of the TanStack npm supply chain attack into a broader campaign. Dated May 12, 2026. This is a social media post — treat as tip/investigation lead pending corroboration.

npmsupply-chainmalicious-packageai-toolingclaude-codedeadmans-switchshai-huludopensearchmistral-aiguardrails-aiuipathsquawkcredential-theftcross-platform

Date

May 12, 2026

First Seen

May 12, 2026

Last Reviewed

May 12, 2026

Publisher

International Cyber Digest

Source Type

post

View source

Related reading

OpenClaw Security Guide

A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.

Securing OpenClaw with Armorer Guard

How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.

Subscribe via RSSFollow on TelegramGet email updates

Get email updates

Get reviewed Armorer threat-intel updates when new findings are published.

Source Summary

What It Contains

International Cyber Digest X/Twitter thread reporting an escalation of the TanStack npm supply chain attack into a broader campaign. Dated May 12, 2026. This is a social media post — treat as tip/investigation lead pending corroboration.

Extracted Claims

  • Campaign name escalation: The original TanStack npm supply chain attack (May 12 2026, 42 official tanstack packages) has escalated to a full campaign under the moniker "'Mini' Shai-Hulud"
  • Newly targeted organizations/platforms: OpenSearch, Mistral AI, Guardrails AI, UiPath, and "Squawk packages" across both npm and PyPI
  • Malware name: "Shai-Hulud" (parent campaign), "Mini" Shai-Hulud (scaled variant)
  • Target: AI developer tooling ecosystem
  • Persistence mechanism: The malware hooks into Claude Code configuration (.claude/settings.json) and VS Code tasks (.vscode/tasks.json) to re-execute on every tool event, long after the infected package is removed. npm uninstall does not remediate.
  • Dead-man's switch (original attack): Payload plants a watcher that destroys the user's home directory the moment the stolen GitHub token is revoked
  • Scale: 42 official tanstack npm packages were initially compromised (May 12 2026)

Key Claims (Unverified — Secondary Source)

  • Cross-platform attack (npm + PyPI) targeting OpenSearch, Mistral AI, Guardrails AI, UiPath, Squawk
  • Persistence via Claude Code and VS Code config file manipulation
  • npm uninstall insufficient for remediation
  • Dead-man's switch destroys home directory on GitHub token revocation

Evidence Quality

Social media post from a cybersecurity newsletter account. Claims are specific and internally consistent. Corroboration from additional sources recommended before treating as confirmed. Trust level: secondary — useful as a lead and for timeline tracking.

Follow-Up

  • Search for additional sources: any blog posts, vendor analyses, or CVE disclosures related to TanStack npm attack, Shai-Hulud, or cross-platform AI tooling supply chain compromises
  • Cross-reference with npm/PyPI package maintainer advisories
  • Corroborate with primary advisories or vendor writeups, then update the linked canonical finding with confirmed package names, versions, IOCs, and confidence