Mini Shai-Hulud: Anatomy of the Largest npm Supply Chain Worm Attack
On May 11, 2026, the TeamPCP group compromised 42 TanStack packages in 6 minutes using GitHub Actions cache poisoning and OIDC token extraction from process memory — producing the first-ever malicious package with valid SLSA Build Level 3 provenance.