1004: TanHacked

Syntax - Tasty Web Development Treats

May 13, 2026

Scott and Wes break down the “Mini Shai-Hulud” supply chain attack that compromised TanStack and other popular npm packages through a clever GitHub Actions cache poisoning exploit: a self-propagating worm that stole credentials and persisted through Claude Code hooks and VS Code tasks.
Speakers: Wes Bos, Scott Tolinski
**Wes Bos** (0:00)
TanStack got TanHacked. Vercel got their walled garden penetrated. After stealing content for years, Udemy got their content stolen. Lovable, they got their vibes snatched. And now, NPM and PyPI have been hit with a major supply chain attack targeting several popular JavaScript and Python packages.
This is Shia LaBeouf. I mean, Shai-Hulud, which is the latest worm in a series of Shai-Hulud worms. The original Shai-Hulud worm showed up back in September 2025, which feels like a century ago at this point.
Malicious versions of multiple popular packages were published to NPM; they contained a post-install script that harvested sensitive data and sent it to public GitHub repos named Shai-Hulud. So that's why we have the name Shai-Hulud here. I also think that's a Star Wars thing. Shai-Hulud.

**Scott Tolinski** (1:03)
That's a sick hardcore band. If you're into hardcore music, look up Shai-Hulud. Sick band.

**Wes Bos** (1:10)
It's actually from the movie Dune, by the way, in case you were wondering. We're just going to run through pissing off people here. The new Shai-Hulud 2 dropped in November 2025, and PostHog got their hog posted, and Zapier got zapped, and Postman also got their hog posted with the new Shai-Hulud. Then it struck again as Shai-Hulud 3 in December of 2025. Now, I don't know why they don't call this one Shai-Hulud 4.0, but this is mini Shai-Hulud. Yes, this is mini Shai-Hulud. Yes, right. It is mini. It's a little mini worm.
Wes, Shai-Hulud is a worm in Dune, just in case you want to get the reference if you've never seen the Dune movie, which I assume sounds dumb.

**Scott Tolinski** (2:00)
This is insane. We're going to go through what happened, how it happened, what it did, and how you can protect yourself. But like, man, I'm tired. This seems to be happening every single day. And how it happened is actually nuts.

So what happened? The publishing sequence of TanStack, all of the TanStack packages along with several other packages in the ecosystem, were compromised, and they were able to publish a new update of the package that then had like a post-install script in it. And then that went in and harvested credentials. But how it actually happened, this was not like some maintainer got his password stolen or something was run on their computer and it lifted credentials. How it actually happened was absolutely not that.

So what happened was GitHub Actions have caches. And when you send in a pull request to a repo, that repo may have several GitHub Actions in there. So in the case of TanStack, they had ones that would check the bundle size, make sure you're not accidentally sending in a pull request that's making the bundle size much bigger. And then there were other ones that would check speed. You know, often there's things that will simply just run every single time that someone sends in a pull request. And then there's other ones that are a little bit more elevated, which is like you don't actually want to...
Like for example, if someone were to pull request against the Syntax website, we would have to approve that before it actually did a pull request deployment, because they could be sending in code that would do malicious stuff.
But what happened here is they took advantage of the fact that these GitHub Actions have a shared cache. And I guess when you're making a GitHub Action, there is a pull request. You can either have a `pull_request` hook or a `pull_request_target`. And when you use `pull_request_target`, they then have a shared cache between other ones. And this took advantage of that by poisoning the PNPM store directory. So it built a brand new thing, and then it took its malicious code and injected it into the PNPM store in a place where, when something legitimate was merged, the sort of elevated `release.yml` workflow would run, it would know to actually look up this thing and run it. So they poisoned the PNPM store cache, and then, turns out, they just deleted all the code and then closed the repo. But that PNPM store cache was still poisoned. Then, when a legitimate thing was merged, the release GitHub Action was run and it looked it up, it had the poisoned cache, and it ran this script that was in there.
That then failed. However, in the cleanup code of it failing, it was able to capture what's an OIDC token, essentially just like a JSON Web Token for NPM. And then that was how they were able to capture a legitimate NPM publish token that can then be used to publish anything. Once you have that, then you can go ahead and publish more compromised software straight to NPM, which is nuts. I'll say this again: this was not somebody getting any of their credentials stolen at all. It was simply just somebody using the fact that they realized the `pull_request_target` was a potential target, right?
