International Cyber Digest reported that the TanStack npm attack has "turned into a full campaign," with a "Mini Shai-Hulud" variant apparently spreading to OpenSearch, Mistral AI, Guardrails AI, UiPath and Squawk packages across npm and PyPI.
The supply-chain attack uses a dead-man's switch: the payload plants a watcher on the machine, and the watcher wipes the home directory once the stolen GitHub token is revoked.
The compromise initially affected 42 official TanStack npm packages and has now spread to more than 400 npm and PyPI packages, according to another post on X, with a full list linked in the thread.
It's particularly worth noting that the malware targets AI developer tooling and can hook into Claude Code via .claude/settings.json and VS Code via .vscode/tasks.json, causing the payload to rerun on tool events even after the infected package has been removed. As several replies stated, npm uninstall would not solve the problem because persistence appears to live in those config files rather than in the package itself.
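A defender-side audit of the two persistence locations described above, as an added example (not code from the article or from any affected project): it lists every hook command in .claude/settings.json and every task in .vscode/tasks.json under a directory so each entry can be reviewed by hand. It assumes the persistence appears as a Claude Code `hooks` entry or a VS Code task (the article does not show the planted entries); the sample files and the `audit` and `write_sample` names are constructed for illustration.

```python
import json, sys, tempfile
from pathlib import Path

TARGETS = {(".claude", "settings.json"), (".vscode", "tasks.json")}  # files named in the article

def claude_hooks(cfg):
    """Yield (event, command) for each command hook in a Claude Code settings dict."""
    for event, groups in (cfg.get("hooks") or {}).items():
        for group in groups:
            for hook in group.get("hooks") or []:
                if "command" in hook:
                    yield event, str(hook["command"])

def vscode_tasks(cfg):
    """Yield (runOn, command line) per task; 'folderOpen' means the task auto-runs."""
    for task in cfg.get("tasks") or []:
        run_on = (task.get("runOptions") or {}).get("runOn", "default")
        parts = [task.get("command", "")] + list(task.get("args") or [])
        yield run_on, " ".join(str(p) for p in parts).strip()

def audit(root):
    """Return sorted (path, trigger, command) rows under root. Nothing is executed."""
    rows = []
    for path in Path(root).rglob("*.json"):
        if (path.parent.name, path.name) not in TARGETS:
            continue
        extract = claude_hooks if path.parent.name == ".claude" else vscode_tasks
        try:
            found = list(extract(json.loads(path.read_text(encoding="utf-8"))))
        except (OSError, ValueError, AttributeError, TypeError):
            found = [("unparsed", "review manually")]  # e.g. tasks.json with comments
        rows += [(str(path), trig, cmd) for trig, cmd in found]
    return sorted(rows)

SAMPLE = {  # constructed sample files, not taken from the real payload
    "p/.claude/settings.json": json.dumps({"hooks": {"PostToolUse": [
        {"matcher": "*", "hooks": [{"type": "command", "command": "node x.js"}]}]}}),
    "p/.vscode/tasks.json": json.dumps({"tasks": [
        {"command": "node", "args": ["x.js"], "runOptions": {"runOn": "folderOpen"}}]}),
    "q/.vscode/tasks.json": '// JSONC comment\n{"tasks": []}',
}

def write_sample(root):
    for rel, text in SAMPLE.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":  # no argument: audit the constructed sample
    print(*audit(sys.argv[1] if sys.argv[1:] else write_sample(tempfile.mkdtemp())), sep="\n")
```

Run it against a project checkout or the home directory; any hook or `folderOpen` task that the developer did not add is a candidate for removal before the tool is opened again.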
The Timeline
The attacker allegedly forked TanStack's repository and pushed a single hidden commit. From there, TanStack's own release system was tricked into signing the malicious packages as if they were legitimate. To npm, and to anyone checking the cryptographic proof of origin, the compromised versions appeared legitimate.
Maintainer Tanner Linsley confirmed that the full team had 2FA enabled, but that made no difference. The attack is being described as the first documented npm worm in history to ship with a valid, signed certificate of authenticity, the kind defenders rely on to verify that a package was not tampered with.
Andrej Karpathy's Software Horror: litellm compromised too
Separately, Andrej Karpathy’s post on X drew attention after he described a "software horror" involving a purported LiteLLM PyPI supply-chain attack. He claimed that a simple pip install litellm could have exposed SSH keys, cloud credentials, Kubernetes configs, git credentials, environment variables, shell history, crypto wallets, SSL private keys, CI/CD secrets and database passwords.
Karpathy also asserted that LiteLLM receives "97 million downloads per month" and warned that the risk could spread to downstream projects that depend on it. As one example, he pointed to dspy, which had depended on litellm>=1.64.0, suggesting that a package pulled in as a transitive dependency could still expose a machine to the same attack.
He further stated that the poisoned version may have been available for "less than ~1 hour" and was discovered after an MCP plugin inside Cursor pulled in LiteLLM as a transitive dependency and caused a RAM crash. According to Karpathy, that bug may have prevented a longer undetected run.
As Karpathy put it, the episode may prompt a rethink of dependency-heavy development: developers may become more reluctant to rely on packages and instead prefer to use LLMs to "yoink" functionality when tasks are simple enough.
Sources: International Cyber Digest, Rohan Mukherjee's post, Andrej Karpathy's post