Mini Shai-Hulud worm hits npm supply chain, compromising 160+ packages via GitHub Actions cache poisoning
Mini Shai-Hulud has yet again reportedly compromised 160+ packages, including parts of the TanStack and Mistral ecosystems. The interesting part is the attack path: instead of simple typosquatting, it abused GitHub Actions cache poisoning and trusted publishing/OIDC workflows, making the malicious packages appear legitimately built and published.
u/raptorhunter22 — 1 day ago