Long-form analyses of supply-chain attacks, infrastructure, and the defenses that hold. By the engineers at Happyberg Labs.https://happyberg.com/en-ushttps://happyberg.com/blog/tanstack-mini-shai-hulud/https://happyberg.com/blog/tanstack-mini-shai-hulud/On May 11, 2026, malicious npm artifacts were signed by TanStack's legitimate OIDC pipeline. Sigstore verified them. Every signature check we built for this case returned green. Here is what happened, what failed, and the one defense that still works.Wed, 13 May 2026 00:00:00 GMTsupply-chainnpmshai-huludtanstackprovenancerelease-age