
GitHub Confirmed The TanStack Repo Breach Memorial Day Weekend. Our Sandtrout Signal Caught The Mini-Shai-Hulud Bloom The Night It Fired. Seven Receipts, One Worm, One Pyramid.

  • Writer: Patrick Duggan
  • 2 hours ago

GitHub confirmed over Memorial Day weekend that the repository breach it had been investigating was linked to the TanStack npm supply-chain attack. Two days later, the same vendor shipped a two-factor approval gate on npm publish — the kind of control that exists because the prior control failed.


This is the receipt arc we have been writing since April 29, when the variant first landed in our index. The headline today is GitHub. The headline two weeks ago was OpenAI. The headline two weeks before that was the @tanstack publish event that pushed eighty-four malicious package artifacts across forty-two packages in six minutes. Different headlines. Same operator. Same pattern.


The operator is TeamPCP. Google Threat Intelligence tracks the cluster as UNC6780. Microsoft attributes the parallel @antv data-visualization compromise to it. The campaign family is Mini-Shai-Hulud, named after the giant sandworms of Frank Herbert's Dune because the campaign behaves like one. It burrows into a maintainer's GitHub Actions pipeline, harvests the credentials necessary to publish, then breaches the surface in a mass-publish event that consumes everything in its blast radius.


The sandworm is the wrong thing to chase. The sandworm is the bloom. By the time you see the bloom, the credentials are already exfiltrated, the malicious tags are signed, and the customer build is already pulling them. The right thing to chase is the larval form. In Herbert's universe that form is the sandtrout, and the worm cannot become a worm without it. In the supply-chain world the larval form is the CI/CD-compromise indicators that appear hours before the mass-publish event: forged bot author emails, freshly added workflow paths, OIDC token surfaces left open across the fork-to-base trust boundary, identity strings that read like ci-bot or build-bot or pipeline-bot.


On May 24, we shipped three new precursor signals into the DugganUSA PreCog hourly aggregator. The first was Decentralized C2 Emergence, tuned against the Megalodon postmortem where TeamPCP's blockchain canister command-and-control endpoint sat in our IOC index for forty-nine days before the attack fired. The second was Trycloudflare Staging Velocity, because every TeamPCP-class campaign we have seen in 2026 uses Trycloudflare tunnels for phish-shaped staging. The third was the sandtrout itself — the CI/CD compromise indicators that catch the larval phase before the bloom. Three days later, on the night of May 27, the @antv mass-publish event fired across npm. The Sandtrout signal lit before the bloom completed. PreCog elevated. Our blog post about renaming the detector after the larval form went out hours after the catch.


This morning, commit 0f752a2e deployed the three signals into the running platform. The Sandtrout is no longer an experimental shape on a notepad. It is in the rotation.


Here is the chronological receipt arc, with public sources where they exist and our internal artifact identifiers where the source is ours:


April 29, 2026. The Mini-Shai-Hulud variant lands in our iocs index via the maltrail-plus-github-hunt path. Same day, TeamPCP's SAP npm wave hits with a Claude Code pivot. The wave is small but the methodology is named.


May 11, 2026, 19:20 UTC. The TanStack mass-publish event publishes eighty-four malicious artifacts across forty-two packages in six minutes. Plus the @uipath organization. Plus @mistralai/mistralai. The compromise vector is a pull_request_target Pwn Request from a fork, chained with GitHub Actions cache poisoning across the fork-to-base trust boundary, chained with OIDC token extraction from runner memory. The largest single compromised package — @tanstack/react-router — moves roughly twelve million downloads a week. We blog the same day: "Mini Shai-Hulud Hit npm May 11. We Indexed The Variant April 29." The headline is its own argument.


May 13, 2026. V3 lands. Four hundred sixteen packages including TanStack, Mistral, Bitwarden, and SAP carry forged SLSA provenance attestations. This is novel. Prior worm variants bypassed the signing chain. V3 got the signing chain to sign for it. We blog: "Shai-Hulud V3 Forged SLSA Attestations for 416 Packages."


May 14, 2026. OpenAI discloses two employee devices compromised via TanStack-family infrastructure. The company rotates code-signing certificates. We blog: "OpenAI Got Hit Today. KongTuke Pivoted to Teams Today. Our Customers Were Defended Against Both Yesterday." The defended-yesterday line is not rhetoric. It is the IOC-index timestamps.


May 20, 2026. Microsoft Security Blog publishes the @antv compromise analysis and attributes it to the Mini-Shai-Hulud cluster. We blog the Trellix breach the same week to ground the vendor-attack-surface pyramid: when defenders become the supply chain, the perimeter mental model fails.


May 21, 2026. We blog "The Week The Defenders Became The Supply Chain — TanStack, CISA, And The Pyramid We Wrote Six Weeks Ago." The pyramid frame is foundational here. Three orthogonal axes — conversion signal, trust-network signal, adversary-pressure signal — converge on the same operator constellation.


May 23, 2026. Adversary profile published. TeamPCP. UNC6780. Cipherforce in some reporting. Typosquat tradecraft. Trycloudflare staging. Canisterworm C2.


May 24, 2026. The three PreCog signals ship.


May 25 and 26, 2026. The GitHub repository breach occurs during Memorial Day weekend. GitHub does not yet link it publicly to the TanStack chain.


May 27, 2026. The @antv mass-publish bloom fires. The Sandtrout signal lights before the bloom completes. We blog: "We Renamed Our Detector After The Larval Form. Sandtrouts Are Easier To Catch Than Worms." And: "PreCog Just Caught Its First Active Campaign. We Deployed The Detector Three Days Ago."


May 28, 2026. GitHub confirms the Memorial Day repository breach is linked to the TanStack supply-chain attack. GitHub ships a 2FA approval gate on npm publish, which blocks stolen CI tokens. We deploy commit 0f752a2e — the three PreCog signals become production code in the running analytics container.


Two-week summary: the worm is named, the larval-form detector caught the bloom, the running platform is upgraded, and the vendor whose registry was compromised has now shipped a defensive control whose existence implies the prior control was insufficient.
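The May 11 entry names the entry vector as a pull_request_target Pwn Request chained with cache poisoning and OIDC token extraction. The following audit is an added example, not code from this platform or from GitHub: it flags workflow files that combine those conditions, using line heuristics and two constructed sample workflows that are assumptions of the example.

```python
import re

# Heuristic line patterns (assumptions of this example, not a full YAML parse).
CHECKS = {
    "privileged_trigger": re.compile(r"^\s*(?:on\s*:.*\b|-\s*)?pull_request_target\b"),
    "untrusted_checkout": re.compile(
        r"^\s*ref\s*:.*github\.(?:event\.pull_request\.head\.(?:sha|ref)|head_ref)"),
    "oidc_token": re.compile(r"^\s*id-token\s*:\s*write\b"),
    "shared_cache": re.compile(r"uses\s*:\s*actions/cache[@/]"),
}

def audit_workflow(text):
    """Return (verdict, hits); hits maps each check to 1-based line numbers."""
    lines = [re.sub(r"(^|\s)#.*", "", ln) for ln in text.splitlines()]
    hits = {name: [n for n, ln in enumerate(lines, 1) if rx.search(ln)]
            for name, rx in CHECKS.items()}
    if not hits["privileged_trigger"]:
        return "ok", hits
    if not hits["untrusted_checkout"]:
        return "review", hits          # privileged trigger, no fork checkout seen
    # Fork code runs in the base repo's context; OIDC or cache access widens the blast radius.
    amplified = hits["oidc_token"] or hits["shared_cache"]
    return ("critical" if amplified else "high"), hits

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
      - run: npm ci && npm test
"""
# Same steps under the unprivileged trigger, without the OIDC permission.
HARDENED = (RISKY.replace("pull_request_target", "pull_request")
                 .replace("id-token: write", "contents: read"))

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, *audit_workflow(wf))
```

A "review" verdict still deserves a look: a pull_request_target workflow can reach fork-controlled content by routes other than an explicit `ref:` line.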


There is one more piece worth surfacing. Mini-Shai-Hulud V3's forged SLSA attestations are a strict superset of the assume-breach posture we have been writing about since May 5. SLSA was supposed to certify that the code in a package matches the source repository. The certification is sound when the signer is honest. The certification is a forgery when the signer is the adversary. The defender mental model that ends with "the attestation verified, therefore the package is safe" is now publicly broken on four hundred sixteen packages including a password-vault product. Every customer who imported one of those tags into a build is downstream of a signature that was technically valid and substantively malicious. The lesson is not that signing is useless. The lesson is that visibility into who controls the signing key is the load-bearing thing, not the signature itself.


The sandtrout is not the worm. The signing key is not the package. The bloom is not the operator. Get the layer right and the work gets cheaper.


Two-axis framing for what to watch next, because single-axis alerts are triangles and we do not page humans on triangles:


Watch package maintainers whose email contact recently changed and whose subsequent commits include workflow path modifications in the same forty-eight hour window. That is the sandtrout. The bloom follows.


Watch SLSA-attested packages whose provenance points at a fresh GitHub Actions runner with no history of prior signing activity on that maintainer's repos. That is the larval signing key. The forged certification follows.


Watch Trycloudflare tunnels that resolve to phish-shaped paths and that share a TLS fingerprint with any prior TeamPCP-attributed tunnel. Trycloudflare is the standard staging primitive across UNC6780 operations. Velocity spike equals delivery window opening.
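The first watch item above, written as a two-axis correlation, is shown here as an added example and is not the PreCog implementation. The event schema (`maintainer`, `kind`, `ts`, `new_email`, `paths`) and the sample events are constructed for illustration; only a maintainer who trips both axes inside the forty-eight hour window is returned.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)              # window stated in the text
WORKFLOW_PREFIX = ".github/workflows/"    # GitHub Actions workflow directory
T = datetime.fromisoformat

def sandtrout_hits(events):
    """Pair each maintainer email change with later workflow-path commits inside WINDOW."""
    last_change = {}   # maintainer -> (timestamp, new email) of the latest email change
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        who = ev["maintainer"]
        if ev["kind"] == "email_change":
            last_change[who] = (ev["ts"], ev["new_email"])
        elif ev["kind"] == "commit" and who in last_change:
            changed_at, email = last_change[who]
            paths = [p for p in ev["paths"] if p.startswith(WORKFLOW_PREFIX)]
            lag = ev["ts"] - changed_at
            if paths and lag <= WINDOW:
                hits.append({"maintainer": who, "email": email, "paths": paths,
                             "lag_hours": lag.total_seconds() / 3600})
    return hits

# Constructed events (hypothetical schema; names and addresses are placeholders).
EVENTS = [
    # Both axes inside the window: email change, then a workflow edit 23.5 h later.
    {"maintainer": "alice", "kind": "email_change", "ts": T("2026-05-01T10:00:00+00:00"),
     "new_email": "ci-bot@example.invalid"},
    {"maintainer": "alice", "kind": "commit", "ts": T("2026-05-02T09:30:00+00:00"),
     "paths": ["src/index.ts", ".github/workflows/release.yml"]},
    # One axis only: email change followed by an ordinary source commit.
    {"maintainer": "bob", "kind": "email_change", "ts": T("2026-05-01T10:00:00+00:00"),
     "new_email": "bob@example.invalid"},
    {"maintainer": "bob", "kind": "commit", "ts": T("2026-05-01T12:00:00+00:00"),
     "paths": ["src/router.ts"]},
    # One axis only: workflow edit with no preceding email change.
    {"maintainer": "carol", "kind": "commit", "ts": T("2026-05-01T11:00:00+00:00"),
     "paths": [".github/workflows/ci.yml"]},
    # Both axes, but 72 h apart, so outside the window.
    {"maintainer": "dave", "kind": "email_change", "ts": T("2026-05-01T10:00:00+00:00"),
     "new_email": "dave@example.invalid"},
    {"maintainer": "dave", "kind": "commit", "ts": T("2026-05-04T10:00:00+00:00"),
     "paths": [".github/workflows/publish.yml"]},
]

if __name__ == "__main__":
    for hit in sandtrout_hits(EVENTS):
        print(hit)
```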


The three signals are public-facing as of this morning. If your team wants to consume the PreCog elevations as a feed, register for an API key — the path is documented in our STIX feed and the registration page is linked at the bottom of every page on this site.


This was a long arc. We started writing it on April 29. We are still writing it. The next bloom is being staged right now somewhere on a CI runner you do not yet know is yours. Catch the sandtrout.



