The Mini Shai-Hulud Worm: How TeamPCP Poisoned GitHub Actions to Forge SLSA Provenance
7 min read
On May 11, 2026, TeamPCP hijacked TanStack's release pipeline using GitHub Actions cache poisoning and OIDC token memory scraping to forge SLSA Build Level 3 provenance.