A single PR just hijacked the NPM registry...
Credibility score: 86/100 — Highly Credible. This video is highly credible with well-supported claims.
Claims analyzed
100+ NPM packages compromised in 6 mins via PR, 50M downloads/week, no phishing/tokens stolen, via trusted publishing — Solid (85/100)
👌✅
Mini Shai-Hulud virus struck again in sophisticated Tanstack attack on May 14, 2026 — Just Vibes (50/100)
Rodent poop cruise virus vs Mini Shai-Hulud — wild intro 😂
Fork PR poisoned GitHub Actions shared cache — Verified (95/100)
✅
Unrelated PR triggered poison, hit 84 TanStack packages — Verified (92/100)
👌
Victims: Mistral AI, UiPath, OpenSearch, Guardrails AI, Squawk — Solid (88/100)
✅
Aikido tracked 373 poisoned versions in 169 packages — Verified (96/100)
💯
Sentry sponsor: Shipped Seer Agent for AI issue investigation — Sponsored (50/100)
Sponsor read: Sentry Seer Agent beta 🚀
Malware checks tokens every 60s, wipes root if expired — Verified (94/100)
😤✅
See the full analysis with sources and timestamps →