How to read an advisory
Each advisory carries one of the following statuses:

| Status | Meaning |
|---|---|
| Investigating | Para is aware of the event and is actively assessing potential impact. |
| Resolved — No Impact | Assessment complete. No Para systems, build artifacts, or shipped SDKs were affected. |
| Resolved — Action Taken | Assessment complete. Para was affected to some degree and has remediated; the entry describes what we did and any action customers should take. |
Advisories
Status: Resolved — No Impact

Summary: On May 11, 2026, an attacker published 84 malicious versions across 42 @tanstack/* npm packages. The compromise was part of the self-propagating "Mini Shai-Hulud" worm, which affected 160+ npm and PyPI packages across multiple organizations. The publishing path was GitHub Actions cache poisoning and theft of an OIDC publishing token, not stolen npm credentials, so rotating npm passwords alone would not have prevented it. See the postmortem for the full technical write-up.

Para's assessment: Para's Web SDK depends on several @tanstack/* packages, so we reviewed our exposure immediately. Para pins exact resolved dependency versions in committed lockfiles, and none of the compromised versions were ever resolved or installed in our builds or CI. No Para systems, build artifacts, or published SDK releases were affected.

Customer action: None required to continue using Para. If you install @tanstack/* packages directly in your own application, we recommend auditing your lockfiles against the affected versions listed in the postmortem. Check every copy of each package in the lockfile, including nested copies under another dependency's node_modules, not only the top-level entry.

Para updates this page as new ecosystem events are assessed. To report a suspected security issue or ask about a specific advisory or CVE, contact .
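The lockfile audit recommended above, as an added example that is not Para's code or tooling. It walks an npm `package-lock.json` (the flat `packages` map of lockfile v2/v3, or the nested `dependencies` tree of v1), so nested copies of a package are checked as well as top-level ones, and reports every resolved entry whose `name@version` appears in a known-bad list. The affected list, the `@example-scope/*` package names, and both sample lockfiles are constructed placeholders for illustration; substitute the real affected versions from the postmortem.

```javascript
// Added example: audit an npm package-lock.json against a list of known-bad
// package@version pairs. Handles lockfileVersion 1 (nested "dependencies")
// and 2/3 (flat "packages" map). yarn.lock and pnpm-lock.yaml are different
// formats and are not covered here.

// Placeholder list, not real advisory data: replace with the affected
// versions published in the postmortem.
const HYPOTHETICAL_AFFECTED = new Set([
  "@example-scope/widget@1.2.3",
  "@example-scope/widget@1.2.4",
  "@example-scope/gadget@0.9.0",
]);

// Package name from a v2/v3 path such as
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromPath(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// v1 lockfiles nest transitive deps under each entry's "dependencies".
function* walkV1(deps, prefix) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}/${name}`;
    yield { name, version: entry.version, path, resolved: entry.resolved };
    if (entry.dependencies) {
      yield* walkV1(entry.dependencies, `${path}/node_modules`);
    }
  }
}

// Yield every resolved package in the lockfile, whatever its version.
// v2 lockfiles carry both "packages" and a legacy "dependencies" tree;
// prefer "packages" so nothing is counted twice.
function* walkLockfile(lock) {
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue; // "" is the root project
      yield {
        name: entry.name || nameFromPath(path),
        version: entry.version,
        path,
        resolved: entry.resolved,
      };
    }
  } else if (lock.dependencies) {
    yield* walkV1(lock.dependencies, "node_modules");
  }
}

// Return every lockfile entry that matches the affected list.
function auditLockfile(lock, affected = HYPOTHETICAL_AFFECTED) {
  const hits = [];
  for (const dep of walkLockfile(lock)) {
    if (affected.has(`${dep.name}@${dep.version}`)) hits.push(dep);
  }
  return hits;
}

// Constructed v3 lockfile: one clean top-level copy of widget, one bad
// nested copy, and a bad top-level gadget.
const SAMPLE_LOCK_V3 = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@example-scope/widget": { version: "1.2.2" },
    "node_modules/@example-scope/gadget": { version: "0.9.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/some-lib": { version: "4.0.0" },
    "node_modules/some-lib/node_modules/@example-scope/widget": { version: "1.2.3" },
  },
};

// Constructed v1 lockfile with one bad top-level entry.
const SAMPLE_LOCK_V1 = {
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "@example-scope/widget": {
      version: "1.2.4",
      dependencies: { "left-pad": { version: "1.3.0" } },
    },
  },
};

// CLI use: node audit-lockfile.js path/to/package-lock.json
const lockPath = process.argv[2];
if (lockPath) {
  const fs = require("node:fs");
  const lock = JSON.parse(fs.readFileSync(lockPath, "utf8"));
  for (const hit of auditLockfile(lock)) {
    console.log(`AFFECTED ${hit.name}@${hit.version} at ${hit.path}`);
  }
}

module.exports = { auditLockfile, walkLockfile, SAMPLE_LOCK_V3, SAMPLE_LOCK_V1 };
```

Run it in CI against the committed lockfile rather than a freshly generated one, and install with `npm ci`, which installs exactly what the lockfile resolves and fails if the lockfile and package.json disagree; `npm install` can silently rewrite the lockfile and resolve a newer, possibly malicious, version.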