Question: Is TAP (Tanzu Application Platform) vulnerable to the Shai-Hulud attack?
None of the TAP components are vulnerable to the NPM malware attack.
Question: How to detect the attack?
You can follow this KB to configure Trivy/Grype scanning to scan npm packages and detect the attack.
Steps to configure Trivy/Grype scanning to detect the attack:
1. Install scanning on a TAP cluster so that software is scanned by Trivy/Grype (refer to Install Supply Chain Security Tools - Scan 2.0 in a cluster).
2. Use Trivy to scan npm packages (setting up Trivy); it will alert on usage of a compromised npm package in deliverable software.
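To act on the scan results from the steps above, the following added example (not part of the original KB or of TAP) filters a Trivy JSON report, as written by `trivy fs --format json`, down to findings in npm-ecosystem targets so that a pipeline step can fail on them. The sample report is constructed, its package names and advisory IDs are placeholders, and the function names `npm_findings` and `gate` are hypothetical.

```python
import json

# Trivy result types reported for Node.js lockfiles and installed packages.
NODE_TYPES = {"npm", "yarn", "pnpm", "node-pkg"}
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of a Trivy JSON report; package names and
# advisory IDs are placeholders, not real indicators.
SAMPLE_REPORT = json.dumps({"SchemaVersion": 2, "Results": [
    {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm",
     "Vulnerabilities": [
         {"VulnerabilityID": "GHSA-xxxx-xxxx-0001", "PkgName": "example-pkg-a",
          "InstalledVersion": "1.2.3", "Severity": "CRITICAL"},
         {"VulnerabilityID": "GHSA-xxxx-xxxx-0002", "PkgName": "example-pkg-b",
          "InstalledVersion": "4.0.0", "Severity": "LOW"}]},
    # Trivy omits the "Vulnerabilities" key when a target is clean.
    {"Target": "web/yarn.lock", "Class": "lang-pkgs", "Type": "yarn"},
    # OS package finding: outside the npm ecosystem, so it is filtered out.
    {"Target": "alpine 3.19", "Class": "os-pkgs", "Type": "alpine",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-00000", "PkgName": "example-os-pkg",
          "InstalledVersion": "1.0", "Severity": "CRITICAL"}]}]})


def npm_findings(report_text, min_severity="HIGH"):
    """Return npm-ecosystem findings at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    findings = []
    for result in json.loads(report_text).get("Results") or []:
        if result.get("Type") not in NODE_TYPES:
            continue
        for vuln in result.get("Vulnerabilities") or []:
            sev = vuln.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank >= threshold:
                findings.append({"target": result.get("Target"),
                                 "package": vuln.get("PkgName"),
                                 "version": vuln.get("InstalledVersion"),
                                 "id": vuln.get("VulnerabilityID"),
                                 "severity": sev})
    return findings


def gate(report_text, min_severity="HIGH"):
    """Exit code for a pipeline step: 1 if any finding remains, else 0."""
    return 1 if npm_findings(report_text, min_severity) else 0


if __name__ == "__main__":
    for f in npm_findings(SAMPLE_REPORT):
        print("{severity} {id} {package}@{version} in {target}".format(**f))
```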