84 npm package artifacts in the TanStack namespace were modified with suspected credential‑stealing malware, researchers at Socket reported — part of a broader supply‑chain assault that touched npm and PyPI packages tied to major developer ecosystems.
Scope: what was changed, when, and who was affected
TanStack said the attacker published 84 malicious versions across 42 @tanstack/* packages on May 11, 2026, between 19:20 and 19:26 UTC. Socket’s analysis described the modifications as targeting continuous integration systems, including GitHub Actions, and noted that at least one affected package, @tanstack/react-router, receives more than 12 million weekly downloads.
The campaign did not begin on May 11. In April, Mini Shai‑Hulud initially targeted SAP‑related packages, and Socket said the activity culminated in its largest wave in mid‑May. Socket also reported additional compromised artifacts beyond TanStack, including OpenSearch npm versions and PyPI packages such as mistralai 2.4.6 and guardrails‑ai 0.10.1, as well as further @squawk packages.
Technique: chained CI abuse — pull_request_target, cache poisoning, and OIDC extraction
TanStack explained the attack “chained the pull_request_target 'Pwn Request' pattern, GitHub Actions cache poisoning and runtime extraction of an OpenID Connect (OIDC) token from runner process memory.” Despite the intrusion, TanStack clarified that “No npm tokens were stolen and the npm publish workflow itself was not compromised.”
Security vendor Wiz added operational detail, saying the payload targets tokens across multiple platforms, including GitHub Actions OIDC, GitLab, CircleCI, AWS, Google Cloud Platform, Azure, Kubernetes, HashiCorp Vault and package registry tokens.
Payload and persistence: router_init.js, @tanstack/setup and a 2.3MB obfuscated payload
The malicious package versions contained a newly added router_init.js file. Socket described the file as a “heavily obfuscated 2.3MB payload” that included daemonization, access to GitHub‑related environment variables, temporary file staging and remote dispatch behavior. Socket also identified an optionalDependencies entry resolving to an orphan commit in the TanStack/router repository that introduced a package named @tanstack/setup and a prepare lifecycle hook, allowing code to execute automatically during installation.
Wiz observed a gh‑token‑monitor daemon running on developer machines that polled GitHub every 60 seconds and could attempt to wipe the user’s home directory if a monitored token was revoked; Wiz said that daemon exited automatically after 24 hours. Wiz additionally reported three exfiltration routes used by the malware: a typosquat domain (git‑tanstack[.]com), a session messenger network, and GitHub API dead drops using stolen tokens.
Supply‑chain attestations and why provenance did not prevent compromise
StepSecurity noted that the compromised packages carried valid SLSA Build Level 3 provenance attestations because the attacker abused a legitimate release pipeline. As StepSecurity put it, “SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended.” In short: a malicious build step can yield an otherwise validly‑attested but harmful package.
What this means for Developers and CI teams, Cloud and platform operators, and Enterprise security
- Developers and CI teams: Any environment that installed an affected version on May 11, 2026 should be treated as compromised, the GitHub Advisory Database warned. It advised rotating credentials reachable from the install process and reviewing cloud audit logs for activity from affected hosts.
- Cloud and platform operators: Wiz’s findings that the payload seeks tokens for AWS, GCP, Azure, Kubernetes and HashiCorp Vault means operators must inspect audit trails for unusual token use and consider emergency rotation of service credentials linked to build and deploy pipelines.
- Enterprise security and procurement: StepSecurity’s observation about SLSA attestations highlights a procurement problem: provenance metadata alone does not guarantee safety. Enterprises will need to pair provenance checks with runtime monitoring and stricter controls on pipeline step integrity.
The Mini Shai‑Hulud wave that hit TanStack underscores a simple but uncomfortable reality: attackers are increasingly focusing on the plumbing of software delivery. The combination of automated CI practices, orchestated token theft, typosquatting and legitimate build pipelines used as vectors means defenders must treat builds and installs as active attack surfaces — and act on the blunt advice already issued by the GitHub Advisory Database: rotate exposed credentials and hunt for post‑compromise activity in cloud logs.
Source: https://www.infosecurity-magazine.com/news/mini-shai-hulud-tanstack-npm/




