TanStack npm Supply-Chain Attack Hacks CI Credentials

Emy Elsamnoudy
May 12, 2026

A significant supply-chain compromise has impacted the popular TanStack ecosystem, affecting 84 npm package artifacts within its namespace. This attack, which reportedly involved the compromise of continuous integration (CI) credentials, poses a serious threat to downstream projects relying on these widely used development tools.

The malicious versions, published to the npm registry at approximately 19:20 and 19:26 UTC, contain a suspected credential-stealing payload targeting CI systems, including GitHub Actions.

According to Socket, the compromise spans 42 TanStack packages with two malicious versions each, including widely used libraries such as @tanstack/react-router, which alone receives over 12 million weekly downloads.

Given how heavily these packages are consumed both directly and transitively across the JavaScript ecosystem, the potential blast radius of this attack is exceptionally large.

Severity is rated HIGH, with the payload capable of exfiltrating AWS, GCP, Kubernetes, and HashiCorp Vault credentials, GitHub tokens, SSH keys, and .npmrc contents.

Every compromised package version contains a newly injected router_init.js file, approximately 2.3 MB in size.

The file employs aggressive obfuscation consistent with the javascript-obfuscator tool, including string-array rotation, hex-encoded identifier lookups such as _0x253b, control-flow flattening inside while(!![]){} state machines, and dead-code injection. This pattern is clearly distinct from the output of standard minifiers like Terser or esbuild.

Functionally, the payload features spawn-based daemonization with a _DAEMONIZED re-entrancy guard, direct access to GITHUB_* environment variables including CI tokens and actor identity, temp-directory staging with a full read/write/unlink lifecycle, and remote streaming and dispatch operations designed to exfiltrate harvested secrets.

TanStack npm Packages Hacked

The malicious package versions also introduce an optionalDependencies field in package.json pointing to a suspicious standalone commit hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c in the TanStack/router GitHub repository.

That commit has no parent history and introduces only a package.json and a bundled tanstack_runner.js payload.

Critically, the package.json registers a prepare lifecycle hook executing bun run tanstack_runner.js && exit 1, meaning arbitrary code runs automatically on developer workstations or CI runners during installation.

TanStack’s own postmortem reveals the attack chain involved three chained GitHub Actions abuse techniques: the pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime memory extraction of an OIDC token from the Actions runner process. No npm tokens were stolen.

Instead, malicious publishers were authenticated via the project’s OIDC trusted-publisher binding after attacker-controlled code executed during the workflow’s test and cleanup phase, posting packages directly to npm.

The malicious commit was authored by a GitHub account voicproducoes, whose public repositories include a project named “A Mini Shai-Hulud has Appeared,” a phrase linked to recent large-scale npm malware campaigns, strongly suggesting account takeover.

TanStack has deprecated all 84 affected versions with a SECURITY warning and engaged npm security to pull the malicious tarballs at the registry level.

GitHub Actions cache entries have been purged, and hardening changes have been merged to restructure the vulnerable workflow, add repository-owner guards, and pin third-party action references.

Any developer who installed a @tanstack/* package between 19:20 and 19:30 UTC should treat the host as potentially compromised.

Immediate steps include rotating all cloud, GitHub, and SSH credentials; auditing cloud logs for suspicious activity; and reinstalling from a clean lockfile pinned to a known-good version.

Any package version containing "@tanstack/setup": "github:tanstack/router#79ac49ee..." in its optionalDependencies field should be considered malicious.
