Critical Supply Chain Attack on TanStack NPM Packages Exposes CI Credentials
Key Takeaways A significant supply chain attack compromised 84 npm package artifacts within the popular TanStack ecosystem. The attack leveraged compromised CI credentials, specifically GitHub...
Key Takeaways
- A significant supply chain attack compromised 84 npm package artifacts within the popular TanStack ecosystem.
- The attack leveraged compromised CI credentials, specifically GitHub Actions, to inject credential-stealing malware into widely used libraries.
- The malicious payload is designed to exfiltrate sensitive credentials, including AWS, GCP, Kubernetes, HashiCorp Vault, GitHub tokens, and SSH keys.
- All affected versions have been deprecated, and a fix is available by updating to clean versions and rotating credentials.
The TanStack development ecosystem, a widely adopted suite of JavaScript tools, has been hit by a critical supply chain attack affecting 84 npm package artifacts. This sophisticated compromise involved the infiltration of continuous integration (CI) systems, specifically GitHub Actions, leading to the publication of malicious versions of popular TanStack libraries containing credential-stealing malware.
Table Of Content
The incident, which saw malicious packages uploaded to the npm registry between approximately 19:20 and 19:26 UTC, poses a severe risk to countless downstream projects that integrate these tools. The payload specifically targeted CI environments, indicating an intent to harvest sensitive operational credentials.
According to research by Socket, the compromise affected 42 distinct TanStack packages, with two malicious versions published for each. Prominent libraries like @tanstack/react-router, which alone boasts over 12 million weekly downloads, were among those impacted. The extensive reach and transitive dependencies of these packages within the JavaScript ecosystem suggest a potentially massive blast radius for this attack.
The severity of this compromise is rated as HIGH. The injected malware is capable of exfiltrating a broad range of critical credentials, including those for AWS, GCP, Kubernetes, and HashiCorp Vault, alongside GitHub tokens, SSH keys, and the contents of .npmrc files.
Each compromised package version contained an illicitly added file named router_init.js, weighing in at approximately 2.3 MB. This file exhibited heavy obfuscation, consistent with the javascript-obfuscator tool. Its characteristics included string-array rotation, hex-encoded identifier lookups (e.g., _0x253b), control-flow flattening through while(!![]){} state machines, and the injection of dead code. This obfuscation technique clearly differentiates it from standard minifiers such as Terser or esbuild.
Functionally, the payload was designed for stealth and persistence. It featured spawn-based daemonization with a _DAEMONIZED re-entrancy guard to prevent multiple executions. It directly accessed GITHUB_* environment variables, including CI tokens and actor identities, to facilitate its operations. The malware also employed a temporary directory for staging, with a full read, write, and unlink lifecycle, and incorporated remote streaming and dispatch mechanisms to exfiltrate the collected secrets.
Attack Chain and GitHub Actions Abuse
The malicious package versions also introduced an optionalDependencies field in their package.json files, pointing to a suspicious standalone commit hash 79ac49eedf774dd4b0cfa308722bc463cfe5885c within the TanStack/router GitHub repository. This commit lacked parent history and solely introduced a package.json and a bundled tanstack_runner.js payload.
A critical element of this attack was the registration of a prepare lifecycle hook in the malicious package.json, executing bun run tanstack_runner.js && exit 1. This command ensured that arbitrary code would run automatically on developer workstations or CI runners during package installation.
TanStack’s own postmortem analysis revealed a sophisticated attack chain involving three distinct GitHub Actions abuse techniques. These included the pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning that exploited the fork-to-base trust boundary, and runtime memory extraction of an OpenID Connect (OIDC) token directly from the Actions runner process. Notably, no npm tokens were compromised in this incident.
Instead, the malicious publishers authenticated to npm via the project’s OIDC trusted-publisher binding. This was achieved after attacker-controlled code executed during the workflow’s test and cleanup phases, enabling the direct publication of the compromised packages to npm.
The malicious commit was attributed to a GitHub account named voicproducoes. Public repositories associated with this account include a project titled “A Mini Shai-Hulud has Appeared,” a phrase previously linked to large-scale npm malware campaigns, strongly suggesting an account takeover.
In response, TanStack has deprecated all 84 affected package versions, issuing a SECURITY warning, and has collaborated with npm security to remove the malicious tarballs from the registry. GitHub Actions cache entries related to the incident have been purged. Furthermore, hardening measures have been implemented, including restructuring the vulnerable workflow, adding repository-owner guards, and pinning third-party action references to enhance security.
What You Should Do
- Any developer who installed a
@tanstack/*package between approximately 19:20 and 19:30 UTC on the day of the attack should immediately consider their host potentially compromised. - Rotate all cloud, GitHub, and SSH credentials that may have been exposed through CI systems or local development environments.
- Thoroughly audit cloud logs for any suspicious or unauthorized activity.
- Reinstall all affected packages from a clean lockfile, ensuring they are pinned to known-good, non-malicious versions.
- Check your
package.jsonfiles for any@tanstack/*package versions containing"@tanstack/setup": "github:tanstack/router#79ac49ee..."in theiroptionalDependenciesfield; these should be considered malicious.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.