Categories: Cyber Security News

Cybercriminals Abuse Tanstack Package To Target Developer Environments

A dangerous new supply chain attack has hit the developer community. A malicious threat actor registered the name “tanstack” on the npm registry, pretending to be part of the popular TanStack software project.

However, instead of downloading the advertised helpful video player tool, developers who installed this fake package had their sensitive environment files stolen almost instantly.

How the Fake Package Steals Data

The real TanStack project, known for tools like TanStack Query, uses scoped names like @tanstack/query and safely receives millions of weekly downloads.

The attacker exploited the unused, regular “tanstack” name. They built a fake product called “TanStack Player” to look legitimate, complete with fake sponsorship badges, download counters, and code examples.

On April 29, 2026, the attacker released four quick updates (versions 2.0.4 through 2.0.7) in under 30 minutes.

{
  "package": "tanstack",
  "version": "2.0.x",
  "event": "postinstall",
  "readme": "<contents of .env>",
  "agents": "<contents of .env.local>",
  "timestamp": "...",
  "node": "v22.x.x",
  "platform": "linux",
  "arch": "x64"
}

These versions included a hidden script called a postinstall hook. This script runs silently and automatically as soon as a developer types the install command.

Once running, the script quietly searches the developer’s computer for environment files, such as .env and .env.local.

These files usually contain highly sensitive secrets, including AWS cloud keys, database passwords, and API tokens for services such as OpenAI or Stripe.

To avoid being blocked by standard security firewalls, the stolen data is sent to a legitimate third-party service called Svix.

The attacker abused Svix’s webhook feature to receive the stolen files. By reviewing the version history, researchers noticed that the attacker was actively testing the malware in real time.

In version 2.0.6, the attacker updated the script to sweep for every possible environment file, including production and staging setups, ensuring maximum theft.

Steps To Detect and Fix the Issue

If you or your automated systems accidentally installed this fake package, you must act fast. Any environment file in your folder during the installation was likely exposed.

First, check your project history. Search your package-lock.json, yarn.lock, or pnpm-lock.yaml files for the unscoped “tanstack” package. You need to look specifically for versions 2.0.4, 2.0.5, 2.0.6, or 2.0.7.

If you find any of these versions in your logs, you must assume your secrets are already in the hands of the attacker. You should immediately:

  • Rotate all credentials stored in your .env files.
  • Change your cloud service keys and check logs for unauthorized access.
  • Revoke and reissue GitHub access tokens and npm publish tokens.
  • Update database passwords and third-party API keys.

Simply deleting the malicious package from your computer is not enough, because the files have already been copied and sent. There are no remaining viruses to clean up, but the stolen data remains a critical risk.
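
The lockfile check described above, as an added example that is not part of the original article: a Node.js scanner for the three lockfile formats that flags the unscoped tanstack package at versions 2.0.4 through 2.0.7 and ignores the scoped @tanstack/* packages. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: flag the unscoped "tanstack" package at the versions the article lists.
const BAD_VERSIONS = new Set(["2.0.4", "2.0.5", "2.0.6", "2.0.7"]);

// package-lock.json, lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanNpmLock(text) {
  const hits = [];
  for (const [path, meta] of Object.entries(JSON.parse(text).packages || {})) {
    // "node_modules/@tanstack/query" yields "@tanstack/query", so scoped packages never match.
    const name = meta.name || path.split("node_modules/").pop();
    if (name === "tanstack" && BAD_VERSIONS.has(meta.version)) hits.push(`${path}@${meta.version}`);
  }
  return hits;
}

// yarn.lock (classic and Berry): an unindented header lists specifiers, a "version" line follows.
function scanYarnLock(text) {
  const hits = [];
  let inTanstack = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      // Matches tanstack@^2 and alias@npm:tanstack@^2, but not @tanstack/query@^5.
      inTanstack = line.replace(/"/g, "").split(/,\s*/).some((s) => /(?:^|@npm:)tanstack@/.test(s));
    } else if (inTanstack) {
      const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
      if (m && BAD_VERSIONS.has(m[1])) hits.push(`tanstack@${m[1]}`);
    }
  }
  return hits;
}

// pnpm-lock.yaml keys: "/tanstack/2.0.6:" (v5), "/tanstack@2.0.6:" (v6), "tanstack@2.0.6:" (v9).
function scanPnpmLock(text) {
  const re = /^[ \t]+['"]?\/?tanstack[@\/](\d+\.\d+\.\d+)[^\d.]/gm;
  return [...text.matchAll(re)].filter((m) => BAD_VERSIONS.has(m[1])).map((m) => `tanstack@${m[1]}`);
}

// Pick the parser from the lockfile's name; an empty array means no listed version was found.
function scanLockfile(filename, text) {
  const scan = { "package-lock.json": scanNpmLock, "yarn.lock": scanYarnLock, "pnpm-lock.yaml": scanPnpmLock }[filename];
  return scan ? scan(text) : [];
}

// Constructed sample lockfiles (not real project data).
const SAMPLES = {
  "package-lock.json": JSON.stringify({ lockfileVersion: 3, packages: {
    "node_modules/@tanstack/query": { version: "5.0.0" }, "node_modules/tanstack": { version: "2.0.6" } } }),
  "yarn.lock": '"@tanstack/query@^5.0.0":\n  version "5.0.0"\n\ntanstack@^2.0.0:\n  version "2.0.5"\n',
  "pnpm-lock.yaml": "packages:\n\n  /@tanstack/query@5.0.0:\n    dev: false\n\n  /tanstack@2.0.7:\n    dev: false\n",
};
for (const [file, text] of Object.entries(SAMPLES)) console.log(file, scanLockfile(file, text));
```

To check a real project, read each lockfile from disk and pass its file name and contents to scanLockfile. Lockfiles in CI caches and build images are worth scanning too, since the article notes automated systems may have installed the package.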


The post Cybercriminals Abuse Tanstack Package To Target Developer Environments appeared first on Cyber Security News.
