Massive Supply Chain Breach Hits 84 npm Packages in TanStack Ecosystem
A sophisticated supply chain attack compromised 84 npm packages within the widely used TanStack ecosystem, including high-profile libraries like React Router (12M+ weekly downloads). The breach, part of the Mini Shai-Hulud malware campaign, targeted continuous integration (CI) environments such as GitHub Actions, injecting a credential-stealing tool designed to evade detection.
Security firm Socket detected the malicious packages within six minutes of publication using an AI-powered scanner. The attack extended beyond npm, infecting Python packages like OpenSearch, Mistral AI, Guardrails AI, and UiPath. A message left by the attackers signed TeamPCP confirmed they had been exfiltrating developer credentials for hours during the investigation.
Attack Mechanics
The malware, embedded in an obfuscated script (router_init.js), acted as a self-propagating worm. Key tactics included:
- Stealth Execution: Detached from terminal sessions, running silently in the background.
- Credential Harvesting: Targeted GitHub Actions tokens, AWS metadata, Kubernetes certificates, and HashiCorp Vault clusters.
- Persistence: Hid copies in VS Code and Claude AI config directories, ensuring reinfection on workspace reopening.
- Exfiltration: Used the Session peer-to-peer network to blend stolen data with encrypted messaging traffic.
The attack leveraged a malicious optionalDependencies block in package.json, pointing to a compromised GitHub commit. During npm install, a prepare lifecycle hook executed tanstack_runner.js, triggering the payload.
Chained GitHub Actions Exploit
TanStack’s postmortem revealed the breach stemmed from a chained attack on their GitHub Actions pipeline. Attackers exploited a vulnerable pull request target pattern, poisoning the workflow cache to execute malicious code. Instead of stealing static npm tokens, they extracted runtime OpenID Connect tokens from runner memory, enabling legitimate authentication to push compromised updates.
Response & Indicators of Compromise (IOCs)
TanStack deprecated affected versions, purged workflow caches, and implemented stricter repository protections. Key IOCs include:
- Malicious Files:
router_init.js(SHA256:ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c)tanstack_runner.js(SHA256:2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96)
- Network Targets:
hxxp://filev2[.]getsession[.]org/file/(Session P2P exfiltration)- AWS metadata endpoints (
169.254.169.254,169.254.170.2) - GitHub API (
api.github.com/repos/) and npm token validation endpoints.Source: https://gbhackers.com/84-npm-packages-tanstack-hit-by-supply-chain-breach/
Guardrails AI TPRM report: https://www.rankiteo.com/company/guardrails
TanStack TPRM report: https://www.rankiteo.com/company/tanstack
OpenSearch TPRM report: https://www.rankiteo.com/company/opensearch-project
React Router TPRM report: https://www.rankiteo.com/company/tanstack
Mistral AI TPRM report: https://www.rankiteo.com/company/mistralai
UiPath TPRM report: https://www.rankiteo.com/company/uipath
"id": "misuipopetangua1778567093",
"linkid": "mistralai, uipath, opensearch-project, tanstack, guardrails",
"type": "Breach",
"date": "5/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '12M+ weekly downloads (React '
'Router alone)',
'industry': 'Technology',
'name': 'TanStack',
'type': 'Software Development'},
{'customers_affected': '12M+ weekly downloads',
'industry': 'Open Source Software',
'name': 'React Router',
'type': 'npm Package'},
{'industry': 'Technology',
'name': 'OpenSearch',
'type': 'Python Package'},
{'industry': 'Artificial Intelligence',
'name': 'Mistral AI',
'type': 'Python Package'},
{'industry': 'Artificial Intelligence',
'name': 'Guardrails AI',
'type': 'Python Package'},
{'industry': 'Automation',
'name': 'UiPath',
'type': 'Python Package'}],
'attack_vector': 'Malicious npm packages, GitHub Actions pipeline exploit',
'data_breach': {'data_exfiltration': 'Yes (via Session P2P network)',
'personally_identifiable_information': 'Developer credentials',
'sensitivity_of_data': 'High (authentication tokens, '
'infrastructure secrets)',
'type_of_data_compromised': ['GitHub Actions tokens',
'AWS metadata',
'Kubernetes certificates',
'HashiCorp Vault clusters',
'Developer credentials']},
'description': 'A sophisticated supply chain attack compromised 84 npm '
'packages within the widely used TanStack ecosystem, including '
'high-profile libraries like React Router (12M+ weekly '
'downloads). The breach, part of the Mini Shai-Hulud malware '
'campaign, targeted continuous integration (CI) environments '
'such as GitHub Actions, injecting a credential-stealing tool '
'designed to evade detection.',
'impact': {'brand_reputation_impact': 'High (affected widely used libraries '
'like React Router)',
'data_compromised': 'GitHub Actions tokens, AWS metadata, '
'Kubernetes certificates, HashiCorp Vault '
'clusters, developer credentials',
'identity_theft_risk': 'High (developer credentials and PII '
'exfiltration)',
'operational_impact': 'Compromised software supply chain, '
'potential reinfection via config '
'directories',
'systems_affected': 'CI/CD pipelines (GitHub Actions), npm '
'packages, Python packages (OpenSearch, '
'Mistral AI, Guardrails AI, UiPath)'},
'initial_access_broker': {'backdoors_established': 'VS Code and Claude AI '
'config directories',
'entry_point': 'GitHub Actions pipeline, malicious '
'npm packages',
'high_value_targets': 'CI/CD environments, '
'developer credentials'},
'investigation_status': 'Ongoing (malware campaign active during '
'investigation)',
'motivation': 'Credential harvesting, data exfiltration',
'post_incident_analysis': {'corrective_actions': 'Stricter repository '
'protections, purged '
'workflow caches, deprecated '
'affected versions',
'root_causes': 'Vulnerable GitHub Actions pull '
'request target pattern, malicious '
'optionalDependencies in '
'package.json, prepare lifecycle '
'hook execution'},
'references': [{'source': 'Socket Security Firm'},
{'source': 'TanStack Postmortem'}],
'response': {'containment_measures': 'Deprecated affected versions, purged '
'workflow caches',
'enhanced_monitoring': 'AI-powered scanner (Socket)',
'remediation_measures': 'Stricter repository protections, '
'removal of malicious packages',
'third_party_assistance': 'Socket (security firm)'},
'threat_actor': 'TeamPCP',
'title': 'Massive Supply Chain Breach Hits 84 npm Packages in TanStack '
'Ecosystem',
'type': 'Supply Chain Attack',
'vulnerability_exploited': 'Vulnerable pull request target pattern in GitHub '
'Actions, malicious optionalDependencies in '
'package.json, prepare lifecycle hook execution'}