<![CDATA[(socket.dev) Large-Scale npm Supply Chain Attack Targets TanStack Packages with Credential-Stealing Malware]]>

<![CDATA[(socket.dev) Large-Scale npm Supply Chain Attack Targets TanStack Packages with Credential-Stealing Malware]]>(socket.dev) Large-Scale npm Supply Chain Attack Targets TanStack Packages with Credential-Stealing Malware

New large-scale npm supply chain attack targets @tanstack packages with credential-stealing malware. 84 compromised packages detected, exfiltrating CI/CD secrets via obfuscated payloads.

In brief - The Mini Shai-Hulud campaign compromised 84 @tanstack npm packages, embedding malware that steals GitHub Actions tokens and environment variables. Over 12M weekly downloads amplify risk to CI/CD pipelines and developer workstations. TanStack has begun mitigation by unpublishing affected versions.

Technically - Attackers inserted heavily obfuscated `router_init.js` into packages, using string-array rotation, control-flow flattening, and spawn-based daemonization to exfiltrate `GITHUB*` env vars. Malicious `tanstack_runner.js` executed via npm `prepare` hook, exploiting orphaned GitHub commits to bypass OIDC token protections. Payload detected within 6 minutes of publication, indicating active monitoring of the attack chain.

Source: https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

#Cybersecurity #ThreatIntel

]]>https://board.circlewithadot.net/topic/cfad3538-ec8e-4c7a-ad28-9629340644f2/socket.dev-large-scale-npm-supply-chain-attack-targets-tanstack-packages-with-credential-stealing-malwareRSS for NodeFri, 15 May 2026 02:53:38 GMTMon, 11 May 2026 21:03:06 GMT60