(socket.dev) Large-Scale npm Supply Chain Attack Targets TanStack Packages with Credential-Stealing Malware
-
A new large-scale npm supply chain attack targets @tanstack packages with credential-stealing malware: 84 compromised packages were detected, each exfiltrating CI/CD secrets via an obfuscated payload.
In brief - The Mini Shai-Hulud campaign compromised 84 @tanstack npm packages, embedding malware that steals GitHub Actions tokens and environment variables. The affected packages' 12M+ combined weekly downloads amplify the risk to CI/CD pipelines and developer workstations. TanStack has begun mitigation by unpublishing the affected versions.
Technically - The attackers inserted a heavily obfuscated `router_init.js` into the packages; it uses string-array rotation, control-flow flattening, and spawn-based daemonization (detaching a child process so the payload keeps running after the hook returns) to exfiltrate `GITHUB*` environment variables. A companion `tanstack_runner.js` was executed via the npm `prepare` lifecycle hook, and the campaign exploited orphaned GitHub commits to bypass OIDC token protections. The payload was detected within 6 minutes of publication, which shows the npm publish stream was under active monitoring.
Source: https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
-
relay@relay.infosec.exchange shared this topic