A sophisticated supply chain attack has compromised 42 TanStack npm packages, deploying credential-stealing malware that exfiltrates AWS, GitHub, and Kubernetes secrets and is now actively linked to ransomware campaigns.
On May 11, 2026, between 19:20 and 19:26 UTC, in just six minutes, threat actors published 84 malicious package versions across 42 @tanstack/* npm packages, marking one of the most technically advanced open-source supply chain compromises ever recorded.
CISA added the vulnerability, tracked as CVE-2026-45321 (CVSS 9.6), to its Known Exploited Vulnerabilities (KEV) catalog on May 27, 2026, with a remediation deadline of June 10, 2026.
The attack is part of the broader Mini Shai-Hulud campaign, attributed to threat group TeamPCP. It has impacted OpenAI, Mistral AI, GitHub, and over 170 npm and PyPI packages with more than 518 million combined weekly downloads.
What makes CVE-2026-45321 uniquely dangerous is the sophistication of its exploitation chain. The attacker did not steal credentials outright; instead, they hijacked TanStack’s own trusted CI/CD pipeline to publish malware under a legitimate identity.
The attack chained three known GitHub Actions vulnerability classes in sequence:
- Pwn Request (pull_request_target misconfiguration): The attacker forked the TanStack/router repository and opened a malicious pull request that triggered a pull_request_target workflow, executing attacker-controlled code within the base repository’s privileged context
- GitHub Actions cache poisoning: The attacker poisoned the shared pnpm cache across the fork-to-base trust boundary, injecting malicious binaries that were restored when legitimate maintainer pull requests were later merged
- Runtime OIDC token extraction: Attacker-controlled code read the short-lived OIDC token directly from the GitHub Actions runner’s process memory via /proc/<pid>/mem, then exchanged it with npm’s federation endpoint to obtain full publish credentials
The result: 84 malicious packages published in under six minutes, all carrying valid SLSA Build Level 3 provenance attestations from Sigstore.
This is a historic first. Organizations relying on npm provenance verification as their primary supply chain control were unable to detect the compromise, since the attacker hijacked the legitimate build pipeline itself rather than a stolen account.
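Because provenance could not flag this, the workflow definitions themselves are where the first two links of the chain show up. The following is an added example, not code from TanStack or the original article: a heuristic audit that flags a pull_request_target trigger, checkout of the pull request head, cache use in that privileged workflow, and actions not pinned to a commit SHA. The sample workflows, finding names and the all-zero SHA are constructed placeholders.

```python
# Heuristic audit of one GitHub Actions workflow file (text-based, no YAML parser).
import re

USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.M)
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")

def audit_workflow(text: str) -> list[str]:
    """Return finding codes for the workflow text."""
    text = re.sub(r"(?m)[ \t]+#.*$|^#.*$", "", text)  # drop YAML comments (naive)
    findings = []
    if re.search(r"\bpull_request_target\b", text):
        findings.append("privileged-trigger")
        if PR_HEAD.search(text):  # fork code runs with base-repo privileges
            findings.append("checks-out-fork-code")
        if re.search(r"uses:\s*actions/cache@|^\s*cache:", text, re.M):
            findings.append("cache-in-privileged-workflow")
    for ref in USES.findall(text):
        if ref.startswith(("./", "docker://")):
            continue  # local actions and images are out of scope here
        if not re.search(r"@[0-9a-f]{40}$", ref):
            findings.append(f"unpinned-action:{ref}")
    return findings

# Constructed sample: the risky shape described above.
WEAK = """\
on: pull_request_target
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ hashFiles('pnpm-lock.yaml') }}
      - run: pnpm install && pnpm build
"""

PLACEHOLDER_SHA = "0" * 40  # not a real commit; pin to the SHA you have reviewed
HARDENED = """\
on: pull_request
permissions:
  contents: read
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@SHA  # pinned, unprivileged trigger
      - run: pnpm install --frozen-lockfile && pnpm build
""".replace("SHA", PLACEHOLDER_SHA)
```

A clean result only means none of these text patterns matched; reusable workflows and composite actions still need manual review.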
Once installed, the malicious payload executes automatically via npm lifecycle hooks; no user interaction is required. The malware immediately harvests:
- GitHub personal access tokens and npm publish tokens
- AWS credentials via IMDSv2, and GCP/Azure credentials
- Kubernetes service account tokens and HashiCorp Vault tokens
- SSH keys, Docker credentials, and over 80 environment variables and filesystem paths
The worm then leverages the stolen credentials to publish poisoned versions of other packages the victim maintains, creating an exponential chain reaction across the npm ecosystem.
Credential exfiltration operates across three redundant channels: the typosquat domain git-tanstack[.]com, GitHub API dead drops using Dune-themed repository names, and the Session messenger decentralized network, making C2 significantly harder to disrupt.
A particularly destructive component called gh-token-monitor installs a persistent daemon on victim machines. If the daemon detects that a stolen GitHub token has been revoked, typically the first step in any incident response plan, it executes rm -rf ~/, wiping the entire user home directory.
On macOS, it persists via a LaunchAgent plist at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist; on Linux, via a systemd user service at ~/.config/systemd/user/gh-token-monitor.service.
At least four high-profile organizations have publicly confirmed breaches:
| Victim | Confirmed Impact |
|---|---|
| OpenAI | Two employee devices compromised; code-signing certificates for macOS, Windows, iOS, and Android exfiltrated |
| Mistral AI | SDK packages contaminated; alleged source code listed for sale on BreachForums |
| GitHub | ~3,800 internal repositories breached via a trojanized VS Code extension traceable back to TanStack credential theft |
| European Commission | 90+ GB of data exfiltrated in an earlier related wave (Trivy, March 2026) |
CISA’s KEV listing explicitly confirms the vulnerability is known to be used in ransomware campaigns. Unit 42 (Palo Alto Networks) has documented TeamPCP’s partnership with the Vect ransomware group, indicating the credential-harvesting pipeline directly feeds ransomware initial access operations.
Making matters worse, on May 12, 2026, TeamPCP published the Shai-Hulud worm source code on GitHub under an MIT License, triggering a wave of copycat packages, including typosquats like chalk-tempalte and axois-utils.
Mitigation
CISA mandates remediation by June 10, 2026. Organizations should take the following actions immediately:
- Remove the wiper daemon first: Check for gh-token-monitor at the paths above and delete them before revoking any tokens to avoid triggering home directory deletion
- Audit lockfiles and CI logs for any @tanstack/* versions published between 2026-05-11 19:00 UTC and 2026-05-12 and remove them
- Check for persisted payload files in .claude/, .vscode/tasks.json, and files named router_runtime.js or setup.mjs; these survive npm uninstall
- Rotate all credentials on affected machines, including GitHub tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes service accounts, and CI/CD secrets.
- Block C2 infrastructure at DNS/proxy level: git-tanstack[.]com, *.getsession.org, and 83.142.209[.]194
- Upgrade to clean versions of all @tanstack/* packages published after May 12, 2026; the TanStack team confirms all currently available versions are safe
- Harden CI/CD pipelines by replacing pull_request_target with pull_request, pinning GitHub Actions to immutable commit SHAs, and enforcing cache isolation between fork and base workflows
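The first three checks in this list can be run read-only before any token is touched. The script below is an added example, not tooling from CISA, TanStack or the original article; it uses the persistence paths and payload names given on this page, and assumes an npm package-lock.json (v2/v3 layout) in the project directory. It lists pinned @tanstack/* versions for comparison against the publish window rather than deciding which are malicious.

```python
# Read-only triage for the host and project indicators listed in this article.
import json
import sys
from pathlib import Path

PERSISTENCE = [
    "Library/LaunchAgents/com.user.gh-token-monitor.plist",  # macOS
    ".config/systemd/user/gh-token-monitor.service",         # Linux
]
PAYLOAD_NAMES = {"router_runtime.js", "setup.mjs"}
REVIEW_PATHS = [".claude", ".vscode/tasks.json"]  # may be legitimate; inspect contents

def find_wiper(home: Path) -> list[Path]:
    """Return gh-token-monitor persistence files present under `home`."""
    return [home / p for p in PERSISTENCE if (home / p).exists()]

def find_payloads(project: Path) -> list[Path]:
    """Return payload-named files in the project plus paths that need review."""
    hits = [p for p in project.rglob("*") if p.is_file() and p.name in PAYLOAD_NAMES]
    hits += [project / r for r in REVIEW_PATHS if (project / r).exists()]
    return sorted(hits)

def tanstack_pins(lockfile: Path) -> dict[str, str]:
    """Map each @tanstack/* entry in package-lock.json to its pinned version."""
    packages = json.loads(lockfile.read_text()).get("packages", {})
    pins = {}
    for key, meta in packages.items():
        name = key.rpartition("node_modules/")[2]  # handles nested installs
        if name.startswith("@tanstack/") and "version" in meta:
            pins[key] = meta["version"]
    return pins

def triage(home: Path, project: Path) -> int:
    """Print findings; return 1 if the wiper daemon is installed, else 0."""
    wiper = find_wiper(home)
    for path in wiper:
        print(f"[!] wiper persistence: {path} (remove BEFORE revoking tokens)")
    for path in find_payloads(project):
        print(f"[?] review: {path}")
    lock = project / "package-lock.json"
    if lock.is_file():
        for key, version in tanstack_pins(lock).items():
            print(f"[i] {key}@{version}: check publish time against the window")
    return 1 if wiper else 0

if __name__ == "__main__":
    project = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    sys.exit(triage(Path.home(), project))
```

A non-zero exit status means the daemon's persistence file exists, so token revocation should wait until it has been removed.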
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Malicious Domain | git-tanstack[.]com |
| C2 IP Address | 83.142.209[.]194 |
| C2 Network | *.getsession[.]org |
| Persistence File (macOS) | ~/Library/LaunchAgents/com.user.gh-token-monitor.plist |
| Persistence File (Linux) | ~/.config/systemd/user/gh-token-monitor.service |
| Payload Files | router_runtime.js, setup.mjs |
| Affected Versions | 84 versions across 42 @tanstack/* packages (May 11, 2026 19:20–19:26 UTC) |
FAQ
Q1: Is CVE-2026-45321 actively exploited?
Yes, CISA added it to the KEV catalog on May 27, 2026, and it has been confirmed to be used in ransomware campaigns, with a mandatory remediation deadline of June 10, 2026.
Q2: Are current TanStack npm packages safe to install?
Yes, TanStack confirmed that all package versions currently available on npm (published after May 12, 2026) are clean and safe to use.
Q3: Why did npm provenance attestations fail to detect this attack?
The attacker hijacked TanStack’s legitimate GitHub Actions pipeline itself rather than using a stolen account, meaning the malicious packages carried valid SLSA Build Level 3 attestations from Sigstore and passed all cryptographic verification checks.
Q4: Who is behind the Mini Shai-Hulud campaign?
The attack is attributed to TeamPCP, also tracked by Google as UNC6780 and by others as DeadCatx3 and CipherForce, a financially motivated cybercriminal group with confirmed ties to the Vect ransomware operation.