A major supply-chain attack has struck the TanStack ecosystem, compromising 84 npm package artifacts across 42 widely used JavaScript libraries. Malicious versions containing a credential-stealing payload were briefly published to the npm registry on May 12, 2026, before being removed. Organizations that installed any @tanstack/* package between 19:20 and 19:30 UTC on that date should treat the affected systems as potentially compromised and rotate all credentials immediately.
Scope and Scale of the Attack
The compromised packages include some of the most widely downloaded JavaScript libraries in the npm ecosystem. Packages such as @tanstack/react-router alone receives over 12 million weekly downloads, and many other TanStack packages are similarly ubiquitous. Accounting for transitive dependencies — packages that depend on TanStack packages without developers necessarily being aware — the potential blast radius is exceptionally large.
Security researchers at Socket identified the compromise and rated it HIGH severity. The payload is capable of exfiltrating a broad range of sensitive credentials, including:
- AWS, GCP, Kubernetes, and HashiCorp Vault credentials
- GitHub tokens and CI/CD runner identities
- SSH private keys
.npmrccontents, which often contain publish tokens and registry credentials
What Was Injected Into the Packages
Every compromised package version contains a newly injected file called router_init.js, approximately 2.3 MB in size. This file employs aggressive obfuscation consistent with the javascript-obfuscator tool, featuring string-array rotation, hex-encoded identifier lookups, control-flow flattening, and dead-code injection — a pattern distinctly different from standard minifiers and designed to frustrate reverse engineering.
Functionally, the payload includes:
- Spawn-based daemonization with a re-entrancy guard to ensure persistence
- Direct access to
GITHUB_*environment variables, including CI tokens and workflow actor identity - Temp-directory staging for harvested data with full read/write/unlink lifecycle management
- Remote streaming and dispatch operations to exfiltrate collected secrets to attacker-controlled infrastructure
The malicious package versions also introduced an optionalDependencies field pointing to a suspicious standalone commit in the TanStack/router GitHub repository — a commit with no parent history that introduces only a package.json and a bundled payload script. Critically, this package.json registers a prepare lifecycle hook that executes arbitrary code automatically during npm install, meaning developer workstations and CI runners are both at risk during routine dependency installation.
How the Attack Was Executed: Three Chained GitHub Actions Techniques
TanStack’s own post-incident analysis revealed a sophisticated attack chain involving three chained GitHub Actions abuse techniques:
- The “Pwn Request” pattern: Exploiting the
pull_request_targettrigger, which runs with write access to the base repository even from forked pull requests - GitHub Actions cache poisoning: Injecting malicious content into the Actions cache across the fork-to-base trust boundary, where cache entries are shared
- OIDC token extraction: Extracting a GitHub Actions OIDC token from the runner process’s memory at runtime, enabling the attacker to authenticate as the legitimate publisher
Crucially, no npm tokens were stolen. Instead, the attacker authenticated via TanStack’s OIDC trusted-publisher binding — a legitimate npm feature — after the attacker-controlled code executed during the workflow’s test and cleanup phase and posted malicious packages directly to the npm registry as if from the legitimate project maintainers.
The malicious commit was authored by a GitHub account named voicproducoes, whose public repositories included a project associated with a phrase linked to large-scale npm malware campaigns, strongly indicating account takeover.
Incident Response and Remediation
TanStack has since deprecated all 84 affected package versions with a SECURITY warning on npm. The npm security team has been engaged to remove the malicious tarballs at the registry level. GitHub Actions cache entries have been purged, and hardening changes have been merged to restructure the vulnerable workflow, add repository-owner guards, and pin all third-party action references.
For organizations that may have been affected, the following steps are essential:
- Rotate all credentials immediately — cloud provider keys (AWS, GCP), GitHub tokens, SSH keys, and any secrets stored in environment variables on CI runners
- Audit cloud logs for suspicious API calls, unusual resource creation, or access from unfamiliar IP addresses during and after the window of May 12, 19:20–19:30 UTC
- Check your lock files for any
@tanstack/*package version containing"@tanstack/setup": "github:tanstack/router#79ac49ee..."inoptionalDependencies— treat any such entry as malicious - Reinstall dependencies from a clean lockfile pinned to a known-good version that predates the compromise window
- Harden your CI pipelines by reviewing use of
pull_request_target, auditing cache sharing policies, and pinning all third-party GitHub Actions to specific commit SHAs
This incident is a stark reminder of the fragility of trust in the open-source supply chain and the growing sophistication of attacks targeting CI/CD infrastructure. Organizations that rely heavily on npm packages — particularly popular React ecosystem libraries — should reassess their supply chain security posture and consider integrating automated tools for detecting unexpected changes in package artifacts.