TanStack npm Supply Chain Attack: 84 Malicious Versions Published in 6 Minutes
Original: Postmortem: TanStack NPM supply-chain compromise View original →
What Happened
Between 19:20-19:26 UTC on May 11, 2026, an attacker published 84 malicious versions across 42 @tanstack/* npm packages in just 6 minutes. No npm tokens were stolen - the attack vector was entirely GitHub Actions. An external researcher detected the malicious versions publicly within 20 minutes, and all affected versions have since been deprecated.
The Attack Chain
The attacker combined three GitHub Actions vulnerabilities: (1) the Pwn Request pattern exploiting pull_request_target to access repository secrets from a fork PR, (2) GitHub Actions cache poisoning across the fork-base trust boundary, and (3) runtime extraction of an OIDC token from the GitHub Actions runner process memory.
What the Malware Does
When any affected version is installed via npm, pnpm, or yarn, a 2.3MB obfuscated script executes via the prepare lifecycle hook. It harvests credentials from AWS IMDS/Secrets Manager, GCP metadata, Kubernetes service accounts, Vault tokens, ~/.npmrc, GitHub tokens, and SSH private keys - then exfiltrates them over the Session/Oxen end-to-end encrypted messenger network.
Confirmed Safe Packages
@tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, @tanstack/store, and @tanstack/start are unaffected.
Immediate Action
If you ran an install against affected versions on May 11, 2026, rotate credentials immediately: AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH. GitHub Security Advisory: GHSA-g7cv-rxg3-hmpx.
Related Articles
Hacker News treated the Bitwarden CLI compromise as the sort of GitHub Actions failure that becomes far more serious when the package sits near secrets, tokens, and password-manager workflows. By crawl time on April 25, 2026, the thread had 855 points and 416 comments.
TrapDoor pushed more than 34 malicious packages across npm, PyPI, and Crates.io after May 22. The sharpest twist is not just credential theft, but the attempt to poison .cursorrules and CLAUDE.md files read by AI coding assistants.
OpenAI said on April 10, 2026 that a compromised Axios package touched a GitHub Actions workflow used in its macOS app-signing pipeline. The company says no user data, systems, or software were compromised, but macOS users need updated builds signed with a new certificate before May 8, 2026.