
TanStack Attack: Malicious Code Distributed via Compromised npm Packages

In a nutshell: Attackers used a stolen OIDC token to distribute counterfeit TanStack packages on npm, enabling the exfiltration of cloud credentials and authentication tokens.

Attackers used a stolen OIDC token to publish manipulated TanStack packages to the npm registry. The malicious code embedded in those packages harvests cloud credentials, GitHub and npm tokens, and private SSH keys from the machines that install them.

In the TanStack attack, the perpetrators abused a weakness in the publishing trust chain rather than a bug in the packages themselves: a compromised or misused OIDC token (the short-lived identity token a CI workflow presents to the registry in place of a long-lived publish token) allowed them to pose as the legitimate package publisher. With that identity, manipulated versions of TanStack packages were accepted into the npm registry, the central package registry for JavaScript and Node.js development.

The malicious code runs automatically at install time, without any action by the developer beyond installing the dependency, and systematically collects authentication material. Affected credentials include cloud access keys, tokens for GitHub and npm, and private SSH keys: secrets that grant access to critical infrastructure and development assets.

The campaign, tracked under the name “Mini-Shai-Hulud”, has expanded beyond the initial TanStack attack to further victims. Documented cases include Microsoft, Red Hat, and numerous other organizations. The pattern shows a deliberate strategy: trusted developer pipelines serve as the entry point for broader compromises.

For CISOs, this attack is a critical warning about supply-chain risk in open-source ecosystems. Stolen pipeline credentials give an attacker control over build and deployment processes and, from there, a path into production environments. Organizations should review how their OIDC tokens are issued, scoped and revoked, validate the integrity and provenance of the packages they install, and strictly limit which build steps can read secrets in their pipelines.


Source: www.security-insider.de · Published 2 July 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.3.
