
TanStack Supply Chain Attack Exploited GitHub Actions to Publish 84 Malicious npm Packages in Six Minutes

Coordinated breach weaponised OIDC tokens and CI/CD automation to compromise 42 packages with credential-harvesting payloads, exposing structural flaws in trusted publishing.

An attacker published 84 malicious versions across 42 TanStack npm packages in a six-minute window on 11 May 2026, exploiting GitHub Actions workflows to mint valid publishing tokens and deploy obfuscated payloads targeting developer credentials and cloud infrastructure secrets. The breach, detected within 20 minutes by StepSecurity researcher Ashish Kurmi, represents the first documented npm supply chain attack producing valid SLSA provenance attestations—the malicious packages passed verification because the attacker hijacked the legitimate build pipeline itself rather than stealing static credentials.

Attack Metrics
  • Malicious versions published: 84
  • Attack window: 6 minutes
  • @TanStack/react-router weekly downloads: 12.7M
  • Detection time: 20 minutes

How the Attack Worked

The breach exploited a chain of GitHub Actions misconfigurations and design weaknesses rather than credential theft, according to the TanStack postmortem. The attacker created a fork under GitHub account voicproducoes, then triggered a pull_request_target workflow that poisoned the GitHub Actions cache with a malicious pnpm store. When the legitimate release workflow restored that poisoned cache, it executed attacker-controlled code that extracted OIDC tokens from GitHub Actions runner process memory and used them to publish malicious packages.

“The attack published malicious versions through the project’s own GitHub Actions release pipeline using hijacked OIDC tokens,” according to The Hacker News, which spoke with StepSecurity researcher Ashish Kurmi. The attack occurred between 19:20 and 19:26 UTC on 11 May, with the attacker renaming the malicious fork to evade fork-list searches during the brief window before detection.
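A defensive lint for the two workflow conditions this section describes, as an added example that is not taken from the TanStack postmortem or any vendor named here: it flags pull_request_target workflows that use the Actions cache, and workflows holding id-token: write that use it too. The function names, rule names and sample workflow texts are assumptions made for illustration, and the matching is a line-based heuristic rather than a YAML parse.

```javascript
// Added example. Heuristic, line-based checks (no YAML parser). The workflow
// texts in SAMPLE are constructed, not TanStack's real files.
const PR_TARGET = /(^|[\s\[,])pull_request_target\s*(:|,|\]|$)/;
const OIDC_WRITE = /^\s*id-token:\s*['"]?write\b/;

// Steps that touch the Actions cache: actions/cache[/restore|/save], or
// actions/setup-node with its `cache` input set.
function cacheSteps(lines) {
  const steps = [];
  let cur = null;
  lines.forEach((line, i) => {
    if (/^\s*-\s+[\w-]+:/.test(line)) steps.push((cur = { line: i + 1, uses: '', cacheInput: false }));
    if (!cur) return;
    const m = line.match(/\buses:\s*['"]?([^'"\s@]+)/);
    if (m) cur.uses = m[1];
    if (/^\s*cache:\s*\S/.test(line)) cur.cacheInput = true;
  });
  return steps.filter((s) => /^actions\/cache(\/|$)/.test(s.uses) ||
    (s.uses === 'actions/setup-node' && s.cacheInput));
}

// files: { "<workflow file name>": "<YAML text>" } -> list of findings to review.
function auditWorkflows(files) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    const lines = text.split(/\r?\n/).map((l) => l.replace(/(^|\s)#.*$/, '')); // drop comments
    const at = cacheSteps(lines).map((s) => s.line);
    if (at.length === 0) continue;
    if (lines.some((l) => PR_TARGET.test(l))) findings.push({ file, rule: 'untrusted-trigger-uses-cache', at });
    if (lines.some((l) => OIDC_WRITE.test(l))) findings.push({ file, rule: 'oidc-workflow-uses-cache', at });
  }
  return findings;
}

const SAMPLE = {
  'ci.yml': ['on: [pull_request_target]', 'jobs:', '  test:', '    runs-on: ubuntu-latest', '    steps:',
    '      - uses: actions/setup-node@v4', '        with:', '          cache: pnpm',
    '      - run: pnpm install'].join('\n'),
  'release.yml': ['on:', '  push:', 'permissions:', '  id-token: write', 'jobs:', '  publish:',
    '    runs-on: ubuntu-latest', '    steps:', '      - uses: actions/cache@v4', '        with:',
    '          path: ~/.pnpm-store', '          key: pnpm-store', '      - run: pnpm publish'].join('\n'),
};
console.log(auditWorkflows(SAMPLE));
```

A finding is a prompt for review, not proof of exposure: the pair that matters is an untrusted-trigger workflow and a token-minting workflow that can resolve to the same cache entries.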

OIDC Trusted Publishing

npm’s OIDC trusted publisher feature allows GitHub Actions workflows to mint short-lived publish tokens without storing long-lived credentials. The TanStack repository configured trust at the repository level rather than scoping it to a specific protected branch and workflow file—meaning any workflow run, including those triggered by external pull requests, could request valid publish tokens. This design flaw turned a security feature into an attack surface.

The payload itself was a 2.3 MB obfuscated router_init.js file injected into all compromised packages, Wiz reported. The code targeted AWS, GCP, Kubernetes, Vault, GitHub tokens, SSH keys, and .npmrc credentials, exfiltrating them via the Session encrypted messaging protocol. It also included a dead-man’s switch that triggered a disk-wipe command (rm -rf ~/) on Windows and Linux systems if token revocation was detected.

Campaign Scale and Attribution

By end of day 12 May, Aikido documented at least 170 affected packages across npm, spanning @tanstack, @uipath, @mistralai, @squawk, @tallyui, @beproduct and other namespaces. The campaign is attributed to threat group TeamPCP, which previously compromised Aqua Security’s Trivy scanner in March 2026 and Bitwarden’s CLI npm package in April 2026.

  • 10 May 2026: Fork creation and cache poisoning. Attacker creates voicproducoes fork, triggers pull_request_target workflow to poison GitHub Actions cache.
  • 11 May 19:20 UTC: Malicious publish begins. 84 malicious versions across 42 packages published in six-minute window using extracted OIDC tokens.
  • 11 May 19:40 UTC: Detection and response. StepSecurity researcher Ashish Kurmi detects anomalous packages; TanStack begins coordinated takedown.
  • 12 May 2026: CVE assignment. CVE-2026-45321 assigned with CVSS score 9.6 (Critical); full incident scope documented across 170+ packages.

This wave differs from earlier Shai-Hulud attacks in September and November 2025—which affected more packages but lacked SLSA provenance—by exploiting CI/CD infrastructure rather than static credentials. “Because the repository’s OIDC trusted publisher configuration granted trust at the repository level rather than scoped to a specific protected branch and workflow file, the workflow run triggered by that commit was able to request a valid short-lived npm publish token,” Endor Labs researcher Peyton Kennedy explained to The Hacker News.

Payload Capabilities and Persistence

The malicious code established persistence through systemd services on Linux and LaunchAgent entries on macOS, Semgrep documented. It ran a token-monitoring daemon that continuously scanned for new credentials in environment variables and configuration files, uploading findings to attacker-controlled infrastructure. The payload also included self-propagation logic designed to compromise downstream dependencies by injecting itself into node_modules directories during package installation.

“This is the first documented case of a malicious npm package carrying valid SLSA provenance, as the worm hijacked the legitimate build pipeline itself and Sigstore verified the build process correctly.”

Snyk

Socket detected the malicious packages using AI-powered analysis that flagged the oversized router_init.js file and suspicious network activity. The attacker’s choice to inject a payload that broke tests made the publish step loud enough to detect quickly—the malicious versions failed CI checks, generating alerts that accelerated response time.

Systemic Implications

The TanStack compromise exposes brittleness in CI/CD supply chain trust models. OIDC trusted publishing was designed to eliminate credential theft as an attack vector, but the repository-level trust configuration created a new surface: any code path in any workflow could mint publish-capable tokens. The attack succeeded despite multiple layers of modern supply chain security (SLSA provenance, Sigstore verification, encrypted artifact storage) because it compromised the trust root itself.

Remediation Steps
  • Immediately audit package-lock.json for versions published 11 May 2026 19:20-19:26 UTC across all @tanstack/* packages
  • Rotate all credentials (AWS/GCP keys, GitHub tokens, npm tokens, SSH keys) on systems that installed affected versions
  • Check for systemd services or LaunchAgent entries named ‘node-update’ or containing obfuscated JavaScript
  • Review GitHub Actions workflows for pull_request_target triggers with cache restoration before security checks
  • Scope OIDC trusted publisher configurations to specific protected branches and workflow files, not repository level
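
One way to carry out the first audit step above, as an added example rather than tooling from TanStack or npm: it walks the packages map of a package-lock.json and compares each @tanstack/* version's publish time with the 19:20-19:26 UTC window. The lockfile, version strings and publish times are constructed, and auditLockfile and nameFromPath are hypothetical names; a version with no publish time in the supplied data is reported for manual review rather than treated as clean.

```javascript
// Added example. LOCK and REGISTRY_TIMES are constructed; in practice the
// publish times come from the `time` map of each package's registry document
// (https://registry.npmjs.org/<name>), since the lockfile itself has no dates.
// Assumption: the whole 19:26 minute counts as inside the window.
const WINDOW = { start: Date.parse('2026-05-11T19:20:00Z'), end: Date.parse('2026-05-11T19:27:00Z') };

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
const nameFromPath = (p) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);

function auditLockfile(lock, registryTimes, scope = '@tanstack/') {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || entry.link) continue; // skip the root project and workspace links
    const name = entry.name || nameFromPath(path);
    if (!name.startsWith(scope)) continue;
    const published = (registryTimes[name] || {})[entry.version];
    if (!published) { // unknown is not the same as clean
      hits.push({ name, version: entry.version, path, status: 'no-publish-time' });
      continue;
    }
    const t = Date.parse(published);
    if (t >= WINDOW.start && t < WINDOW.end) {
      hits.push({ name, version: entry.version, path, status: 'in-window', published });
    }
  }
  return hits;
}

const LOCK = { // constructed lockfile (v2/v3 "packages" layout)
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/react-router': { version: '0.0.1-constructed' },
    'node_modules/left/node_modules/@tanstack/react-router': { version: '0.0.2-constructed' },
    'node_modules/@tanstack/example-constructed': { version: '0.0.3-constructed' },
    'node_modules/express': { version: '4.0.0' },
  },
};
const REGISTRY_TIMES = { // constructed publish times, keyed by package then version
  '@tanstack/react-router': {
    '0.0.1-constructed': '2026-05-01T10:00:00.000Z',
    '0.0.2-constructed': '2026-05-11T19:22:41.000Z',
  },
};
console.log(auditLockfile(LOCK, REGISTRY_TIMES));
```

The nested path matters: a transitive copy under another package's node_modules is matched the same way as a direct dependency.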

The TanStack postmortem details technical remediation steps and systemic recommendations, including mandatory security review gates before cache restoration and workflow-level OIDC scoping. npm has not announced platform-level changes to prevent similar attacks.

What to Watch

TanStack maintainers have published clean versions and rotated all tokens, but the incident raises questions about OIDC trusted publishing adoption across the npm ecosystem. Repositories using repository-level trust configurations remain vulnerable to similar attacks—particularly those with pull_request_target workflows that restore caches before security validation. TeamPCP’s demonstrated capability to compromise CI/CD pipelines suggests future attacks will target GitHub Actions, GitLab CI, and other automation platforms as primary entry points rather than static credential stores. Expect pressure on npm to implement workflow-scoped OIDC bindings and mandatory security gates before cache restoration in high-privilege workflows.