NewsPulse
Tech · about 10 hours ago · 1 min read

TanStack npm Supply Chain Attack: 84 Packages Compromised with Malware

A major supply-chain attack compromised 84 versions of TanStack npm packages with suspected CI credential-stealing malware. Socket Security detected the malicious versions within six minutes of publication, preventing wider distribution.

Supply Chain Attack Details

Attack Parameters:

  • 42 TanStack packages across 84 versions were compromised
  • Malware: suspected CI credential-stealing payload ("Mini Shai-Hulud")
  • Published to npm at approximately 19:20 and 19:26 UTC
  • Socket Security detected and flagged every malicious version within 6 minutes
  • Packages were quickly deprecated to limit damage

Attack Method: "Dead Man's Switch"

The attack employed a technique known as a "dead man's switch" supply-chain attack: once CI credentials were stolen, the malware could persist in victim build systems and compromise future deployments, even after the malicious package versions themselves were removed.

Impact and Response

TanStack published a security advisory immediately upon discovery. The rapid detection by Socket Security prevented the malware from spreading to downstream projects that depend on these packages. However, any organization that pulled the compromised versions during the brief window faces potential credential exposure.

Broader Context

This incident underscores ongoing vulnerabilities in the npm ecosystem and highlights the critical importance of supply-chain security tools. Open-source dependencies are becoming attractive targets for attackers seeking to compromise multiple downstream organizations simultaneously.

Recommendations

  • Review npm logs for pulls during the attack window
  • Rotate any CI credentials that may have been exposed
  • Monitor supply-chain security tools for similar attacks
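The first two recommendations amount to one concrete check: find every TanStack package pinned in your lockfiles, look up when each installed version was published, and treat anything published inside the attack window as a candidate for credential rotation. The script below is an added example, not code from the article, TanStack or Socket Security. It assumes a `package-lock.json` (v1, v2 or v3 layout) and the `time` object from each package's npm registry document (`GET https://registry.npmjs.org/<name>`), which maps version to ISO publish timestamp. The lockfile and registry data are constructed samples, and the attack date is a placeholder because the article gives only the times of day (19:20 and 19:26 UTC).

```javascript
// Added example (not from the NewsPulse article, TanStack or Socket Security): list every
// @tanstack/* dependency pinned in a package-lock.json and flag the versions whose registry
// publish time falls inside a suspect window. All sample data below is constructed.

const ATTACK_DATE = "1970-01-01"; // PLACEHOLDER: take the real date from the TanStack advisory
const WINDOW_START = `${ATTACK_DATE}T19:20:00Z`;
const WINDOW_END = `${ATTACK_DATE}T19:27:00Z`; // a minute of slack past the second publish

// Constructed package-lock.json (lockfileVersion 3). A nested install is included to show
// that the scan looks past the top-level node_modules/ entries.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@tanstack/react-query": "^5.0.0" } },
    "node_modules/@tanstack/react-query": {
      version: "5.0.1",
      resolved: "https://registry.npmjs.org/@tanstack/react-query/-/react-query-5.0.1.tgz",
    },
    "node_modules/@tanstack/query-core": {
      version: "5.0.0",
      resolved: "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.0.0.tgz",
    },
    "node_modules/some-lib/node_modules/@tanstack/query-core": {
      version: "5.0.2",
      resolved: "https://registry.npmjs.org/@tanstack/query-core/-/query-core-5.0.2.tgz",
    },
    "node_modules/react": {
      version: "18.3.1",
      resolved: "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
    },
  },
});

// Constructed stand-in for the "time" field of each package's registry document,
// which maps version -> ISO publish timestamp (plus "created"/"modified" keys, omitted here).
const SAMPLE_REGISTRY_TIME = {
  "@tanstack/react-query": {
    "5.0.0": "1970-01-01T08:00:00.000Z",
    "5.0.1": `${ATTACK_DATE}T19:21:05.000Z`, // inside the window
  },
  "@tanstack/query-core": {
    "5.0.0": "1970-01-01T08:00:00.000Z",
    "5.0.2": `${ATTACK_DATE}T19:26:40.000Z`, // inside the window
  },
};

// Collect every installed package under `scope` from a v1, v2 or v3 lockfile.
function listScopedPackages(lockfileText, scope = "@tanstack/") {
  const lock = JSON.parse(lockfileText);
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/@scope/name".
    for (const [installPath, entry] of Object.entries(lock.packages)) {
      if (installPath === "") continue; // the root project itself
      const name = installPath.split("node_modules/").pop();
      if (name.startsWith(scope)) {
        found.push({ name, version: entry.version, resolved: entry.resolved || null, installPath });
      }
    }
  } else if (lock.dependencies) {
    // v1: a nested tree keyed by package name.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const installPath = `${prefix}node_modules/${name}`;
        if (name.startsWith(scope)) {
          found.push({ name, version: entry.version, resolved: entry.resolved || null, installPath });
        }
        if (entry.dependencies) walk(entry.dependencies, `${installPath}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// True when an ISO timestamp lies within [start, end].
function publishedInWindow(isoTime, start, end) {
  const t = Date.parse(isoTime);
  return !Number.isNaN(t) && t >= Date.parse(start) && t <= Date.parse(end);
}

// Join lockfile entries with registry publish times and mark the suspect ones.
// Versions with no registry record are reported as "unknown" rather than silently passed.
function flagSuspectVersions(packages, registryTime, start, end) {
  return packages.map((pkg) => {
    const publishedAt = registryTime[pkg.name]?.[pkg.version] ?? null;
    const suspect = publishedAt === null ? "unknown" : publishedInWindow(publishedAt, start, end);
    return { ...pkg, publishedAt, suspect };
  });
}

function scanSampleLockfile() {
  return flagSuspectVersions(listScopedPackages(SAMPLE_LOCKFILE), SAMPLE_REGISTRY_TIME, WINDOW_START, WINDOW_END);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of scanSampleLockfile()) {
    const tag = r.suspect === true ? "SUSPECT" : r.suspect === "unknown" ? "UNKNOWN" : "ok";
    console.log(`${tag}\t${r.name}@${r.version}\t${r.installPath}\tpublished ${r.publishedAt}`);
  }
}
```

Two points in the design: the scan walks nested `node_modules/` paths, since a compromised version can arrive transitively through a dependency you never named in `package.json`; and a version without a registry `time` record is surfaced as unknown instead of being treated as clean, because an unpublished or deprecated version is exactly the case worth a second look. Any hit means the CI secrets that the build could read should be rotated, as the article advises, regardless of whether the payload is confirmed to have run.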
