TanStack Supply Chain Attack: 160 npm Packages Expose Developer Credentials to Dark Web

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
AWS keys, GitHub tokens, SSH private keys, and cryptocurrency wallet files stolen from 160 compromised npm packages are being sold on dark web cybercrime forums, and GitHub confirmed today that 3,800 of its internal repositories were accessed using developer credentials stolen in the same attack.
The TanStack npm supply chain attack, launched May 11, 2026 by the TeamPCP cybercrime group, injected a 2.3 MB obfuscated credential-stealing payload into 42 packages across the widely-used @tanstack JavaScript library ecosystem, publishing 84 malicious versions in just 6 minutes. The @tanstack/react-router package alone records 12 million weekly downloads, meaning any developer who ran npm install with @tanstack router packages between 19:20 and 19:42 UTC on May 11 installed the payload without any visible sign of compromise. The attack then self-propagated through stolen CI/CD credentials into 160+ additional npm and PyPI packages covering UiPath, Mistral AI, OpenSearch, and dozens of smaller projects.
The payload executed three credential-theft channels simultaneously: scanning 100+ cloud tool credential file paths, scraping GitHub Actions runner memory for in-flight secrets via /proc/{PID}/mem, and querying the AWS EC2 Instance Metadata Service for attached IAM role credentials. Stolen data exfiltrated through filev2.getsession.org, a legitimate privacy service domain chosen deliberately to evade firewall blocklists, and through GitHub GraphQL dead-drops committed to attacker-controlled repositories. TeamPCP has already delivered extortion demands to Grafana Labs and today listed stolen GitHub source code on a cybercrime forum for a minimum of $50,000.
Developers who ran npm install with @tanstack router packages on May 11 must rotate all cloud credentials, API tokens, and SSH keys from that machine immediately. The stolen data is live on underground markets today.
How Does the TanStack npm Supply Chain Attack Work?
The TanStack npm supply chain attack operated through a four-stage chain that exploited a known GitHub Actions weakness called the "Pwn Request" pattern, allowing attackers to cross the trust boundary between untrusted fork pull requests and production release pipelines.
Stage 1, Fork and payload staging. The attacker (GitHub account voicproducoes, ID 269549300, created March 2026) forked the TanStack/router repository on May 10 and committed two files: tanstack_runner.js, a 2.3 MB obfuscated JavaScript payload, and a modified package.json that referenced the malicious fork as an optionalDependency. Three obfuscation layers protected the payload: 11,516 custom base64 strings, a Fisher-Yates substitution cipher, and AES-256-GCM encrypted secondary scripts requiring the Bun runtime. The package.json prepare lifecycle hook triggered payload execution on any npm install.
Stage 2, Cache poisoning. On May 11 at approximately 10:49 UTC, the attacker opened PR #7378 against the official TanStack/router repository, triggering the bundle-size.yml workflow. That workflow used the pull_request_target pattern, a GitHub Actions antipattern that executes fork PR code with repository-level permissions. The malicious code wrote a poisoned pnpm store into the Actions cache under a key that legitimate production release workflows would later restore.
Stage 3, OIDC token theft and worm publishing. At 19:20 UTC, a production release workflow restored the poisoned cache. The payload located the GitHub Actions Runner.Worker process via /proc/*/cmdline, dumped its memory using /proc/{PID}/mem, and extracted the OIDC token. The payload exchanged that token for per-package npm publish credentials and published 84 malicious versions across 42 @tanstack packages in 6 minutes. It then enumerated every package controlled by any maintainer whose npm token was recovered and republished each, the worm mechanism that spread the compromise to 160+ packages across UiPath, Mistral AI, OpenSearch, and others.
Stage 4, Developer machine infection. Any npm install that pulled the affected @tanstack packages executed the payload locally, harvesting credentials from 100+ file paths and exfiltrating them to filev2.getsession.org under RSA-4096-OAEP wrapped AES-256-GCM encryption.
Researcher ashishkurmi disclosed the attack via GitHub issue #7383 at 19:46 UTC, 26 minutes after the first malicious publish, by which time the worm had already spread beyond the @tanstack namespace.
Who Is TeamPCP? The Threat Actor Behind Mini Shai-Hulud
TeamPCP is a financially motivated cybercrime group responsible for at least two documented "Mini Shai-Hulud" supply chain worm campaigns against the npm and PyPI ecosystems. The group takes its internal codename from Frank Herbert's Dune universe: attacker Git branch names documented in this campaign include fremen, sandworm, harkonnen, atreides, and melange, establishing operational continuity between attacks and a preference for distinctive tradecraft.
Attribution is based on overlapping C2 infrastructure, the attacker GitHub account voicproducoes (ID 269549300, email voicproducoes@gmail.com, created March 2026), and matching payload signatures between the May 2026 attack and a prior Mini Shai-Hulud campaign. No formal government attribution exists. TeamPCP operates as a financially motivated extortion actor rather than a state-sponsored espionage unit.
TeamPCP's business model follows three steps: compromise via supply chain, exfiltrate via privacy-service CDN to evade detection, then issue extortion demands. On May 15, a TeamPCP affiliate operating as "CoinbaseCartel" listed Grafana Labs on a dark web extortion site. On May 16, Grafana received a ransom demand and refused to pay, noting payment provides no guarantee of data destruction. TeamPCP separately listed GitHub's internal repositories on a cybercrime forum with a minimum asking price of $50,000.
Three TeamPCP tradecraft patterns are particularly notable for defenders. The group routes exfiltration through filev2.getsession.org, the Session Protocol's legitimate CDN, to defeat threat intelligence blocklists. It commits stolen data as GitHub GraphQL dead-drops with commits falsely attributed to claude@users.noreply.github.com to blend into normal developer activity. It also embeds a destructive tripwire: npm tokens found on infected machines receive the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner, designed to trigger a disk wipe if a security team revokes the token without first isolating the machine.
Similar financially motivated extortion operations targeting developer platforms appeared in the ShinyHunters group's 30 million Canvas LMS breach, where stolen credentials from a developer-facing environment immediately fueled large-scale data extortion.
“SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended.”
TanStack Security Postmortem, May 2026
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Which Developer Credentials Were Stolen in This Supply Chain Attack?
The TanStack supply chain payload harvested credentials from 100+ specific file paths on infected developer machines and CI/CD runners, covering every major cloud platform, developer tool, and several cryptocurrency wallets.
Cloud infrastructure credentials carry the highest impact. The payload queried the AWS EC2 Instance Metadata Service at 169.254.169.254 via IMDSv2 to enumerate IAM roles and fetch temporary access credentials with the full permission scope of the attached role, often including read access to S3 buckets, DynamoDB tables, and Secrets Manager entries. GCP service account JSON files were read from default locations. Kubernetes service-account tokens and HashiCorp Vault tokens at 127.0.0.1:8200 were also targeted.
Developer platform credentials targeted include npm registry tokens from ~/.npmrc (prioritizing tokens with bypass_2fa: true), GitHub personal access tokens from the gh CLI and .git-credentials, SSH private keys from ~/.ssh/id_rsa and ~/.ssh/id_ed25519, Docker Hub credentials from ~/.docker/config.json, and PyPI publish tokens from ~/.pypirc.
In-memory secrets represent the stealthiest theft category. The payload scraped GitHub Actions Runner.Worker process memory via /proc/{PID}/mem, extracting all in-memory secret objects matching the structure {"value":"...","isSecret":true}. This technique bypasses GitHub's secret masking entirely, secrets never referenced in YAML were exposed. Any secret value injected into a GitHub Actions environment during a compromised workflow run must be treated as exfiltrated.
Persistence mechanisms extended credential theft beyond the initial infection window. On macOS, the payload installed a LaunchAgent at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist that re-exfiltrates GitHub tokens after every reboot. On Linux, a systemd user service at ~/.config/systemd/user/gh-token-monitor.service provides equivalent persistence. Both survive software updates and typically evade endpoint detection focused on process-level behavioral signals.
Security teams should not rely on endpoint detection as the primary indicator. Any machine that ran npm install with @tanstack router packages on May 11 should be treated as fully compromised pending a complete credential rotation and persistence artifact sweep.
GitHub, Grafana, Mistral AI: Confirmed Organizational Breaches
Five organizations confirmed or disclosed unauthorized access linked to this campaign as of May 21, 2026.
GitHub disclosed today that approximately 3,800 internal repositories were accessed by TeamPCP. The breach vector was Nx Console 18.95.0, a malicious VS Code extension version published using stolen credentials from the TanStack campaign. The extension was available on VS Code Marketplace for 18 minutes and OpenVSX for 36 minutes, recording 28 and 41 downloads respectively. An estimated 6,000 additional activations occurred via the auto-update mechanism after public disclosure. GitHub rotated critical secrets between Monday and Tuesday and stated no customer data in systems outside the accessed repositories was exfiltrated.
Grafana Labs confirmed on May 19 that a single GitHub workflow token not rotated after the initial TanStack incident gave attackers access to source code, private repositories, and internal operational information. CoinbaseCartel, a TeamPCP affiliate, listed Grafana on a dark web extortion site on May 15. Grafana received a ransom demand on May 16 and refused to pay, explicitly noting that payment provides no guarantee of data destruction and increases the probability of future targeting.
Mistral AI had its @mistralai/mistralai npm package versions 2.2.3 and 2.2.4 compromised by the self-propagating worm after a maintainer token was obtained from an infected machine. Any developer or CI/CD pipeline that installed those versions during the attack window should rotate credentials.
UiPath had 60+ packages in the @uipath/ npm namespace compromised by the worm after maintainer tokens were obtained from affected machines.
Two OpenAI employees had personal developer credentials compromised via the Nx Console extension, according to security researchers tracking the campaign.
The full scope of affected organizations remains under investigation. Organizations using any of the 160+ compromised packages in CI/CD pipelines should begin incident response immediately. Check the DAEMON Tools supply chain compromise documented in the May 11 weekly roundup for parallel attack patterns that attackers are layering against developer toolchains this month.
IOCs: Indicators to Hunt Across Logs, DNS, and File Systems
The indicators below span all four attack stages: C2 infrastructure, exfiltration channels, malicious file hashes, and persistence artifacts. Search all indicators before beginning credential rotation, specifically, check for the npm token tripwire descriptor before revoking any npm tokens from potentially infected machines.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
What Developers and Security Teams Must Do Right Now
Execute these steps in the order listed. Isolate any machine where you find the npm token tripwire before revoking credentials from that machine.
Audit npm install logs for affected @tanstack packages on May 11, 2026
Check package-lock.json or pnpm-lock.yaml for @tanstack/react-router or @tanstack/router-core versions installed between 19:20 and 19:42 UTC on May 11. Any match confirms payload execution on that machine or runner.
Scan for persistence artifacts before any credential action
On macOS: check ~/Library/LaunchAgents/com.user.gh-token-monitor.plist. On Linux: check ~/.config/systemd/user/gh-token-monitor.service. On both: check .claude/settings.json for unauthorized SessionStart hooks and .vscode/tasks.json for unauthorized folderOpen triggers. Remove all findings and reboot before proceeding.
Check GitHub token descriptions before revoking npm tokens
Log into github.com/settings/tokens and review all personal access token descriptions. Any token with the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner indicates the machine has the destructive tripwire payload. Isolate and image the machine before revoking that token.
Block C2 and exfiltration domains at DNS and perimeter firewall
Add DNS block rules for api.masscan.cloud, filev2.getsession.org, git-tanstack.com, and seed{1,2,3}.getsession.org across all corporate DNS resolvers and web proxies. Query historical DNS logs for any prior resolution of these domains to identify additional affected machines.
Rotate all cloud credentials from any confirmed-affected machine
Rotate AWS IAM access keys and rotate or disable the IAM role if it was available via EC2 IMDS. Rotate GCP service account keys. Invalidate Kubernetes service-account tokens. Rotate HashiCorp Vault tokens. Rotate GitHub personal access tokens and GitHub Actions secrets. Replace SSH key pairs.
Audit GitHub Actions workflows for injected codeql_analysis.yml files
Search all repositories for a .github/workflows/codeql_analysis.yml file that differs from your standard CodeQL configuration. Look for workflow files that POST to external URLs using toJSON(secrets) or that upload artifacts with names matching formatter output. Remove any injected files and rotate all secrets in affected repositories.
Search GitHub commit history for attacker dead-drop commits
Search commit history for the email address claude@users.noreply.github.com in repositories where you do not use Claude for automated commits. Attacker dead-drop commits use Dune-themed branch names: fremen, sandworm, harkonnen, atreides, melange. Any such commit indicates the attacker successfully staged stolen credentials in your repository.
Why TanStack npm Supply Chain Attack Matters for Your Organization
The TanStack npm supply chain attack matters beyond its immediate scope because it demonstrated that a single compromised OIDC token from one organization's CI/CD pipeline can propagate into 160+ unrelated packages within 6 minutes, bypassing SLSA supply chain security attestations that the broader industry has spent years building. The TanStack postmortem explicitly acknowledged this: SLSA provenance confirms which pipeline produced the artifact, not whether that pipeline was behaving as intended.
The @tanstack/react-router package reaches 12 million developers weekly. Even if only a fraction of installations during the 22-minute attack window occurred in CI/CD environments with significant cloud credentials attached, the downstream scope includes thousands of potentially compromised AWS, GCP, and Kubernetes environments. Security teams that have not audited their npm install logs from May 11 are working against attackers who have had 10 days to weaponize stolen credentials against cloud infrastructure.
The dark web sale of GitHub's 3,800 internal repositories amplifies the risk beyond initial credential theft. Source code repositories hold hardcoded API keys, internal service URLs, proprietary security controls, and architectural documentation. Attackers purchasing that access gain intelligence for highly targeted follow-on attacks against GitHub's supply chain customers, every organization using GitHub Actions, GitHub Packages, or Dependabot is a downstream target of what was accessed.
Three factors make this attack particularly difficult to contain. The payload used legitimate privacy infrastructure for exfiltration, making network-level detection unreliable against standard threat intel blocklists. It planted persistence that survives reboots and updates. It embedded a destructive tripwire designed to deter rapid credential revocation. Organizations must assume compromise, isolate affected machines, and rotate credentials methodically.
Developer security teams should evaluate whether their GitHub Actions workflows use the pull_request_target pattern against fork pull requests. StepSecurity's Harden-Runner and Socket Security both offer workflow auditing that flags this antipattern before it becomes an exploitation path. Pinning all CI/CD tool versions and using OpenID Connect for short-lived cloud credentials eliminates the long-lived token targets that made this campaign so productive for TeamPCP.
The bottom line
The TanStack npm supply chain attack put developer credentials from 160 packages onto the dark web in under 6 minutes. TeamPCP exfiltrated AWS keys, GitHub tokens, SSH private keys, and cryptocurrency wallets from any developer machine or CI/CD runner that processed a routine npm install on May 11, 2026. GitHub, Grafana Labs, Mistral AI, and UiPath have all confirmed unauthorized access. Three takeaways: the self-propagating worm bypassed SLSA supply chain attestations; the filev2.getsession.org exfiltration channel evades standard threat intel blocklists; and the npm token tripwire means naively revoking credentials can trigger a disk wipe. Rotate all cloud credentials and SSH keys from affected machines before end of day today.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is the TanStack npm supply chain attack?
The TanStack npm supply chain attack is a credential-theft operation executed by the TeamPCP cybercrime group on May 11, 2026. Attackers injected a 2.3 MB obfuscated payload into 42 packages in the @tanstack JavaScript library ecosystem, publishing 84 malicious versions in 6 minutes using a stolen GitHub Actions OIDC token. The payload self-propagated by stealing npm tokens from infected machines and republishing itself into 160+ additional packages across UiPath, Mistral AI, and OpenSearch. Any developer whose machine ran npm install involving affected @tanstack router packages during the 22-minute exposure window should treat all credentials on that machine as compromised and rotate them immediately.
Which @tanstack packages were compromised in the supply chain attack?
The attack affected 42 packages in the @tanstack/router monorepo, including @tanstack/react-router and @tanstack/router-core. The unaffected @tanstack families are @tanstack/query, @tanstack/table, @tanstack/form, @tanstack/virtual, @tanstack/store, and the @tanstack/start meta-package. The compromise window was May 11, 2026 from 19:20 to 19:42 UTC. All malicious tarballs were removed from the npm registry by May 12, 2026 at 23:55 UTC. Developers should pin to the latest safe versions documented in the TanStack postmortem and clear local pnpm caches before reinstalling.
What credentials were stolen in the TanStack supply chain attack?
The payload harvested credentials from 100+ file paths on infected machines. The categories include AWS IAM credentials via EC2 Instance Metadata Service, GCP service account JSON files, Kubernetes service-account tokens, HashiCorp Vault tokens, npm registry tokens from ~/.npmrc, GitHub personal access tokens from the gh CLI, SSH private keys from ~/.ssh/, Docker Hub credentials, PyPI publish tokens, and cryptocurrency wallet files from ~/.bitcoin/wallet.dat and ~/.ethereum/keystore/. The payload also scraped GitHub Actions runner process memory via /proc/{PID}/mem, extracting in-memory secrets that were never written to disk or referenced in YAML configuration.
How did TeamPCP exploit GitHub Actions to publish malicious npm packages?
TeamPCP exploited the pull_request_target GitHub Actions antipattern, known as the Pwn Request pattern, which executes code from forked pull requests with repository-level permissions. The attacker opened a pull request against TanStack/router that triggered the bundle-size.yml workflow, using the PR to write a poisoned pnpm cache entry. When a legitimate production release workflow later restored the poisoned cache, the payload extracted the OIDC token from GitHub Actions runner memory via /proc/{PID}/mem, exchanged it for npm publish credentials, and published 84 malicious package versions in 6 minutes. The stolen OIDC token carried SLSA Build Level 3 provenance attestation, making the malicious packages appear legitimate to supply chain verification tools.
How do I check if my developer credentials were stolen in the TanStack attack?
Check four indicators in order. First, audit your npm install logs or package-lock.json for @tanstack/react-router or @tanstack/router-core versions installed on May 11, 2026. Second, scan your development machine for persistence artifacts: on macOS, check ~/Library/LaunchAgents/com.user.gh-token-monitor.plist; on Linux, check ~/.config/systemd/user/gh-token-monitor.service. Third, block outbound DNS to api.masscan.cloud, filev2.getsession.org, and git-tanstack.com and check historical DNS logs for queries to these domains on May 11-21. Fourth, check your GitHub token list for tokens with the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner and isolate the machine before revoking any such token.
Is @tanstack safe to use now after the supply chain attack?
Yes, as of May 12, 2026 at 23:55 UTC, all malicious versions were removed from the npm registry and the @tanstack project team published clean packages with a full postmortem. Developers should pin to the latest safe versions documented in the TanStack postmortem, run npm audit, and clear the local pnpm cache before reinstalling. The TanStack organization is evaluating invitation-only pull request policies to prevent future exploitation of the pull_request_target workflow pattern.
What should I do if my CI/CD pipeline ran npm install on May 11 during the attack window?
Treat the CI/CD runner and all secrets it had access to as fully compromised. Rotate all secrets accessible from the runner: AWS IAM credentials, GitHub deployment tokens, npm publish tokens, Kubernetes service account tokens, and Vault credentials. Audit CI/CD logs for outbound connections to api.masscan.cloud or filev2.getsession.org. Search GitHub repositories for injected workflow files named codeql_analysis.yml that differ from your legitimate CodeQL configuration. Check for commits authored by claude@users.noreply.github.com with Dune-themed branch names such as fremen, sandworm, harkonnen, atreides, or melange. Revoke runner machine credentials and re-provision the runner from a clean image.
What is the Nx Console vulnerability that led to the GitHub internal breach?
The Nx Console incident was a supply chain compromise rather than a flaw in the extension itself. Nx Console version 18.95.0 was published to the VS Code Marketplace and OpenVSX using stolen maintainer credentials obtained earlier in the TanStack campaign. The malicious version was available for 18 minutes on VS Code Marketplace and 36 minutes on OpenVSX, recording 28 and 41 downloads respectively before removal. At least one GitHub employee installed the extension, giving attackers authenticated access to 3,800 internal GitHub repositories. The extension payload stole credentials for npm, AWS, Kubernetes, GitHub, and GCP/Docker from the victim machine.
Sources & references
- BleepingComputer, GitHub links repo breach to TanStack npm supply-chain attack
- TanStack Blog, Postmortem: TanStack npm supply-chain compromise
- StepSecurity, TeamPCP Mini Shai-Hulud: Self-Spreading Supply Chain Attack Hits npm
- Grafana Labs, Security update: Latest on TanStack npm supply chain ransomware incident
- Wiz Blog, Mini Shai-Hulud Strikes Again: TanStack and 160+ npm Packages Compromised
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
