84 TanStack npm packages compromised with CI credential stealer

Published 11 May 2026. Source: Socket Security

TL;DR - 84 packages in the @tanstack namespace were modified with credential-stealing malware targeting CI systems. The attack is part of the ongoing Mini Shai-Hulud supply chain campaign. If you installed an affected version, treat all CI secrets as compromised.

What happened

Socket's Threat Research team detected a compromise across 84 npm package artifacts in the TanStack namespace. The attacker used an orphaned commit technique to gain access to the workflow run that stores the OIDC token, effectively bypassing existing publishing protections.

Malicious versions contain a newly added router_init.js file - a 2.3 MB heavily obfuscated payload using the javascript-obfuscator pattern with string-array rotation, hex-encoded identifier lookups, and control-flow flattening. The code includes spawn-based daemonization with a re-entrancy guard, detached stdio, access to GITHUB* environment variables (Actions/CI-only secrets including tokens and actor identity), temp-directory staging with read/write/unlink lifecycle, and remote streaming operations.

The compromised packages also add an optionalDependencies field in package.json pointing to a suspicious orphaned commit in the TanStack/router repository. That commit introduces only two files: a package.json and a bundled tanstack_runner.js payload. The package registers a prepare lifecycle hook that executes bun run tanstack_runner.js && exit 1 - allowing arbitrary code execution during npm install.

Impact scope

Some of the affected packages have extremely high download counts. @tanstack/react-router alone sees over 12 million downloads per week. Socket flagged every malicious version within six minutes of publication.

TanStack maintainer Tanner Linsley confirmed the attack vector: the orphaned commit technique allowed the attacker to obtain the OIDC token from the workflow run. Two-factor authentication was enabled for all team members, but the supply chain attack bypassed that control entirely.

Item               Value
Namespace          @tanstack
Affected packages  84 artifacts
Attack campaign    Mini Shai-Hulud
Malicious payload  router_init.js (2.3 MB obfuscated)
Detection time     Under 6 minutes per version

What to do now

  • Check whether you installed an affected version. Review your package-lock.json or yarn.lock for any @tanstack/* packages published in the last day. Cross-reference against the full list of affected packages.
  • Rotate all CI secrets immediately if an affected version was installed in any environment. This includes GitHub tokens, deploy keys, cloud credentials, and any secrets accessible during the build.
  • Downgrade to known-good versions. The TanStack maintainers are running unpublish scripts to remove compromised versions from npm. Clean your npm cache (npm cache clean --force) and reinstall.
  • Review CI logs for suspicious activity. Look for unexpected network connections, file access patterns, or credential usage originating from npm install jobs.
  • Monitor for follow-on attacks. Stolen OIDC tokens and CI credentials can enable lateral movement across your infrastructure.
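As an added example (not code from the article, Socket, or the TanStack project), the following Node.js script applies the first check above mechanically: it lists every @tanstack/* entry in a package-lock.json (lockfile v2/v3 "packages" map), flags entries resolved from a git commit rather than the npm registry, and inspects an installed package.json for the two indicators the article describes (an optionalDependencies entry pointing at a git commit, and a lifecycle hook that runs tanstack_runner.js or router_init.js). All versions and commit hashes in the sample data are constructed placeholders; the real affected-version list must come from Socket's advisory.

```javascript
// Added audit helper; not part of the original article or the TanStack project.
// Sample lockfile/manifest objects below are constructed for illustration.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const PAYLOAD_NAMES = ['tanstack_runner.js', 'router_init.js'];
// Dependency specs that point at a git ref instead of a registry version.
const GIT_SPEC = /^(git\+|github:|https?:\/\/github\.com\/|[^/@]+\/[^/#]+#)/i;

// The package name is everything after the last "node_modules/" in a lock key.
function packageName(lockKey) {
  const i = lockKey.lastIndexOf('node_modules/');
  return i === -1 ? lockKey : lockKey.slice(i + 'node_modules/'.length);
}

// Lists every @tanstack/* entry and flags ones resolved from a git commit
// (the orphaned-commit indicator) rather than registry.npmjs.org.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageName(key);
    if (!name.startsWith('@tanstack/')) continue;
    const resolved = entry.resolved || '';
    findings.push({ name, version: entry.version, gitResolved: /^git\+|github\.com/i.test(resolved) });
  }
  return findings; // cross-reference versions against the published affected list
}

// Flags git-pinned optionalDependencies and lifecycle hooks that run the payload files.
function auditManifest(pkg) {
  const flags = [];
  for (const [dep, spec] of Object.entries(pkg.optionalDependencies || {})) {
    if (GIT_SPEC.test(String(spec))) flags.push(`optionalDependency ${dep} -> ${spec}`);
  }
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = (pkg.scripts || {})[hook];
    if (cmd && PAYLOAD_NAMES.some((p) => cmd.includes(p))) flags.push(`${hook}: ${cmd}`);
  }
  return flags;
}

// Constructed sample input (placeholder versions and an all-zero commit hash).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'sample-app' },
  'node_modules/@tanstack/react-router': { version: '0.0.0-sample', resolved: 'https://registry.npmjs.org/@tanstack/react-router/-/react-router-0.0.0-sample.tgz' },
  'node_modules/@tanstack/router-core': { version: '0.0.0-sample', resolved: 'git+ssh://git@github.com/TanStack/router.git#0000000000000000000000000000000000000000' },
  'node_modules/left-pad-sample': { version: '0.0.0-sample' },
} };
const SAMPLE_MANIFEST = { name: '@tanstack/sample', scripts: { build: 'tsc', prepare: 'bun run tanstack_runner.js && exit 1' },
  optionalDependencies: { '@tanstack/sample-runner': 'github:TanStack/router#0000000000000000000000000000000000000000' } };

console.log(auditLockfile(SAMPLE_LOCK), auditManifest(SAMPLE_MANIFEST));
```

Run it against the real files with `JSON.parse(fs.readFileSync('package-lock.json'))` and each `node_modules/@tanstack/*/package.json`; any `gitResolved: true` entry or non-empty manifest flag list warrants the secret rotation described above.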

Mini Shai-Hulud campaign

This compromise is part of the broader Mini Shai-Hulud supply chain attack campaign that Socket has been tracking. The attacker's GitHub account contained repositories named "A Mini Shai-Hulud has Appeared", suggesting the account was taken over as part of this ongoing operation. The campaign has previously targeted other popular packages including Intercom and SAP CAP libraries.

Socket maintains a dedicated tracking page for this campaign at socket.dev/supply-chain-attacks/mini-shai-hulud.
