Executive Summary
On May 11, 2026, a critical supply chain attack targeted the TanStack open-source project via a sophisticated breach of its GitHub repository and npm package publishing pipeline. The incident, attributed to the threat group TeamPCP, exploited a chain of vulnerabilities in GitHub Actions workflows, resulting in the publication of 84 malicious versions across 42 @tanstack npm packages. The attack rapidly propagated to secondary victims, including Mistral AI, UiPath, and over 160 additional npm and PyPI packages, by harvesting credentials and self-replicating through compromised developer and CI environments. The malicious payload, embedded as router_init.js, exfiltrated sensitive credentials and established persistent, destructive mechanisms on infected systems. Immediate mitigation is required for any systems that installed affected package versions on or after May 11, 2026. All technical details, impact scope, and recommended actions are based on direct evidence from the official TanStack postmortem, Snyk technical analysis, and the Orca Security incident report (TanStack postmortem, Snyk analysis, Orca Security report).
Technical Information
The attack on TanStack leveraged a novel supply chain compromise by chaining three distinct vulnerabilities within the GitHub Actions CI/CD environment. The attacker first forked the TanStack/router repository and submitted a malicious pull request, exploiting the pull_request_target workflow to gain elevated permissions. Through GitHub Actions cache poisoning, the attacker injected a malicious pnpm store into the cache, which was later restored by a legitimate maintainer’s workflow. This cache contained binaries and scripts designed to extract OIDC (OpenID Connect) tokens directly from the runner’s process memory, a technique that bypassed the need for long-lived credentials and allowed the attacker to publish malicious npm packages using the legitimate pipeline identity (TanStack postmortem, Snyk analysis, Orca Security report).
The malicious payload, a 2.3 MB obfuscated JavaScript file named router_init.js, was smuggled into the root of each compromised tarball. This file was not declared in the package’s files field, indicating tampering outside the normal build process. Each affected package also included an injected optionalDependencies entry referencing a malicious commit in the attacker’s fork:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}
Upon installation via npm install, pnpm install, or yarn install, the payload executed during the package’s lifecycle hooks. It systematically harvested credentials from common locations, including AWS IMDS/Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, .npmrc, GitHub tokens (from environment variables, GitHub CLI, and .git-credentials), and SSH private keys. The payload deliberately skipped tokens explicitly named github_token to avoid triggering GitHub’s secret-scanning mechanisms (Snyk analysis).
Exfiltration of stolen data was performed over the Session/Oxen decentralized messenger network, utilizing domains such as filev2.getsession.org and seed{1,2,3}.getsession.org. This channel is end-to-end encrypted and does not rely on attacker-controlled command-and-control (C2) servers, making network-level blocking challenging. Additional C2 infrastructure included git-tanstack.com, api.masscan.cloud, and second-stage payloads hosted on litter.catbox.moe (Orca Security report).
The worm exhibited self-propagation by querying the npm registry for packages maintained by compromised users and republishing those packages with the same malicious injection. This mechanism enabled rapid expansion of the attack’s blast radius, affecting over 200 packages beyond the initial 84 @tanstack versions. Persistence was established by writing copies of the payload into developer tooling directories such as .claude/ and .vscode/, and by installing a destructive daemon (gh-token-monitor) as a systemd user service on Linux or a LaunchAgent plist on macOS. This daemon polled GitHub every 60 seconds and, if it detected a revoked token, executed a command to wipe the user’s home directory (rm -rf ~/). The daemon automatically exited after 24 hours, but its presence posed a severe risk to affected systems (Orca Security report).
The attack is notable for being the first documented npm supply chain compromise to carry valid SLSA (Supply-chain Levels for Software Artifacts) provenance, as the malicious packages were published from within the legitimate GitHub Actions runner using valid OIDC tokens. This undermines the reliability of provenance attestations as a sole indicator of package safety (Snyk analysis).
Affected Versions & Timeline
The attack specifically targeted the TanStack/router and TanStack/start repositories, resulting in 84 malicious versions across 42 @tanstack npm packages. Each package was affected in two consecutive versions, published between 19:20 and 19:26 UTC on May 11, 2026. The full list of affected packages and versions is available in the GitHub Security Advisory GHSA-g7cv-rxg3-hmpx and the TanStack postmortem.
Confirmed affected packages include @tanstack/react-router (versions 1.169.5, 1.169.8), @tanstack/vue-router (1.169.5, 1.169.8), @tanstack/solid-router (1.169.5, 1.169.8), @tanstack/router-core (1.169.5, 1.169.8), @tanstack/react-start (1.167.68, 1.167.71), and @tanstack/router-plugin (1.167.38, 1.167.41). The attack also propagated to secondary victims, including over 40 packages in the @uipath namespace, multiple @mistralai packages (including mistralai, mistralai-azure, and mistralai-gcp), 19 aviation data packages under @squawk, and additional packages such as guardrails-ai (PyPI) and intercom-client (Snyk analysis, Orca Security report).
The timeline of the attack is as follows:
On May 10, 2026, the attacker created a fork of the TanStack/router repository and authored a malicious commit. On May 11, 2026, the attacker opened a pull request, poisoned the GitHub Actions cache, and triggered the release workflow, resulting in the publication of malicious package versions. The attack was detected within 20 to 26 minutes by an external researcher, and maintainers deprecated the affected versions within the hour. npm security removed the malicious tarballs from the registry later that evening. By May 12, 2026, the full scope of the attack, including secondary victims, was documented and publicized (TanStack postmortem, Orca Security report).
Threat Activity
The threat actor, TeamPCP, demonstrated advanced capabilities in supply chain compromise, leveraging a unique combination of GitHub Actions workflow abuse, cache poisoning, and in-memory credential theft. The attack chain began with the exploitation of the pull_request_target workflow, which allowed the attacker to execute code with elevated permissions in the context of the base repository. By poisoning the GitHub Actions cache, the attacker ensured that their malicious payload would be restored and executed during a subsequent legitimate workflow run.
The core of the attack was the extraction of OIDC tokens from the runner’s process memory, enabling the attacker to publish malicious npm packages with valid provenance. The payload’s credential harvesting targeted a wide range of secrets, including cloud provider credentials, CI/CD tokens, and SSH keys. Exfiltration was performed over encrypted, decentralized channels, making detection and blocking difficult.
The worm’s self-propagation mechanism queried the npm registry for packages maintained by compromised users and republished those packages with the same malicious injection. This resulted in rapid, automated spread to secondary victims across the npm and PyPI ecosystems. The persistence and destructive capabilities of the gh-token-monitor daemon introduced a significant risk of data loss, as the daemon would wipe the user’s home directory if a revoked GitHub token was detected.
The attack’s sophistication is further evidenced by its use of valid SLSA provenance, the deliberate avoidance of GitHub’s secret-scanning, and the deployment of decentralized C2 infrastructure. The public release of the attack’s source code, albeit briefly, increases the risk of copycat attacks and derivative strains (Orca Security report).
Mitigation & Workarounds
Mitigation actions must be prioritized by severity:
Critical: Any system or CI runner that installed an affected package version on or after May 11, 2026, must be treated as compromised. Immediately search for and remove the persistence daemon (gh-token-monitor) before revoking any GitHub tokens. On macOS, check for ~/Library/LaunchAgents/com.user.gh-token-monitor.plist; on Linux, check for ~/.config/systemd/user/gh-token-monitor.service. Failure to remove the daemon before revoking tokens may result in the wiping of the user’s home directory (Orca Security report).
High: Audit all lockfiles, package manifests, and CI logs for references to affected package versions and the presence of the malicious optionalDependencies entry. Check for persistence files in .claude/ and .vscode/ directories, such as router_runtime.js and setup.mjs, which may survive package uninstall operations. Rotate all credentials from any affected machine or runner, including npm tokens, GitHub personal access tokens, AWS/GCP/Azure credentials, Kubernetes service account tokens, and CI/CD secrets.
Medium: Block network access to known exfiltration and C2 domains at the DNS or proxy level, including git-tanstack.com, *.getsession.org, and 83.142.209.194. Upgrade all affected packages to clean versions published after May 12, 2026, as confirmed by maintainers (TanStack postmortem).
Low: Monitor for indicators of compromise, including the presence of router_init.js, the malicious optionalDependencies entry, and any unusual network traffic to Session/Oxen domains. Review organizational policies for the use of pull_request_target workflows and GitHub Actions cache permissions to prevent similar attacks in the future.
References
TanStack official postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem Snyk technical analysis: https://snyk.io/blog/tanstack-npm-packages-compromised/ Orca Security report: https://orca.security/resources/blog/tanstack-npm-supply-chain-worm/ GitHub Security Advisory: https://github.com/advisories/GHSA-g7cv-rxg3-hmpx
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks in real time. Our platform enables continuous monitoring of open-source dependencies, CI/CD pipeline configurations, and credential exposure, supporting rapid detection and response to supply chain threats. For questions or further guidance regarding this incident or supply chain security best practices, contact us at ops@rescana.com.
