Open Source 2026-05-11 · 0 days · Credential Theft, Self Propagation

TanStack packages hit by Mini Shai-Hulud

Part of the Shai-Hulud hits npm and PyPI campaign

TeamPCP's Mini Shai-Hulud worm compromised the TanStack Router release pipeline by chaining a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning, and runtime extraction of a GitHub Actions OIDC trusted-publisher token from runner memory.

Story

The TanStack wave of the May 2026 Mini Shai-Hulud worm was unusual in that the attacker did not merely steal a registry token and push a malicious tarball by hand. According to the project's public postmortem and follow-on analysis from Aikido, StepSecurity, and JFrog, the attacker abused the project's GitHub Actions release pipeline itself — chaining a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning, and runtime extraction of trusted-publishing material from the runner while the workflow continued to look like official automation.
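The three pipeline weaknesses named above can be checked for before they are chained. The script below is an added example, not code from TanStack, Aikido, StepSecurity or JFrog: a heuristic scan of a GitHub Actions workflow file that flags a pull_request_target trigger combined with a checkout of the PR head (the "Pwn Request"), dependency installs that run lifecycle scripts, a workflow-wide id-token: write grant, and a cache written from a pull_request_target run (which lands in the base branch's cache scope, where release jobs can restore it). The two workflows it scans are constructed samples, one vulnerable and one hardened; the checks are regex-based, so treat them as triage rather than a full YAML linter.

```javascript
// Added example (not TanStack's workflow): heuristic audit of a release workflow
// for the pull_request_target / cache / OIDC-scope weaknesses discussed in the text.
// Both workflow texts are constructed samples.

const VULNERABLE_WORKFLOW = `
name: release
on:
  push:
    branches: [main]
  pull_request_target:
permissions:
  contents: write
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci
      - run: npm test
  publish:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --provenance
`;

const HARDENED_WORKFLOW = `
name: release
on:
  push:
    branches: [main]
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: npm ci --ignore-scripts
      - run: npm test
  publish:
    if: github.event_name == 'push'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance
`;

function auditWorkflow(yamlText) {
  const findings = [];
  const usesPrTarget =
    /^\s*pull_request_target\s*:/m.test(yamlText) ||
    /^\s*on:\s*\[[^\]]*\bpull_request_target\b/m.test(yamlText);

  // 1. pull_request_target runs with the base repo's token and secrets; checking out
  //    the PR head and executing it hands both to whoever opened the PR.
  const checksOutPrHead =
    /ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}/.test(yamlText);
  if (usesPrTarget && checksOutPrHead) findings.push('PWN_REQUEST_CHECKOUT');

  // 2. An install without --ignore-scripts runs every dependency's lifecycle hooks
  //    (prepare, postinstall, ...), which is how the optional-dependency payload fired.
  const installLines =
    yamlText.match(/^\s*-?\s*run:\s*(npm|pnpm|yarn|bun)\s+(ci|install|i)\b[^\n]*/gm) || [];
  if (installLines.some((l) => !/--ignore-scripts/.test(l))) {
    findings.push('INSTALL_RUNS_LIFECYCLE_SCRIPTS');
  }

  // 3. A workflow-wide id-token: write lets every job, including one executing untrusted
  //    code, request the OIDC token used for trusted publishing. Scope it to the publish job.
  const topPerms = yamlText.match(/^permissions:\s*\n((?:[ \t]+[^\n]*\n)*)/m);
  if (topPerms && /^\s*id-token:\s*write/m.test(topPerms[1])) findings.push('WORKFLOW_WIDE_ID_TOKEN');

  // 4. A cache saved by a pull_request_target run is keyed to the base branch, so a release
  //    job restoring that key can pick up content chosen by the PR author.
  const usesCache = /actions\/cache@|^\s*cache:\s*(npm|pnpm|yarn)/m.test(yamlText);
  if (usesPrTarget && usesCache) findings.push('CACHE_WRITABLE_FROM_PR_TARGET');

  return findings;
}

function auditBoth() {
  return { vulnerable: auditWorkflow(VULNERABLE_WORKFLOW), hardened: auditWorkflow(HARDENED_WORKFLOW) };
}

console.log(JSON.stringify(auditBoth(), null, 2));
```

The hardened sample switches the trigger to pull_request (fork PRs then get a read-only token and no secrets), installs with --ignore-scripts, and grants id-token: write only to a publish job that runs on push, so no job that executes contributor code ever holds trusted-publishing material.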

TanStack is a popular family of headless TypeScript libraries that includes React Query, the TanStack Router, and TanStack Start. According to Aikido, the malicious npm packages carried a new root-level payload file named router_init.js and added an optional dependency on a @tanstack/setup package sourced directly from a GitHub commit in the TanStack router repository. That dependency had a prepare script that ran a tanstack_runner.js payload with the Bun JavaScript runtime, then exited with a non-zero status. Because the dependency was marked optional, the visible install failure looked like routine noise — but the code had already executed.
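The manifest-level signs described in that paragraph (a new root-level .js file, an optional dependency resolved from a git commit rather than the registry, and a lifecycle hook that launches a runtime) can be checked before install. The following is an added example, not Aikido's or TanStack's code: a scanner over a parsed package.json plus the tarball file list. The package names, versions and the commit id in the samples are constructed placeholders; only the indicator strings router_init.js, tanstack_runner.js, bun and @tanstack/setup come from the report above.

```javascript
// Added example (not the project's or Aikido's tooling): flag manifest-level indicators
// of the optional-git-dependency + lifecycle-hook pattern before a package is installed.

const GIT_SPEC = /^(git\+|github:|gitlab:|bitbucket:|https?:\/\/github\.com\/)/;
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];
const RUNTIMES = /\b(bun|node|deno|curl|wget|sh|bash|powershell)\b/;

// pkg: parsed package.json; tarballFiles: entries as listed by `npm pack --dry-run`;
// knownRootFiles: root-level files the previous good version shipped.
function scanManifest(pkg, tarballFiles, knownRootFiles) {
  const findings = [];

  // Lifecycle hooks execute at install time, before any test or review runs.
  for (const hook of LIFECYCLE) {
    const cmd = pkg.scripts && pkg.scripts[hook];
    if (cmd && RUNTIMES.test(cmd)) findings.push(`lifecycle:${hook}:${cmd}`);
  }

  // A dependency resolved from a git commit bypasses the registry (no provenance, no
  // registry-side scanning). Under optionalDependencies a failing install is tolerated,
  // so the non-zero exit looks like noise even though the hook has already run.
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (GIT_SPEC.test(spec)) findings.push(`gitdep:${field}:${name}:${spec}`);
    }
  }

  // A .js file at the tarball root that earlier versions never shipped.
  for (const f of tarballFiles) {
    const rel = f.replace(/^package\//, '');
    if (!rel.includes('/') && rel.endsWith('.js') && !knownRootFiles.has(rel)) {
      findings.push(`newrootfile:${rel}`);
    }
  }
  return findings;
}

// Constructed samples. Names and versions are hypothetical; the commit id is a placeholder.
const SUSPECT_PUBLISHED_PKG = {
  name: '@example/router-core',
  version: '1.2.3',
  main: 'dist/index.js',
  optionalDependencies: {
    '@tanstack/setup': 'github:TanStack/router#0000000000000000000000000000000000000000',
  },
};
const SUSPECT_PUBLISHED_FILES = ['package/package.json', 'package/dist/index.js', 'package/router_init.js'];

const SUSPECT_GIT_DEP_PKG = {
  name: '@tanstack/setup',
  version: '0.0.1',
  scripts: { prepare: 'bun tanstack_runner.js' },
};
const SUSPECT_GIT_DEP_FILES = ['package/package.json', 'package/tanstack_runner.js'];

const CLEAN_PKG = {
  name: '@example/router-core',
  version: '1.2.2',
  main: 'dist/index.js',
  dependencies: { '@example/history': '^1.0.0' },
  scripts: { build: 'tsc' },
};
const CLEAN_FILES = ['package/package.json', 'package/dist/index.js'];

function runScan() {
  const known = new Set(['package.json', 'README.md', 'LICENSE']);
  return {
    published: scanManifest(SUSPECT_PUBLISHED_PKG, SUSPECT_PUBLISHED_FILES, known),
    gitDep: scanManifest(SUSPECT_GIT_DEP_PKG, SUSPECT_GIT_DEP_FILES, known),
    clean: scanManifest(CLEAN_PKG, CLEAN_FILES, known),
  };
}

console.log(JSON.stringify(runScan(), null, 2));
```

The file list for a real package comes from npm pack --dry-run on the downloaded tarball; to keep a prepare hook from running at all while you triage, install with npm ci --ignore-scripts. A git-sourced optional dependency is not malicious on its own, but in a package that previously pulled everything from the registry it is the one change worth stopping on.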

The payload was built for developer workstations and CI/CD runners, Aikido said. It searched for GitHub and npm tokens, GitHub Actions OIDC material, AWS credentials and metadata endpoints, Kubernetes service account files, HashiCorp Vault tokens, environment variables, local filesystem secrets, and SSH material. Exfiltration and staging followed the broader Mini Shai-Hulud pattern, including the use of Session/Oxen infrastructure and GitHub-centered propagation logic.

Researchers said TanStack is worth recording separately because its package scope and release-pipeline evidence are unusually well documented. Aikido counted 83 TanStack package-version entries within a broader May 2026 wave that hit 373 malicious package-version entries across 169 npm package names. This record preserves the TanStack artifacts, while the campaign record at [[shai-hulud-here-we-go-again]] carries the shifting cross-ecosystem count.

Affected Artifacts

Incident Context

Motive: Credential Theft
Attribution: Group
Cause: CI/CD Exploit
Transitive: Yes
Actor: Advanced Persistent Threat

Indicators

Notes

  • Aikido reported 83 TanStack package-version entries in the May 12 article. The artifact list here is retained from the TanStack/GitHub/StepSecurity/JFrog record set because package counts shifted while malicious releases were removed and newly identified.

External References

Source record: oss/attacks/tanstack-router/meta.yaml