Security researchers have uncovered a supply-chain attack on npm targeting developers who mistakenly install the unscoped tanstack package instead of official scoped libraries like @tanstack/query. On April 29, 2026, an attacker published four rapid-fire versions of the tanstack package—versions 2.0.4 through 2.0.7—engineered to exfiltrate sensitive environment files the moment a developer runs npm install.
While the real TanStack organization maintains some of the most popular tools in the JavaScript ecosystem with millions of weekly downloads, this malicious actor simply “grabbed the unscoped name, dressed it up convincingly, and waited”.
Between 17:08 and 17:35 UTC, the attacker used the public npm registry as a live testing ground, iterating on their payload through four distinct releases. Each version refined the attack’s stealth and scope:
- v2.0.4: The initial strike, targeting .env and .env.local. The files were sent on every install, with no “opt-out” mechanism.
- v2.0.5: A brief detour targeting non-sensitive files like README.md, likely to test if the exfiltration relay was working.
- v2.0.6 (The Most Dangerous): The attacker implemented a broad directory sweep to catch every variation of environment files, including .env.production and .env.staging.
- v2.0.7: A final version that reverted to specific file targeting while keeping console output suppressed for maximum stealth.
As Aikido researchers noted, “What you’re watching in this version history is live debugging. The attacker adjusted their targeting, tested their receiver, and optimized for stealth, all while the package was publicly available and installable”.
The payload is a straightforward postinstall.cjs script. It runs through npm’s postinstall lifecycle hook, so merely installing the package is enough to trigger it; the developer never has to import or call anything. Instead of sending stolen data to a suspicious, unknown domain, the attacker routed the information through a legitimate third-party service: Svix. By using Svix as an exfiltration relay, the attacker could effectively “dodge network-level blocking”: the traffic appeared as standard outbound HTTPS requests to a trusted webhook service, the kind of destination that egress allowlists and reputation-based filters rarely flag.
The script disguised the stolen data using misleading JSON field names like readme and agents, which actually contained the full contents of a developer’s .env files.
If you or your CI/CD pipeline installed versions 2.0.4, 2.0.5, 2.0.6, or 2.0.7 of the unscoped tanstack package, assume your secrets have already been sent. Because this is a one-shot data exfiltration rather than a persistent malware infection, simply deleting the package is not enough: every credential it captured remains valid in the attacker’s hands until you rotate it.
Immediate Actions Required:
- Check: Inspect your package-lock.json or node_modules for the affected versions of the unscoped tanstack package. Entries under the @tanstack scope (for example @tanstack/query-core) are the legitimate packages and are not affected.
- Revoke: Immediately revoke all tokens found in your environment files, prioritizing AWS, GitHub, and npm publish tokens.
- Audit: Review CloudTrail or GitHub audit logs for any unauthorized API calls made using your credentials.
- Network Logs: Look for outbound traffic to api.svix.com around the time of installation to confirm exfiltration. Svix is a legitimate service that your own applications may use, so correlate any hits with the install timestamp and the host or CI runner that ran npm install rather than treating every request to Svix as malicious.
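The first and last of these steps can be scripted. The following is an added example written for this article, not code from the article, from Aikido, or from the TanStack project. It scans a package-lock.json for the affected versions of the bare package name only (so the @tanstack scope never matches), handling both the lockfileVersion 2/3 “packages” map and the older nested “dependencies” tree, and then looks for requests to api.svix.com within a window around the install time. The lockfile and the egress log lines are constructed for the demo, and the single-line “timestamp client host status” log format is an assumption; adapt the parser to whatever your proxy or firewall actually emits.

```javascript
// Added example (not the article's or Aikido's code): check a package-lock.json
// for the malicious unscoped "tanstack" versions and look for the Svix
// exfiltration relay in outbound proxy logs. The lockfile and log lines below
// are constructed for the demo; the log line format is an assumption.
const AFFECTED_VERSIONS = new Set(["2.0.4", "2.0.5", "2.0.6", "2.0.7"]);
const UNSCOPED_NAME = "tanstack";
const EXFIL_HOST = "api.svix.com";

// Walk a parsed package-lock.json. lockfileVersion 2/3 list every installed
// package under "packages" keyed by install path; lockfileVersion 1 (and v2,
// for compatibility) use a nested "dependencies" tree. Hits are keyed by
// install path so a v2 lockfile carrying both shapes reports each once.
function findAffected(lock) {
  const hits = new Map();
  const record = (path, version) => {
    if (AFFECTED_VERSIONS.has(version)) hits.set(path, { path, version });
  };

  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Only the bare unscoped name counts: "node_modules/@tanstack/query-core"
    // is the legitimate scoped package and must not match.
    if (/(^|\/)node_modules\/tanstack$/.test(path)) record(path, meta.version);
  }

  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === UNSCOPED_NAME) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");

  return [...hits.values()];
}

// Same check on raw lockfile text, as read from disk in a real run.
function findAffectedInLockText(text) {
  return findAffected(JSON.parse(text));
}

// Egress log lines in a constructed "<ISO timestamp> <client> <host> <status>"
// shape. Legitimate Svix traffic exists, so the check keys on proximity to the
// install time rather than on the destination host alone.
function svixRequestsNear(logLines, installTime, windowMinutes = 10) {
  const t0 = Date.parse(installTime);
  const windowMs = windowMinutes * 60 * 1000;
  const out = [];
  for (const line of logLines) {
    const [ts, client, host, status] = line.trim().split(/\s+/);
    if (host !== EXFIL_HOST) continue;
    const delta = Date.parse(ts) - t0;
    if (Number.isNaN(delta) || Math.abs(delta) > windowMs) continue;
    out.push({ ts, client, host, status: Number(status) });
  }
  return out;
}

// Constructed sample lockfile (v3): the typo-squatted package sits next to
// the real scoped ones, which must come back clean.
const SAMPLE_LOCK_TEXT = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/tanstack": { version: "2.0.6" },
    "node_modules/@tanstack/react-query": { version: "5.59.0" },
    "node_modules/@tanstack/query-core": { version: "5.59.0" },
  },
});

// Constructed egress log: an npm registry fetch, the suspect Svix request
// seconds later, and an unrelated Svix call from the day before.
const SAMPLE_LOG_LINES = [
  "2026-04-29T17:19:55Z 10.0.3.14 registry.npmjs.org 200",
  "2026-04-29T17:20:11Z 10.0.3.14 api.svix.com 202",
  "2026-04-28T09:02:40Z 10.0.7.2 api.svix.com 202",
];

console.log("affected packages:", findAffectedInLockText(SAMPLE_LOCK_TEXT));
console.log(
  "svix requests near install:",
  svixRequestsNear(SAMPLE_LOG_LINES, "2026-04-29T17:20:00Z")
);
```

Run it with Node against your own lockfile by replacing SAMPLE_LOCK_TEXT with the file contents and feeding the real log lines to svixRequestsNear with the timestamp from your CI run. A hit in the first check means the second check is confirmation, not a precondition for revoking tokens: rotate first, then investigate. Independently of this incident, npm runs lifecycle scripts such as postinstall by default; npm’s --ignore-scripts flag disables them, which blocks this class of payload at the cost of breaking the minority of legitimate packages that rely on install-time scripts.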