The software supply chain has just weathered another high-impact assault. The Socket Threat Research team has uncovered a significant compromise affecting 84 npm package artifacts within the popular tanstack namespace.
With some of the affected packages, such as @tanstack/react-router, boasting over 12 million weekly downloads, the reach of this incident is vast, impacting developers and CI/CD pipelines across the global npm ecosystem.
The compromise involves the injection of a sophisticated, heavily obfuscated credential stealer. Attackers modified the legitimate packages to include a new, ~2.3 MB file named router_init.js.
According to the research team:
“The file has spawn-based daemonization with a _DAEMONIZED re-entrancy guard and detached stdio; access to GITHUB* environment variables (Actions/CI-only secrets, including tokens and actor identity); temp-directory staging with read/write/unlink lifecycle; and remote streaming/dispatch operations.”
The injected code bears the hallmarks of the javascript-obfuscator tool, hex-encoded identifier lookups and control-flow flattening in particular, which sets it apart from ordinary minified code and hinders both manual review and signature-based detection.
The attackers didn’t just stop at code injection; they ensured the malware would execute automatically during the standard installation process.
The malicious versions were updated with a new optionalDependencies field in their package.json, pointing to a GitHub-hosted repository rather than to a registry version. This repository contains a standalone package with a prepare lifecycle hook. An optional dependency is fetched by default, and a failure to install it does not fail the parent install, so the extra entry draws little attention.
As the Socket report highlights:
“Because npm automatically executes lifecycle hooks for Git-based dependencies during installation, any downstream installation of the modified package will automatically execute tanstack_runner.js on the next victim machine or CI runner.”
The techniques observed in this TanStack incident, specifically the use of GitHub-hosted dependencies, malicious lifecycle hooks, and the targeting of CI/CD secrets, closely mirror recent high-profile supply chain attacks, including the Intercom and SAP CAP incidents.
The primary goal appears to be the systematic harvesting of GITHUB* environment variables, which often contain sensitive tokens and actor identities essential for secure automated deployments.
Any developer or organization that pulled updates for TanStack packages during the window of compromise must act immediately. Recommended steps include:
- Audit Dependencies: Check package.json for dependency entries that point at a Git or GitHub URL rather than a registry version, and package-lock.json or yarn.lock for packages resolved from a git+ URL, in particular any reference to the @tanstack/setup dependency or to GitHub commits under the TanStack namespace. Run the inspection with lifecycle scripts disabled (npm ci --ignore-scripts) so that a prepare hook cannot fire while you look.
- Rotate Secrets: If a compromised version was installed on a developer machine or CI runner, treat every credential that environment could read as exposed: rotate all GitHub Actions secrets, personal access tokens (PATs), and any other credentials accessible within your CI/CD environment, and revoke the old values rather than only issuing new ones.
- Rebuild Clean: Purge local and CI package caches (node_modules and the npm cache included), then reinstall from a lockfile in which every entry resolves to the npm registry, and keep that lockfile committed so CI installs exactly what was reviewed.
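The script below is an added example, not code from the Socket report or from the TanStack project. It covers both the mechanism described above and the audit step: it scans a package.json for dependency specs that npm would fetch from Git (the shape of the injected optionalDependencies field) and a package-lock.json for entries whose resolved URL is a git clone, which is how a Git-hosted package with a prepare hook shows up after installation. The sample manifests are constructed; "example-org/example-repo" and the commit hash are placeholders, and the @tanstack/setup entry stands in for the indicator named above rather than pointing at the real repository. The registry URL is configurable for teams using a mirror.

```javascript
// Added example, not code from the Socket report or the TanStack project.
// Scans a package.json and a package-lock.json for dependencies that npm
// would fetch from Git (cloning and running the package's own lifecycle
// scripts) instead of from the registry. All sample data is constructed.

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// npm treats these spec shapes as Git dependencies: git+ URLs, host shorthands
// (github:, gitlab:, bitbucket:, gist:), plain GitHub/GitLab/Bitbucket URLs and
// the bare "owner/repo[#ref]" shorthand. Semver ranges, dist-tags, "npm:"
// aliases and "file:" paths do not match.
function isGitSpec(spec) {
  if (typeof spec !== "string") return false;
  const s = spec.trim();
  return /^(git\+[a-z]+|git|ssh):\/\//i.test(s)
    || /^(github|gitlab|bitbucket|gist):/i.test(s)
    || /^https?:\/\/(www\.)?(github\.com|gitlab\.com|bitbucket\.org)\//i.test(s)
    || /^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/.test(s);
}

// Flag every dependency field whose spec points at Git. The injected field in
// the report was optionalDependencies; npm installs those by default, and a
// failure to install one does not fail the parent install.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isGitSpec(spec)) findings.push({ where: `package.json:${field}`, name, spec, reason: "git-spec" });
    }
  }
  return findings;
}

// Lockfile entries for Git dependencies carry a "resolved" value such as
// git+ssh://git@github.com/owner/repo.git#<commit>. Anything else not served
// by the configured registry is reported as well.
function isGitResolved(resolved) {
  return typeof resolved === "string" && /^(git\+[a-z]+|git|ssh):\/\//i.test(resolved);
}

function auditLockfile(lock, registry = "https://registry.npmjs.org/") {
  const findings = [];
  const check = (path, entry) => {
    if (path === "" || !entry || typeof entry !== "object") return; // "" is the root project
    const name = entry.name || path.replace(/^.*node_modules\//, "");
    const resolved = entry.resolved;
    // npm sets hasInstallScript when a package declares preinstall/install/
    // postinstall; a prepare hook is not reflected in the lockfile.
    const base = { where: `package-lock.json:${path}`, name, resolved, hasInstallScript: !!entry.hasInstallScript };
    if (isGitResolved(resolved)) findings.push({ ...base, reason: "git-resolved" });
    else if (typeof resolved === "string" && !resolved.startsWith(registry)) findings.push({ ...base, reason: "non-registry-resolved" });
  };
  if (lock.lockfileVersion >= 2 && lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) check(path, entry);
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        check(path, entry);
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return findings;
}

function audit(packageJsonText, lockText) {
  return [...auditManifest(JSON.parse(packageJsonText)), ...auditLockfile(JSON.parse(lockText))];
}

// Constructed victim manifest. The optionalDependencies entry mimics the shape
// of the injected field; "example-org/example-repo" is a placeholder.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-app",
  dependencies: { "@tanstack/react-router": "^1.0.0", react: "^18.2.0" },
  optionalDependencies: { "@tanstack/setup": "github:example-org/example-repo#main" },
});

// Constructed lockfileVersion 3 lockfile for the manifest above. The Git
// dependency resolves to a clone URL pinned to a fake commit hash.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/react": { version: "18.2.0", resolved: "https://registry.npmjs.org/react/-/react-18.2.0.tgz" },
    "node_modules/@tanstack/react-router": { version: "1.0.0", resolved: "https://registry.npmjs.org/@tanstack/react-router/-/react-router-1.0.0.tgz" },
    "node_modules/@tanstack/setup": {
      version: "1.0.0",
      resolved: "git+ssh://git@github.com/example-org/example-repo.git#0123456789abcdef0123456789abcdef01234567",
      hasInstallScript: true,
    },
  },
});

for (const f of audit(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK)) {
  console.log(`${f.reason}\t${f.where}\t${f.name}\t${f.spec || f.resolved}`);
}
```

Run it against a real project by replacing the two sample strings with the contents of package.json and package-lock.json; any "git-resolved" or "git-spec" line deserves a look, and for the TanStack case the name column can be filtered to the @tanstack/ prefix. Because a Git dependency is installed from a clone, its prepare script runs on the installing machine, so do the inspection with scripts disabled.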