Cyber Incident Victim: TanStack
Date:
May 2026
Location:
—
Summary
A supply‑chain malware campaign dubbed Mini Shai‑Hulud infected hundreds of open‑source packages, including TanStack’s React Router library, which records over twelve million weekly downloads. Attackers used an orphaned commit to hijack GitHub Actions workflows, delivering a concealed dependency that fetched an obfuscated payload executed by the Bun runtime to harvest cloud credentials, SSH keys and secret files from developer machines. The malware persisted by embedding itself in Visual Studio Code and Claude configuration directories, exfiltrated stolen data via the Session messaging app, and attempted to spread by publishing copies as commits spoofed from the Anthropic Claude bot. Researchers attributed the operation to the cloud‑focused group TeamPCP, noting that while the packages were removed from registries and no registry passwords were proven stolen, the malware had not been observed to spread widely.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 3 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Mini Shai‑Hulud supply‑chain attack began when threat actors pushed an orphaned commit to a fork of a repository used by TanStack’s React Router project, exploiting overly permissive GitHub Actions workflows to trigger an automated release process. This allowed the attackers to insert a concealed dependency that fetched a heavily obfuscated 2.3‑megabyte payload masquerading as an initialization module. Once executed, the payload leveraged the Bun JavaScript runtime to systematically harvest security keys, passwords, SSH files and cloud service credentials from the developer’s local environment, targeting AWS, Google Cloud Platform, Kubernetes and HashiCorp Vault. The malware then propagated itself as a self‑replicating worm, publishing copies to other projects while spoofing its activity as automated commits originating from the Anthropic Claude bot, and it generated a new registry token containing a ransom note that threatened a destructive wipe if the victim attempted to revoke the compromised access. To maintain persistence, the malicious code embedded itself in the configuration files of widely used developer tools such as Visual Studio Code and Anthropic’s Claude Code, ensuring execution whenever a project was opened or an AI coding session started. Stored data was exfiltrated via the Session messaging app, which disguises the traffic as ordinary encrypted chat on a decentralized network, thereby avoiding traditional command‑and‑control detection mechanisms.

The compromised versions of TanStack’s React Router package, which records more than twelve million weekly downloads, were distributed alongside hundreds of other open‑source libraries including UiPath and MistralAI, amplifying the reach of the intrusion into enterprise build pipelines and developer workstations. Although TanStack’s security team confirmed that all malicious versions were removed from the registry and stated there was no evidence that registry passwords had been stolen, the incident prompted experts to advise anyone who had downloaded the affected tools on the day of the release to change all associated cloud, server and developer credentials, including those for Amazon Web Services, Google Cloud and GitHub. Researchers attributed the campaign to TeamPCP, a cloud‑focused cybercriminal group that emerged in late 2025 and has previously been linked to the original Shai Hulud malware, noting the group’s expertise in automating supply‑chain attacks, manipulating Docker and Kubernetes environments, concealing stolen data as anonymous messaging traffic and employing extortion tactics that threaten system erasure. The attackers succeeded in bypassing two‑factor authentication and attaching cryptographically valid provenance signatures to the tainted packages, which verified the packages’ origin from legitimate continuous integration pipelines while failing to detect that those pipelines themselves had been subverted to authorize the malicious code. Security observers reported that the malware exhibited very limited community spread and had not been observed propagating widely beyond the initial compromised versions.
In response, TanStack publicly announced that its security teams had pulled all compromised software versions from the package registry and continued to monitor for any residual artifacts. The company’s statement emphasized that the incident underscored a systemic vulnerability in automated software publishing, where verification of provenance does not guarantee the integrity of the code itself. While no centralized kill switch exists for this class of attack, the response focused on remediation of the affected package versions and credential rotation for potentially impacted environments. Researchers noted that the attack’s stealth relied on exploiting trusted developer tooling directories and session‑based exfiltration, highlighting the challenge of detecting malicious code that rides the trust placed in widely used open‑source dependencies. The narrative of the incident remains confined to the facts presented in the source material, with no further speculation or advisory content added.
