TanStack npm supply chain poisoned

tanstack.com

Postmortem: TanStack npm supply-chain compromise | TanStack Blog

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on...

> Between 19:20 and 19:26 UTC on 2026-05-11, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining the following: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork<->base trust boundary, and extraction of OIDC tokens from the runtime memory of the GitHub Actions runner process. No npm tokens were stolen, and the npm publish workflow itself was not compromised.
>
> ashishkurmi, an external researcher working for stepsecurity, publicly detected the malicious versions within 20 minutes. All affected versions have been deprecated; npm security has begun removing the tarballs from the registry. We have no evidence that npm credentials were stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate the AWS, GCP, Kubernetes, Vault, GitHub, npm and SSH credentials reachable from the installing host.
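The three conditions the postmortem chains together (a pull_request_target job that runs fork-controlled code with the base repository's privileges, a dependency cache saved from that job into the base branch's cache scope, and an OIDC-capable token available to that job) are all visible in a workflow file, so a repository owner can audit for them before merging CI changes. The following is an added example, not code from TanStack or from any of the articles linked on this page: a heuristic, line-oriented Python check that flags those conditions, run over two constructed sample workflows (a weak one and a hardened one). The regexes, the finding texts and both sample workflows are assumptions made for illustration and are not TanStack's actual CI configuration.

```python
import re

# Heuristic, line-oriented checks (not a full YAML parser) for the anti-patterns
# named in the postmortem. The sample workflows at the bottom are constructed.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
CHECKOUT = re.compile(r"uses:\s*actions/checkout@")
CACHE = re.compile(r"uses:\s*actions/cache@|^\s*cache:\s*['\"]?(npm|pnpm|yarn)", re.M)
ID_TOKEN = re.compile(r"id-token:\s*write")
STEP_START = re.compile(r"^\s*-\s*(name|uses|run):")


def _step_blocks(text: str) -> list[str]:
    """Group workflow lines into step blocks; each '- name:/- uses:/- run:' line starts one."""
    blocks: list[list[str]] = []
    for line in text.splitlines():
        if STEP_START.match(line):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    return ["\n".join(b) for b in blocks]


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means no check fired."""
    findings: list[str] = []
    if not re.search(r"\bpull_request_target\b", text):
        # A plain pull_request run of fork code gets no secrets and a read-only token,
        # so the privilege boundary the postmortem describes does not exist there.
        return findings
    steps = _step_blocks(text)
    pwn = any(CHECKOUT.search(s) and HEAD_REF.search(s) for s in steps)
    if pwn:
        findings.append("Pwn Request: pull_request_target workflow checks out the fork head "
                        "and runs it with the base repository's token and secrets")
        if any(CACHE.search(s) for s in steps):
            findings.append("cache poisoning: fork-controlled code runs while the job can save "
                            "into the base branch's cache scope, which privileged jobs restore")
    top_level = text.split("\njobs:", 1)[0]  # permissions declared above 'jobs:' apply to every job
    if ID_TOKEN.search(top_level):
        findings.append("id-token: write is granted workflow-wide; scope it to the release job "
                        "so PR-triggered jobs cannot mint an OIDC token")
    return findings


# Constructed sample: the weak shape (assumption for illustration, not TanStack's CI).
VULNERABLE_WORKFLOW = """
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci && npm test
"""

# Constructed sample: the hardened shape. Fork code runs under pull_request (no secrets,
# read-only token) and no OIDC permission is granted to PR-triggered jobs.
HARDENED_WORKFLOW = """
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci && npm test
"""

if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or ["no findings"])
```

The check is deliberately coarse: it matches text, not YAML structure, so it can miss a checkout whose `ref` is built indirectly and will flag any `pull_request_target` workflow that references the fork head. The cache finding is only raised together with the Pwn Request finding, because a cache saved by a job that never ran fork-controlled code is not poisoned by that PR. Anything that needs `id-token: write` belongs in a separate release workflow that fork pull requests cannot trigger.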

Cyber Security News – 12 May 26

84 TanStack npm Packages Hacked in Ongoing Supply-Chain Attack Targeting CI...

A significant supply-chain compromise affecting 84 npm package artifacts across the TanStack namespace.


Snyk – 11 May 26

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token...

Socket

TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud...

Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.

3 posts - 2 participants


Source: LinuxDo latest topics