Mini Shai-Hulud Supply Chain Attack: @tanstack/react-router npm Packages Compromised

TeamPCP's Mini Shai-Hulud campaign published 84 malicious versions across 42 @tanstack npm packages on May 11 2026, including @tanstack/react-router. The self-propagating worm stole credentials via OIDC memory extraction, poisoned GitHub Actions caches, and carried valid SLSA Build Level 3 provenance. Here is the full technical breakdown.

What Happened

On May 11, 2026, between 19:20 and 19:26 UTC, threat actor group TeamPCP published 84 malicious versions across 42 @tanstack packages on npm — including @tanstack/react-router, one of the most widely used routing libraries in the React ecosystem with over 13 million weekly downloads. The attack, dubbed Mini Shai-Hulud, was detected roughly 20 minutes later by researcher ashishkurmi from StepSecurity. The TanStack team moved quickly to revoke push permissions and deprecate all affected versions.

This is not an isolated incident. TeamPCP previously compromised Aqua Security’s Trivy scanner in March 2026 and the Bitwarden CLI npm package in April 2026. Mini Shai-Hulud is a coordinated, multi-month supply chain campaign — and the tanstack attack is its largest strike yet.

Affected Packages and Versions

The following @tanstack/react-router versions are confirmed malicious:

@tanstack/react-router  1.169.5
@tanstack/react-router  1.169.8Code language: CSS (css)

The broader campaign spans 42 @tanstack packages and 169 npm packages total across TanStack, UiPath, Squawk, and Mistral AI — 373 malicious package-version entries in total. The safe @tanstack families (not affected) include: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store.

How the Attack Works: Three-Stage Chain

Stage 1 — Pwn Request (Pull Request Target Misconfiguration)

The attacker opened a pull request that exploited a pull_request_target workflow misconfiguration in bundle-size.yml. This GitHub Actions pattern allows fork-controlled code to run in the base repository’s security context — giving the attacker access to secrets and CI/CD credentials without any elevated permissions on the repository itself.

Stage 2 — GitHub Actions Cache Poisoning

Once inside the base repo’s context, the attacker injected a 1.1 GB malicious pnpm package store cache entry. GitHub Actions caches are scoped per-repository and shared across pull_request_target runs — meaning the poisoned cache persisted and was later consumed by the legitimate release pipeline when it ran on the main branch. The malicious cache went undetected for approximately 8 hours.

Cache key: Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11

Stage 3 — OIDC Token Memory Extraction

During the build phase, the malicious code read the GitHub Actions OIDC token directly from runner memory via /proc/{pid}/mem — targeting the Runner.Worker process and matching JSON objects of the form {"value":"...","isSecret":true}. This technique was previously documented in the March 2025 tj-actions compromise. The stolen OIDC token granted direct authentication to the npm registry, enabling the attacker to publish packages as the legitimate TanStack team.

The Malicious Payload

The attack deployed two primary files:

  • router_init.js (~2.3 MB, three layers of obfuscation) — SHA-256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
  • tanstack_runner.js — distributed as a malicious optionalDependencies entry pointing to attacker-controlled GitHub commit 79ac49ee via @tanstack/setup, executed via the prepare lifecycle hook on install.

The payload harvested credentials from 100+ file paths, including:

  • GitHub tokens, SSH keys, npm auth tokens
  • AWS credentials and EC2 instance metadata
  • Google Cloud and Kubernetes service account files
  • HashiCorp Vault tokens
  • Cryptocurrency wallet configs
  • AI tool configs including Claude Code session histories and API keys
  • .env files across the filesystem

Stolen data was exfiltrated via the Session P2P encrypted messaging network and GitHub GraphQL API “dead-drops” for C2 communication.

Why This Attack Is Historically Significant

Mini Shai-Hulud represents several firsts in npm supply chain attacks:

  • First self-propagating npm worm: After stealing GitHub and npm tokens, the malware automatically enumerates all packages the victim maintains, injects the malicious @tanstack/setup dependency, bumps version numbers, and publishes new compromised versions under the victim’s account — spreading autonomously.
  • Valid SLSA Build Level 3 provenance: Because the attack hijacked the legitimate CI/CD pipeline, the malicious packages carry valid SLSA provenance attestations. This proves that provenance verification alone cannot guarantee supply chain safety if CI/CD workflows are compromised.
  • Deadman’s switch: npm tokens were created with the description IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner — and the malware backs this threat up with a credential-linked persistence hook that destroys the home directory if the token is revoked.

Indicators of Compromise (IOCs)

File Artifacts

router_init.js   SHA-256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
tanstack_runner.js
Suspicious optionalDependencies → github:tanstack/router#79ac49eeCode language: PHP (php)

Network IOCs

filev2.getsession.org
seed1.getsession.org
seed2.getsession.org
seed3.getsession.org
api.masscan.cloud
Pattern: ***.getsession[.]orgCode language: CSS (css)

GitHub Artifacts

Commits authored by: claude@users.noreply.github.com
GitHub accounts: voicproducoes (created March 2026), zblgg
C2 beacon tokens: thebeautifulmarchoftime, thebeautifulsandsoftime
Malicious npm token description: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwnerCode language: CSS (css)

Remediation Steps

Critical: Disable the deadman’s switch BEFORE rotating any credentials — revoking tokens while the persistence hook is active will trigger home directory destruction.

  1. Audit ~/.claude/ and ~/.vscode/ for malicious hooks and remove them
  2. Remove any systemd services or LaunchAgents added by the malware
  3. Rotate credentials in order: npm tokens → GitHub PATs → AWS → GCP → Kubernetes → Vault → SSH keys
  4. Block *.getsession.org and api.masscan.cloud at DNS level
  5. Search all lockfiles (package-lock.json, pnpm-lock.yaml) for affected @tanstack namespaces
  6. Audit recent publish activity across all npm packages you maintain
  7. Review all commits authored by [email protected] in your repos
  8. Pin OIDC configurations to specific workflows and branches
  9. Implement a 7+ day release-age cooldown before deploying new dependencies to production

CVE Reference

CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx

Conclusion

The Mini Shai-Hulud campaign targeting @tanstack/react-router is a watershed moment for open source supply chain security. It demonstrates that even projects with rigorous CI/CD pipelines, two-factor authentication, and SLSA provenance attestations are vulnerable when GitHub Actions workflows are not hardened against pull_request_target abuse and cache poisoning. The self-propagating worm capability means every compromised maintainer account potentially becomes a new infection vector.

If you have installed any @tanstack/react-router version between 1.169.5 and 1.169.8 in the last week, treat your environment as compromised and follow the remediation steps above immediately.

Sources: Socket.dev, Aikido Security, StepSecurity, Snyk, Semgrep, TanStack official postmortem.