TanStack npm Packages Backdoored in 6-Minute Supply Chain Blitz

TeamPCP struck again on May 11, 2026, publishing 84 malicious versions across 42 TanStack npm packages in a six-minute window. The attack—tracked as CVE-2026-45321 with a CVSS score of 9.6—chained three distinct vulnerabilities in GitHub Actions to compromise one of the most popular React libraries without ever stealing npm credentials directly.

This is the same group behind the SAP npm packages compromise and PyTorch Lightning attack earlier this year. The TanStack incident affects @tanstack/react-router, which alone sees over 12 million weekly downloads—making this potentially the most impactful supply chain attack of 2026 so far.

TL;DR

• What happened: 84 malicious package versions published across 42 @tanstack/* packages between 19:20 and 19:26 UTC on May 11
• Who's affected: Any organization that installed or updated TanStack packages during the attack window
• Severity: Critical (CVSS 9.6) - credential theft plus destructive wiper component
• Action required: Check lockfiles for affected versions, remove the gh-token-monitor daemon BEFORE revoking tokens, rotate all exposed credentials

How the Attack Worked

According to Wiz Research, the attackers chained three vulnerability classes to achieve their goal:

1. Pull Request Target Exploitation: The attacker forked TanStack/router and opened a pull request. The repository's pull_request_target workflow executed attacker-controlled code from the fork, a well-known misconfiguration pattern.

2. GitHub Actions Cache Poisoning: The malicious code wrote a poisoned pnpm store to the shared Actions cache. When legitimate maintainer PRs merged to main later, the release workflow restored this poisoned cache.

3. OIDC Token Extraction: Binaries embedded in the poisoned cache read /proc/<pid>/mem from the GitHub Actions runner process, extracting OIDC tokens directly from memory. These tokens were used to authenticate npm publishes under TanStack's identity.

The entire attack—from malicious PR to published packages—took roughly six minutes. External researcher @ashishkurmi from StepSecurity detected the compromise within 20 minutes.

What the Malware Does

The payload functions as both a credential stealer and self-propagating worm. Socket Security's analysis identified two infection vectors in the published packages:

• An optionalDependencies entry pointing to a malicious fork commit
• An embedded 2.3MB obfuscated file called router_init.js

The malware targets an extensive list of secrets:

Target	What's Stolen
GitHub/GitLab/CircleCI	Actions OIDC tokens, personal access tokens
AWS/GCP/Azure	Cloud credentials via IMDSv2 and environment variables
Kubernetes	Service account tokens, kubeconfig files
HashiCorp Vault	Vault tokens and lease credentials
npm/PyPI	Package registry tokens
SSH	Private keys from ~/.ssh

The Wiper Trap

One particularly nasty feature: a persistent gh-token-monitor daemon polls GitHub every 60 seconds. If it detects token revocation, it executes rm -rf ~/ to destroy the developer's home directory. The daemon self-terminates after 24 hours.

This means organizations must remove the daemon process before revoking credentials. Security teams accustomed to "revoke first, ask questions later" incident response will need to adjust their approach. For organizations familiar with malware persistence techniques, this represents a troubling evolution in supply chain attacks.

Indicators of Compromise

File Hashes:

• router_init.js (2,341,681 bytes): SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
• setup.mjs (5,047 bytes): SHA256: 2258284d65f63829bd67eaba01ef6f1ada2f593f9bbe41678b2df360bd90d3df

Network IOCs:

• C2 Domain: git-tanstack.com
• C2 IP: 83.142.209.194
• Session Network Seed Nodes: seed1.getsession.org, seed2.getsession.org, seed3.getsession.org

Attacker GitHub Accounts:

• zblgg (ID 127806521)
• voicproducoes (ID 269549300)

Remediation Steps

1. Search for affected versions in your lockfiles and CI logs. All affected versions have been deprecated on npm.

2. Identify and kill the daemon before revoking tokens:

   ps aux | grep gh-token-monitor
   kill -9 [PID]
   

3. Rotate compromised credentials:

   • GitHub personal access tokens and Actions secrets
   • npm authentication tokens
   • AWS/GCP/Azure credentials accessible from affected hosts
   • Vault tokens and Kubernetes service accounts
   • SSH keys

4. Audit for persistence artifacts in .claude/ and .vscode/ directories.

5. Block C2 infrastructure at your DNS resolver and proxy.

Why This Matters

The TanStack attack demonstrates that supply chain compromises are becoming industrialized. TeamPCP has hit multiple major ecosystems in 2026—SAP, PyTorch, Bitwarden, Intercom—using variations of the same playbook.

The GitHub Actions cache poisoning technique is particularly concerning because it bypasses many existing supply chain security controls. Organizations that pin dependencies, require signed commits, and review PRs still fell victim because the malicious code never appeared in the repository itself—it lived in the CI cache.

The wiper component also raises the stakes. Previous supply chain attacks focused on stealth and persistence. Adding destructive capabilities to incident response triggers suggests threat actors are evolving toward more aggressive tactics.

Frequently Asked Questions

How do I know if my organization was affected? Check your package-lock.json or pnpm-lock.yaml for any @tanstack/* packages installed or updated on May 11, 2026. The npm registry has deprecated all affected versions, so npm audit should flag them.

Why can't I just revoke tokens immediately? The gh-token-monitor daemon watches for token revocation events and triggers a destructive wiper. Kill the process first, then revoke. If you've already revoked and the wiper executed, you'll need to restore from backups.

Are @tanstack/query and @tanstack/table affected? No. The query, table, form, virtual, store, and start package families were not compromised in this incident.