Cache-Poisoning Attack on TanStack npm Packages Unleashes Credential-Theft Malware with Disk-Wipe Kill Switch
An attacker published 84 malicious versions of TanStack npm packages on May 11, 2026, as part of the ongoing Mini Shai-Hulud campaign, stealing credentials and installing a dead-man's switch that wipes the local disk if a stolen GitHub token is revoked.

An attacker published 84 malicious versions of official TanStack npm packages on May 11, 2026, in a supply-chain attack that steals credentials, SSH keys, crypto wallets, and shell history from infected systems. The attack is part of the ongoing Mini Shai-Hulud campaign, which has also compromised packages for OpenSearch, Mistral AI, UiPath, and Guardrails AI. Supply-chain security firm Socket reported that the malicious TanStack packages were published between 19:20 and 19:26 UTC, and the attack was detected and reported within 30 minutes by StepSecurity, triggering incident response and npm deprecation.
The attack exploited a GitHub Actions cache-poisoning variant of a known 2024 vulnerability. TanStack founder Tanner Linsley published a postmortem describing how the attacker used a malicious commit on a fork to create a pull request on the TanStack repository, causing scripts to auto-run and build the malware. This poisoned the GitHub Actions cache, and the malware then extracted the npm OpenID Connect (OIDC) token—used for trusted npm publishing—from runner memory using the same technique used to compromise tj-actions in an attack last year. No TanStack maintainers were compromised.
StepSecurity's detailed analysis revealed that the payload "reads files from over 100 hardcoded paths," including those containing cloud credentials, SSH keys, developer tool configuration files, crypto wallets, VPN configurations, messaging credentials, and shell history. Shell history may contain tokens and passwords pasted into the terminal. Security researcher Nicholas Carlini warned that the payload "installs a dead-man's switch… as a system user service." The service checks whether a stolen GitHub token has been revoked and, if it has, runs a command to wipe the local disk completely.
GitHub published a security advisory at 21:30 UTC, including a list of affected packages. GitHub's advisory suggests "any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised." Socket's write-up includes recommended actions such as rotating all secrets on any affected system. The Mistral AI package has also been reported on GitHub, and at the time of writing, the Mistral AI project is quarantined on PyPI.
This attack confirms again that running everyday commands like npm install is unsafe, that major package repositories including npm and PyPI are still not secured, and that software development is now best done in isolated, ephemeral environments. The attack is still evolving and will likely have a far-reaching impact across the software supply chain.
The attack has now ballooned to over 320 @antv npm packages, with Microsoft confirming the maintainer account 'atool' (which also publishes timeago.js with 1.5 million weekly downloads) was hijacked. Researchers from Socket report 639 malicious versions across the campaign, which now also compromises the GitHub Action actions-cool/issues-helper and the Durabletask Python SDK on PyPI. Unlike prior waves, the malware is now fetching and executing Python code from attacker infrastructure, providing ongoing remote execution on infected CI/CD environments, and dropping persistent backdoors into Claude Code.
Trend Micro's new report details the broader Shai-Hulud campaign, revealing that the self-propagating worm has compromised over 187 packages, including developer tools published by CrowdStrike. The worm uses compromised maintainer accounts and TruffleHog to find npm publishing tokens, automatically infecting and republishing up to 20 packages per maintainer. This represents a significant escalation from the earlier Mini Shai-Hulud campaign, demonstrating automated, indiscriminate supply-chain compromise at scale.