TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack
Blog post from Socket
The Socket Threat Research team uncovered a compromise of 84 npm packages in the tanstack namespace, into which malicious code was inserted to steal credentials from CI systems such as GitHub Actions. The compromise, flagged quickly by Socket AI Scanner, is notable because of the high download counts of the affected packages, such as @tanstack/react-router, which gives it a large footprint across the software supply chain. The attack used layered obfuscation and a specially crafted router_init.js file that harvested secrets from the CI environment and allowed the compromised code to persist on developer machines. The attacker operated from a GitHub account, voicproducoes, and published the malicious versions through npm's OIDC trusted-publishing mechanism, so the releases carried valid Sigstore attestations and appeared legitimate. TanStack responded by deprecating the affected versions, working with npm security to remove the tarballs, and hardening its release workflows. The compromise is linked to the broader Mini Shai-Hulud campaign; any system that installed an affected version should be triaged immediately and its secrets rotated.