iToverDose/Software · 15 MAY 2026 · 20:01

How a supply-chain attack exploited TanStack CI workflows

A sophisticated npm compromise leveraged GitHub Actions flaws to poison caches and steal tokens, exposing risks in CI pipelines. Learn how the attack unfolded and how to audit your own workflows.

DEV Community · 3 min read

A recent attack on the TanStack npm ecosystem demonstrated how supply-chain threats can exploit CI/CD pipelines, turning trusted workflows against their own maintainers. The breach, which unfolded on May 11, 2026, highlights the dangers of improperly configured GitHub Actions and the cascading impact of cache poisoning.

The attack chain: three vulnerabilities, one catastrophic outcome

The attacker initiated the exploit by opening a pull request from a throwaway fork of TanStack’s router project. While maintainers never reviewed the PR—it was closed immediately—the damage was done. The CI workflow triggered by the PR leveraged pull_request_target, a GitHub Actions feature that runs in the base repository’s privileged context without first-time contributor approval. This allowed untrusted code from the fork to execute in a trusted environment.

The triggered workflow ran a build command, pnpm nx run @benchmarks/bundle-size:build, which executed attacker-controlled code from the fork. This code poisoned the pnpm cache, embedding a trojanized dependency that would later be restored during a legitimate merge. When the release workflow later ran with the poisoned cache restored, a short-lived publish token was extracted from the runner’s memory and used to push 84 malicious versions across 42 @tanstack/* packages in two waves, roughly six minutes apart.

The attacker’s approach was ingenious: they engineered a situation in which TanStack’s own CI pipeline stole its publish token at the exact moment it was created, by way of a cache that every subsequent step implicitly trusted.

Malware behavior: credential theft and lateral movement

Once installed via npm install, pnpm install, or yarn install, the compromised packages executed a script called router_init.js, pulled in through an entry in optionalDependencies. This script performed several malicious actions:

  • Credential harvesting: It scanned common locations for secrets, including ~/.npmrc, GitHub tokens (environment variables, gh CLI configs, .git-credentials), SSH private keys, and cloud provider credentials.
  • Exfiltration via encrypted messaging: The stolen data was smuggled out using Session, an end-to-end encrypted messaging app. The traffic mimicked normal Session activity, making it difficult to detect via network monitoring. Blocking the Session domains outright is the only effective network-level mitigation.
  • Self-propagating spread: The malware attempted to propagate like a worm, turning compromised maintainers into vectors for further attacks by injecting malicious code into additional packages.

Impact and scope: 84 malicious versions across 42 packages

The attack affected 42 packages, with 84 malicious versions published between 19:20 and 19:26 UTC on May 11, 2026. Affected families included @tanstack/router, @tanstack/query, @tanstack/table, @tanstack/form, @tanstack/virtual, @tanstack/store, and the @tanstack/start meta-package. Several sub-packages under @tanstack/start-* were confirmed clean.

Anyone who installed an affected version on the day of the attack should treat the installation host as potentially compromised and take immediate remediation steps.

Immediate actions: identifying and mitigating the threat

If your project depends on TanStack packages, audit your lockfiles for @tanstack/* resolutions dated May 11, 2026. Look for an optionalDependencies entry pointing to a GitHub fork commit, such as:

"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}

Additionally, check for a router_init.js file in the package root. If found, follow these steps:

  • Rotate all credentials: Revoke and reissue AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials accessible from the compromised host.
  • Pin to safe versions: TanStack has deprecated all 84 affected versions, and npm security has removed the malicious tarballs. Update to verified versions immediately.
  • Audit your CI workflows: Review any workflows using pull_request_target that check out forked code and execute it. This configuration is a well-documented security risk that has been warned about for years.
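
The lockfile check described above can be scripted. The following is an added example, not code from the article or from TanStack: it walks the packages map of an npm package-lock.json (lockfileVersion 2 or 3) and reports @tanstack/* entries that pull from a git host. The function name, the sample lockfile, and the example-clean/example-flagged package names and versions are constructed placeholders; the git reference is the one quoted above.

```javascript
// Added example (not TanStack's or npm's tooling): reports git-hosted
// dependencies recorded in a package-lock.json (lockfileVersion 2 or 3).

// Specifiers that make the package manager fetch from a git host, not the registry.
const GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/i;

function auditPackageLock(lock, scope = '@tanstack/') {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // "node_modules/a/node_modules/@scope/name" -> "@scope/name"
    const name = path.split('node_modules/').pop();
    if (!name.startsWith(scope)) continue;
    // A registry package that lists a git-hosted optional dependency.
    for (const [dep, spec] of Object.entries(entry.optionalDependencies || {})) {
      if (GIT_SPEC.test(String(spec))) {
        findings.push({ name, version: entry.version, reason: `optionalDependencies ${dep} -> ${spec}` });
      }
    }
    // A package that was itself resolved from git instead of a registry tarball.
    if (GIT_SPEC.test(String(entry.resolved || ''))) {
      findings.push({ name, version: entry.version, reason: `resolved from git: ${entry.resolved}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: package names ending in example-* and all
// versions are placeholders; the git reference is the one quoted in the article.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/example-clean': {
      version: '0.0.1-placeholder',
      resolved: 'https://registry.npmjs.org/@tanstack/example-clean/-/example-clean-0.0.1-placeholder.tgz',
    },
    'node_modules/@tanstack/example-flagged': {
      version: '0.0.2-placeholder',
      resolved: 'https://registry.npmjs.org/@tanstack/example-flagged/-/example-flagged-0.0.2-placeholder.tgz',
      optionalDependencies: { '@tanstack/setup': 'github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c' },
    },
    'node_modules/@tanstack/setup': {
      version: '0.0.0-placeholder',
      resolved: 'git+ssh://git@github.com/tanstack/router.git#79ac49eedf774dd4b0cfa308722bc463cfe5885c',
    },
  },
};

for (const f of auditPackageLock(SAMPLE_LOCK)) console.log(`${f.name}@${f.version}: ${f.reason}`);
```

To run it on a real project, pass it the parsed contents of package-lock.json; pnpm and yarn lockfiles use different formats and need their own reader. The router_init.js check still has to be done against the installed package directories.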

A cautionary tale for the open-source ecosystem

The TanStack compromise serves as a stark reminder of the risks posed by improperly configured CI pipelines. The pull_request_target trigger, while convenient, grants untrusted code the same privileges as trusted code whenever the workflow checks out and runs the fork’s changes, a dangerous precedent. Tools like zizmor can help audit GitHub Actions workflows for similar vulnerabilities.
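
A heuristic version of that audit, as an added example (not the article's code and not a replacement for zizmor): it scans a workflow file's text for a pull_request_target trigger combined with a checkout of the pull request's head and a run step. The function name and the workflow snippets are constructed for illustration and are not TanStack's actual files.

```javascript
// Added example: line-based heuristic, not a YAML parser and not zizmor.
// Drop YAML comments so commented-out triggers are not counted.
const stripComments = (text) => text.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));

function auditWorkflow(text) {
  const lines = stripComments(text);
  const has = (re) => lines.some((l) => re.test(l));
  const reasons = [];
  if (!has(/\bpull_request_target\b/)) return { risky: false, reasons };
  // Checkout of the pull request's own commit instead of the base branch.
  const headCheckout = has(/^\s*ref:.*(pull_request\.head\.(sha|ref)|github\.head_ref|refs\/pull\/)/);
  const runsCode = has(/^\s*(-\s*)?run:/);
  const usesCache = has(/uses:\s*actions\/cache@|^\s*cache:\s*\S/);
  if (headCheckout) reasons.push('pull_request_target job checks out the PR head');
  if (headCheckout && runsCode) reasons.push('run steps execute on that checkout');
  if (headCheckout && usesCache) reasons.push('workflow also uses a dependency cache');
  return { risky: headCheckout && runsCode, reasons };
}

// Constructed workflow showing the pattern (not TanStack's actual file).
const RISKY = [
  'on: pull_request_target',
  'jobs:',
  '  bench:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}',
  '      - uses: actions/cache@v4',
  '        with: { path: ~/.pnpm-store, key: pnpm-store }',
  '      - run: pnpm nx run @benchmarks/bundle-size:build',
].join('\n');

// Same job on the unprivileged trigger, with the explicit head ref removed.
const SAFER = RISKY.replace('pull_request_target', 'pull_request')
  .replace(/\n\s+with:\n\s+ref:.*/, '');

// Privileged trigger that never checks out or runs PR code (e.g. labelling).
const LABEL_ONLY = [
  'on: pull_request_target',
  'jobs:',
  '  label:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/labeler@v5',
].join('\n');

for (const [name, wf] of Object.entries({ RISKY, SAFER, LABEL_ONLY })) {
  console.log(name, JSON.stringify(auditWorkflow(wf)));
}
```

A hit means the workflow deserves manual review; a miss does not prove safety, since a text scan cannot follow reusable workflows or composite actions.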

Open-source maintainers and organizations must prioritize security hygiene, especially in CI/CD environments where a single misconfiguration can cascade into a supply-chain disaster. The lessons from this attack extend far beyond TanStack, urging teams to re-evaluate trust boundaries, cache integrity, and secret management in their development pipelines.

AI summary

The TanStack npm attack of May 11, 2026 showed how risky the use of `pull_request_target` is. Learn how to protect your CI pipelines and the recovery steps.
