{
  "Event": {
    "analysis": "1",
    "date": "2026-05-11",
    "extends_uuid": "",
    "info": "[Threat Intel] TanStack npm Packages Compromised in Ongoing Supply-Chain Attack",
    "protected": false,
    "publish_timestamp": "1779547155",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1779547154",
    "uuid": "6f0fb181-17f2-47c8-b4ce-24d302f8d931",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0ee843",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Instance Metadata API - T1552.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#5c57c8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Windows Service - T1543.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#474886",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Linker Hijacking - T1574.006\"",
        "relationship_type": ""
      },
      {
        "colour": "#f95f85",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#08221e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Application Access Token - T1528\"",
        "relationship_type": ""
      },
      {
        "colour": "#7ffc24",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Additional Cloud Credentials - T1098.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#12d28f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1087.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#83203e",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Account - T1136.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#4a87cb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Image - T1204.003\"",
        "relationship_type": ""
      },
      {
        "colour": "#d596aa",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#08b028",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Asymmetric Cryptography - T1573.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#5300bd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Access Token - T1550.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#37c019",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Cloud Accounts - T1078.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#3b4369",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Container API - T1552.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Shai-Hulud\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      },
      {
        "colour": "#220082",
        "local": false,
        "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778641212",
        "to_ids": false,
        "type": "link",
        "uuid": "a001b167-d4b7-4fba-9d0e-141305d01674",
        "value": "https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778641212",
        "to_ids": false,
        "type": "text",
        "uuid": "887a27b4-d941-4b47-952c-84928abc04f1",
        "value": "Socket detected 84 compromised TanStack npm package artifacts modified with credential-stealing malware targeting CI systems, including GitHub Actions. Affected packages like @tanstack/react-router have over 12 million weekly downloads. The malicious versions contain router_init.js, a heavily obfuscated file with daemonization capabilities and environment variable access for GitHub Actions secrets. The compromise exploited GitHub Actions cache poisoning and pull_request_target patterns to extract OIDC tokens and authenticate malicious npm publishes through trusted-publisher bindings. The malware harvests credentials from GitHub Actions, AWS (IMDS, Secrets Manager, SSM), HashiCorp Vault, and Kubernetes, while establishing persistence in Claude Code and VS Code directories. Exfiltration occurs through Session's decentralized P2P network. The campaign includes self-propagation mechanisms that steal npm OIDC tokens and autonomously republish compromised packages. Updates indicate expansion to OpenSearch, Mistr..."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778641212",
        "to_ids": false,
        "type": "text",
        "uuid": "8ce9e419-5b7d-4522-8a6c-25df71cda429",
        "value": "Name: TanStack npm Packages Compromised in Ongoing Supply-Chain Attack\nAuthor: AlienVault\nAdversary: TeamPCP\nTags: [\"github actions\", \"supply-chain attack\", \"session p2p network\", \"oidc token theft\", \"credential stealer\", \"npm compromise\", \"ci/cd targeting\", \"router_init.js\", \"router_runtime.js\", \"mini shai-hulud\", \"tanstack_runner.js\"]\nTgtd countries: []\nMlwr families: [\"router_init.js\", \"tanstack_runner.js\", \"router_runtime.js\"]\nAttack_ids: [\"T1059.007\", \"T1552.005\", \"T1036.005\", \"T1543.003\", \"T1574.006\", \"T1552.001\", \"T1528\", \"T1098.001\", \"T1087.004\", \"T1136.003\", \"T1204.003\", \"T1195.002\", \"T1573.002\", \"T1071.001\", \"T1105\", \"T1550.001\", \"T1078.004\", \"T1552.007\"]\nIndustries: [\"Technology\"]"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778641212",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "56540b84-4663-4318-835c-1b067651025d",
        "value": "TeamPCP"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check:17/05/2026",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779547154",
        "to_ids": true,
        "type": "sha1",
        "uuid": "23a9934a-12fa-4b5c-a8a6-1cd343161d43",
        "value": "79ac49eedf774dd4b0cfa308722bc463cfe5885c",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001015",
        "to_ids": true,
        "type": "domain",
        "uuid": "dba88edc-4a40-4e22-8540-5f4c2d41be8b",
        "value": "git-tanstack.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001036",
        "to_ids": true,
        "type": "url",
        "uuid": "2b42c2f3-f696-451a-8c20-46c1c038ec57",
        "value": "https://git-tanstack.com/transformers.pyz",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001057",
        "to_ids": true,
        "type": "url",
        "uuid": "9ddfbb3d-05da-4ba0-9f63-74ceccccc012",
        "value": "http://filev2.getsession.org/file/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
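        "comment": "DO NOT BLOCK - AWS EC2 IMDSv2 token acquisition. This is the legitimate AWS instance metadata endpoint; to_ids is set on this attribute, so exclude it from automated blocklist exports and treat requests from unexpected processes (for example package install scripts) as hunting context.",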
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001080",
        "to_ids": true,
        "type": "url",
        "uuid": "43dfe317-f1e8-4128-891b-d06f0b1fb251",
        "value": "http://169.254.169.254/latest/api/token",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
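        "comment": "DO NOT BLOCK - AWS ECS Task Metadata Endpoint credential harvest. This is a legitimate AWS link-local endpoint; to_ids is set on this attribute, so exclude it from automated blocklist exports and use it only as hunting context.",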
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001101",
        "to_ids": true,
        "type": "url",
        "uuid": "e9400096-a9d2-4315-a8b9-7be8682f264e",
        "value": "http://169.254.170.2",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
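        "comment": "DO NOT BLOCK - GitHub REST API \u2014 secrets enumeration and repo manipulation. Legitimate shared endpoint with high false-positive risk; to_ids is set on this attribute, so exclude it from automated blocklist exports.",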
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001122",
        "to_ids": true,
        "type": "url",
        "uuid": "bbf86d1f-b7cf-44cb-bb83-3fdd3ca77a34",
        "value": "https://api.github.com/repos/",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
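        "comment": "DO NOT BLOCK - npm token validation. Legitimate npm registry endpoint; to_ids is set on this attribute, so exclude it from automated blocklist exports and use it only as hunting context.",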
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779001143",
        "to_ids": true,
        "type": "url",
        "uuid": "b2ea3990-d8d3-44ba-92db-62c3f655b172",
        "value": "https://registry.npmjs.org/-/npm/v1/tokens",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547150",
        "uuid": "3bc11890-58ed-44d9-9177-48b5732ca779",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547149",
            "to_ids": true,
            "type": "md5",
            "uuid": "d89a467b-970e-44ec-ba27-2b9c22e7ef96",
            "value": "833fd59ebe66a4449982c6d18db656b4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547149",
            "to_ids": true,
            "type": "sha1",
            "uuid": "5907f3aa-45a7-48a7-99ea-49bc5dd8abd5",
            "value": "12ed9a3c1f73617aefdb740480695c04405d7b4b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547150",
            "to_ids": true,
            "type": "sha256",
            "uuid": "43141384-f9fa-4b96-89b7-d833d28cf2f6",
            "value": "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778997124",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "7bbff539-1405-445b-a390-7bd0f9bc83e8",
            "value": "49152:+4uRIKCnhiCJndm+8I3N2vfiQPIDPsMTNC1PZXCSpcyKaHeBirVYpgaontsN/97o:M4M"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778997124",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "de48444c-441e-4c0b-978b-2bcfcad28211",
            "value": "2341681"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778997124",
            "to_ids": true,
            "type": "vhash",
            "uuid": "34fca1db-7e0e-40fa-b8f3-e2536db24697",
            "value": "dd8def2ec991ea082ca7d61fc1426ffc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778997124",
            "to_ids": true,
            "type": "filename",
            "uuid": "b072cef5-955e-4dd3-bcd5-822c70de5058",
            "value": "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  16/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778997124",
            "to_ids": false,
            "type": "text",
            "uuid": "38f15f39-bfa7-48fc-99bd-c1367000b720",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/MiniShai.BB\nVT Total Detection:35/61\nFirst Submission:2026-05-12T06:06:46.000000+00:00\nLast Submission:2026-05-14T02:55:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779547152",
        "uuid": "843fc833-f650-4b42-ac29-3477d407cbe2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779547152",
            "to_ids": true,
            "type": "md5",
            "uuid": "e67217f3-818a-42c9-950e-17274a770eac",
            "value": "b82e54923f7e440664d2d75bd31588ca",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779547152",
            "to_ids": true,
            "type": "sha1",
            "uuid": "90610dc4-d298-4b68-b9ed-73ba58e4220e",
            "value": "e7d582b98ca80690883175470e96f703ef6dc497",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779547152",
            "to_ids": true,
            "type": "sha256",
            "uuid": "72045212-c988-4c37-a67c-fa22586d3e3b",
            "value": "2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#220082",
                "local": false,
                "name": "rectifyq:samples-found-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778997146",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "d88d5abe-8c9c-44b7-adae-5712feb0aa36",
            "value": "49152:e126CoQ9JTiMDR/mWcMAsiaFD0eppIbfgvL7PiN8vds8KnHqvJOQHu/toKg4ae1X:Mp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778997146",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "034c43f5-6da9-4ee2-8bed-de673f541d4b",
            "value": "2339346"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1778997146",
            "to_ids": true,
            "type": "vhash",
            "uuid": "eea37a8b-0f13-4dbd-84b2-f7e3ecf7591b",
            "value": "ef6433bf70047acfd9321c13727adadc"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778997146",
            "to_ids": true,
            "type": "filename",
            "uuid": "278cbfd9-f7d3-4e15-a0e5-a78dda74506e",
            "value": "router_init.js"
          },
          {
            "category": "Other",
            "comment": "Checked: 17/05/2026\nLast-scan\t:  15/05/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778997146",
            "to_ids": false,
            "type": "text",
            "uuid": "adf3d60f-9742-4d1f-92ae-7c35ead4b0fe",
            "value": "Type Description: JavaScript\nMicrosoft: Trojan:JS/Malgent.LTSN!MTB\nVT Total Detection:38/61\nFirst Submission:2026-05-11T21:44:47.000000+00:00\nLast Submission:2026-05-15T07:37:16.000000+00:00"
          }
        ]
      }
    ]
  }
}