TanStack Packages Hit by Sophisticated Supply Chain Attack

TeamPCP's Mini Shai-Hulud worm compromised 42 TanStack npm packages via GitHub Actions cache poisoning and OIDC token theft.

A self-propagating worm has torn through the TanStack JavaScript ecosystem, publishing 84 malicious versions across 42 widely used npm packages in a six-minute window — and the attack was so well engineered that the malicious packages even carried valid security provenance certificates.

Between 19:20 and 19:26 UTC on May 11, an attacker published 84 malicious versions across 42 @tanstack/* packages by chaining three techniques: a pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process.

The attack is part of a Mini Shai-Hulud campaign. The same threat group — TeamPCP — previously hit the Bitwarden CLI npm package, poisoned SAP CAP npm packages, and compromised the Lightning AI PyPI package. This time, they went after one of the most downloaded JavaScript toolkits in existence.

How It Actually Worked

The attacker created a fork of TanStack/router on May 10, 2026, using the GitHub account voicproducoes. A single malicious commit added a 2.3 MB obfuscated JavaScript payload. The attacker then opened a pull request that triggered pull_request_target workflows — a GitHub Actions trigger type that runs with base-repository permissions even for fork PRs — and used it to poison the shared Actions cache with a malicious pnpm dependency store.

When a legitimate PR was merged the next day, the release workflow restored the poisoned cache. The malicious code extracted the OIDC JSON Web Token from the runner memory by reading /proc/<pid>/maps and /proc/<pid>/mem of the Runner.Worker process, then used that token to publish directly to npm, bypassing the workflow's own publish step entirely.
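A defender can lint workflow files for the two conditions this chain relied on: a pull_request_target workflow that runs fork code or touches the shared cache, and an OIDC-enabled release job that restores that cache. The following is an added example, not code from the article or from TanStack; the regex heuristics, finding names, and sample workflows are constructed for illustration.

```python
import re

# Heuristic patterns: assumptions of this example, not an exhaustive rule set.
PRT = re.compile(r"\bpull_request_target\b")
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
CACHE = re.compile(r"uses:\s*actions/cache\b|^\s*cache:\s*['\"]?(npm|pnpm|yarn)\b", re.M)
OIDC = re.compile(r"^\s*id-token:\s*write\b", re.M)

def audit_workflow(yaml_text):
    """Return sorted finding IDs for the text of one workflow file."""
    # Drop YAML comments so a commented-out trigger does not match.
    text = "\n".join(l.split(" #")[0] for l in yaml_text.splitlines()
                     if not l.lstrip().startswith("#"))
    found = set()
    if PRT.search(text):
        if HEAD_REF.search(text):   # fork-controlled code runs with base permissions
            found.add("fork-code-in-base-context")
        if CACHE.search(text):      # fork-triggered run can populate the shared cache
            found.add("cache-writable-from-fork-pr")
    if OIDC.search(text) and CACHE.search(text):  # publish job trusts that cache
        found.add("oidc-job-restores-shared-cache")
    return sorted(found)

# Constructed sample workflows (not TanStack's real files).
PR_CHECK = """\
on: pull_request_target
jobs:
  bench:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with: {path: ~/.pnpm-store, key: pnpm-store}
"""
RELEASE = """\
on: {push: {branches: [main]}}
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
"""

if __name__ == "__main__":
    for name, wf in (("pr-check.yml", PR_CHECK), ("release.yml", RELEASE)):
        print(name, audit_workflow(wf))
```

A finding is a prompt for manual review rather than proof of exposure, since text matching cannot tell which job in a multi-job workflow holds the permission.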

Why This Is a First

In an extremely rare escalation, the compromised packages carry valid SLSA Build Level 3 provenance attestations, making this the first documented npm worm to produce malicious packages with valid attestations. In plain terms, even "verify the signature" checks would have passed. SLSA provenance only confirms which pipeline built the package — not whether that pipeline was behaving honestly.

The Worm Spread Beyond TanStack

Mini Shai-Hulud hit over 160 packages across TanStack, UiPath, Squawk, and Mistral. The worm enumerates every package a compromised maintainer publishes, injects the same payload, and republishes — autonomously. Several newly compromised packages, such as @tanstack/react-router, have over 12 million weekly downloads.

The malware steals credentials from over 100 file paths — cloud keys, SSH keys, npm tokens, GitHub tokens, cryptocurrency wallets, and even AI tool configs — and exfiltrates everything over the Session Protocol CDN and GitHub's own GraphQL API. It also installs persistence hooks in both Claude Code and VS Code that survive reboots.

Socket flagged every malicious version within six minutes of publication. External researcher Ashish Kurmi from StepSecurity opened the tracking issue with a full technical analysis within 20 minutes. TanStack creator Tanner Linsley confirmed the incident and began the deprecation process.

What You Should Do Right Now

If you ran npm install on any @tanstack/*, @uipath/*, @mistralai/*, or @draftlab/* package on May 11, treat the machine as compromised. Immediately rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials that are reachable from the install host.

Check for router_init.js in your node_modules, audit your GitHub Actions workflows for unexpected codeql_analysis.yml files, and do not revoke npm tokens before imaging the machine — the payload includes a destructive wipe routine triggered by revocation.

The full list of affected packages is tracked in GitHub Security Advisory GHSA-g7cv-rxg3-hmpx.