Threat Feed
critical advisory

Compromised @tanstack/* Packages Exfiltrate Credentials via GitHub Actions Exploit

On 2026-05-11, multiple malicious versions of `@tanstack/*` packages were published to the npm registry through a chained attack on GitHub Actions. Using a compromised GitHub Actions OIDC trusted-publisher binding, the attacker published credential-stealing malware that harvests credentials, exfiltrates data, and spreads the compromise by republishing other packages with the same injection. Users who installed affected versions should consider their environment compromised and rotate all credentials.

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated through the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, yet the publish workflow itself was not modified. The attacker chained three known vulnerability classes to publish credential-stealing malware under a trusted identity: a pull_request_target “Pwn Request” misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process. Each affected package received exactly two malicious versions, published a few minutes apart. The attack illustrates how a compromised CI/CD pipeline can turn a trusted publishing identity into a vehicle for widespread credential theft.

Attack Chain

  1. The attacker exploited a pull_request_target “Pwn Request” misconfiguration in the TanStack/router repository.
  2. The attacker performed GitHub Actions cache poisoning across the fork↔base trust boundary, injecting malicious code into the cache.
  3. The attacker extracted the OIDC token from the Actions runner process memory.
  4. Using the compromised OIDC token, the attacker published malicious versions of @tanstack/* packages to the npm registry via the legitimate GitHub Actions OIDC trusted-publisher binding.
  5. Upon installation of a malicious package version, the router_init.js payload (roughly 2.3 MB, obfuscated) executes.
  6. The payload harvests credentials from AWS, GCP, Kubernetes, HashiCorp Vault, npm, GitHub, and SSH keys.
  7. The harvested data is exfiltrated over the Session/Oxen messenger network to filev2.getsession.org and seed{1,2,3}.getsession.org.
  8. The attacker enumerates packages maintained by the victim and republishes them with the same injection, propagating the compromise.

Impact

Any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised. All credentials accessible to the install process, including AWS, GCP, Kubernetes, Vault, npm, GitHub, and SSH keys, should be rotated immediately. Cloud audit logs should be reviewed for activity originating from the affected hosts during and after the install window. The malicious packages also attempt to propagate the compromise to other packages maintained by the victim.

Recommendation

  • Inspect the manifest of any pinned @tanstack/* version for the malicious optionalDependencies entry as described in the Detection section.
  • Block connections to the exfiltration domains filev2.getsession.org, seed1.getsession.org, seed2.getsession.org, and seed3.getsession.org at the network level.
  • Deploy the Sigma rules to detect the presence of the malicious router_init.js file.
  • Pin every @tanstack/* dependency to a known-good version published before 2026-05-11 19:00 UTC, as described in the Workarounds section.

Detection coverage (2 rules)

Detect router_init.js creation during npm install

Severity: high

Detects the creation of router_init.js, a malicious payload dropped by compromised @tanstack/* packages, during npm install or similar package installation processes.

Format: sigma; Tactics: execution, initial_access; Techniques: T1059.004, T1608; Sources: file_event, windows

Detect Outbound Connections to Oxen Network Domains

Severity: medium

Detects outbound network connections to domains associated with the Session/Oxen messenger network, used for exfiltration by compromised @tanstack/* packages.

Format: sigma; Tactics: exfiltration; Techniques: T1071.001; Sources: network_connection, windows
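As an added illustration of the two detections above, not the platform's own Sigma rules: the same logic in Python, run over constructed Sysmon-style events. The field names (Image, TargetFilename, DestinationHostname) and the list of package-manager process images are assumptions; the domain set comes from the indicator table below.

```python
import json

# Exfiltration domains from the advisory's indicator table.
OXEN_DOMAINS = {"filev2.getsession.org", "seed1.getsession.org",
                "seed2.getsession.org", "seed3.getsession.org"}
# Package-manager process images; an assumption standing in for "npm install or similar".
INSTALLER_IMAGES = {"node", "node.exe", "npm", "npm.cmd", "pnpm", "pnpm.cmd", "yarn", "yarn.cmd"}

def basename(path: str) -> str:
    """Last path component, tolerant of Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def rule_router_init_created(event: dict) -> bool:
    """Rule 1 (high): router_init.js written by a package-manager process."""
    return (event.get("category") == "file_event"
            and basename(event.get("TargetFilename", "")) == "router_init.js"
            and basename(event.get("Image", "")) in INSTALLER_IMAGES)

def rule_oxen_connection(event: dict) -> bool:
    """Rule 2 (medium): outbound connection to one of the listed Session/Oxen domains."""
    host = event.get("DestinationHostname", "").lower().rstrip(".")  # normalise case, trailing dot
    return event.get("category") == "network_connection" and host in OXEN_DOMAINS

RULES = {"router_init_js_creation": rule_router_init_created,
         "oxen_network_connection": rule_oxen_connection}

def scan(ndjson_lines):
    """Apply both rules to newline-delimited JSON events; return [(rule_name, event), ...]."""
    hits = []
    for line in ndjson_lines:
        if line.strip():
            event = json.loads(line)
            hits += [(name, event) for name, rule in RULES.items() if rule(event)]
    return hits

# Constructed sample telemetry (Sysmon-like field names), not real logs.
SAMPLE_EVENTS = [
    r'{"category":"file_event","Image":"C:\\Program Files\\nodejs\\node.exe","TargetFilename":"C:\\proj\\node_modules\\@tanstack\\example\\router_init.js"}',
    r'{"category":"file_event","Image":"C:\\Program Files\\nodejs\\node.exe","TargetFilename":"C:\\proj\\node_modules\\@tanstack\\example\\index.js"}',
    r'{"category":"file_event","Image":"C:\\Windows\\notepad.exe","TargetFilename":"C:\\Users\\dev\\router_init.js"}',
    r'{"category":"network_connection","Image":"C:\\Program Files\\nodejs\\node.exe","DestinationHostname":"seed2.getsession.org","DestinationPort":443}',
    r'{"category":"network_connection","Image":"C:\\Program Files\\nodejs\\node.exe","DestinationHostname":"registry.npmjs.org","DestinationPort":443}',
]

if __name__ == "__main__":
    for name, ev in scan(SAMPLE_EVENTS):
        print(name, "<-", ev.get("TargetFilename") or ev.get("DestinationHostname"))
```

Only the first and fourth sample events fire; the notepad write is ignored because the rule is scoped to package-manager processes, as the rule description states.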


Indicators of compromise (4 domains, 2 URLs)

Type     Value
domain   filev2.getsession.org
domain   seed1.getsession.org
domain   seed2.getsession.org
domain   seed3.getsession.org
url      https://litter.catbox.moe/h8nc9u.js
url      https://litter.catbox.moe/7rrc6l.mjs