{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/@tanstack/start-client-core/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["@tanstack/arktype-adapter","@tanstack/eslint-plugin-router","@tanstack/eslint-plugin-start","@tanstack/history","@tanstack/nitro-v2-vite-plugin","@tanstack/react-router","@tanstack/react-router-devtools","@tanstack/react-router-ssr-query","@tanstack/react-start","@tanstack/react-start-client","@tanstack/react-start-rsc","@tanstack/react-start-server","@tanstack/router-cli","@tanstack/router-core","@tanstack/router-devtools","@tanstack/router-devtools-core","@tanstack/router-generator","@tanstack/router-plugin","@tanstack/router-ssr-query-core","@tanstack/router-utils","@tanstack/router-vite-plugin","@tanstack/solid-router","@tanstack/solid-router-devtools","@tanstack/solid-router-ssr-query","@tanstack/solid-start","@tanstack/solid-start-client","@tanstack/solid-start-server","@tanstack/start-client-core","@tanstack/start-fn-stubs","@tanstack/start-plugin-core","@tanstack/start-server-core","@tanstack/start-static-server-functions","@tanstack/start-storage-context","@tanstack/valibot-adapter","@tanstack/virtual-file-routes","@tanstack/vue-router","@tanstack/vue-router-devtools","@tanstack/vue-router-ssr-query","@tanstack/vue-start","@tanstack/vue-start-client","@tanstack/vue-start-server","@tanstack/zod-adapter"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","credential-theft","github-actions"],"_cs_type":"advisory","_cs_vendors":["TanStack"],"content_html":"\u003cp\u003eOn 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 \u003ccode\u003e@tanstack/*\u003c/code\u003e packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for \u003ccode\u003eTanStack/router\u003c/code\u003e, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a \u003ccode\u003epull_request_target\u003c/code\u003e \u0026ldquo;Pwn Request\u0026rdquo; misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart. This supply chain attack highlights the risks of compromised CI/CD pipelines and the potential for widespread credential theft.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker exploited a \u003ccode\u003epull_request_target\u003c/code\u003e \u0026ldquo;Pwn Request\u0026rdquo; misconfiguration in the \u003ccode\u003eTanStack/router\u003c/code\u003e repository.\u003c/li\u003e\n\u003cli\u003eThe attacker performed GitHub Actions cache poisoning across the fork↔base trust boundary, injecting malicious code into the cache.\u003c/li\u003e\n\u003cli\u003eThe attacker extracted the OIDC token from the Actions runner process memory.\u003c/li\u003e\n\u003cli\u003eUsing the compromised OIDC token, the attacker published malicious versions of \u003ccode\u003e@tanstack/*\u003c/code\u003e packages to the npm registry via the legitimate GitHub Actions OIDC trusted-publisher binding.\u003c/li\u003e\n\u003cli\u003eUpon installation of a malicious package version, the \u003ccode\u003erouter_init.js\u003c/code\u003e payload (~2.3 MB obfuscated) executes.\u003c/li\u003e\n\u003cli\u003eThe payload harvests credentials from AWS, GCP, Kubernetes, HashiCorp Vault, npm, GitHub, and SSH keys.\u003c/li\u003e\n\u003cli\u003eThe harvested data is exfiltrated over the Session/Oxen messenger network to \u003ccode\u003efilev2.getsession.org\u003c/code\u003e, \u003ccode\u003eseed{1,2,3}.getsession.org\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates packages maintained by the victim and republishes them with the same injection, propagating the compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAny developer or CI environment that ran \u003ccode\u003enpm install\u003c/code\u003e, \u003ccode\u003epnpm install\u003c/code\u003e, or \u003ccode\u003eyarn install\u003c/code\u003e against an affected version on 2026-05-11 should be considered compromised. All credentials accessible to the install process, including AWS, GCP, Kubernetes, Vault, npm, GitHub, and SSH keys, should be rotated immediately. Cloud audit logs should be reviewed for activity originating from the affected hosts during and after the install window. The malicious packages also attempt to propagate the compromise to other packages maintained by the victim.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect the manifest of any pinned \u003ccode\u003e@tanstack/*\u003c/code\u003e version for the malicious \u003ccode\u003eoptionalDependencies\u003c/code\u003e entry as described in the Detection section.\u003c/li\u003e\n\u003cli\u003eBlock connections to the exfiltration domains \u003ccode\u003efilev2.getsession.org\u003c/code\u003e, \u003ccode\u003eseed1.getsession.org\u003c/code\u003e, \u003ccode\u003eseed2.getsession.org\u003c/code\u003e, and \u003ccode\u003eseed3.getsession.org\u003c/code\u003e at the network level.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules to detect the presence of the malicious \u003ccode\u003erouter_init.js\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003ePin every \u003ccode\u003e@tanstack/*\u003c/code\u003e dependency to a known-good version published before 2026-05-11 19:00 UTC, as described in the Workarounds section.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-12T00:15:59Z","date_published":"2026-05-12T00:15:59Z","id":"https://feed.craftedsignal.io/briefs/2026-05-tanstack-supply-chain/","summary":"On 2026-05-11, multiple malicious versions of `@tanstack/*` packages were published to the npm registry due to a chained attack exploiting vulnerabilities in GitHub Actions; the attacker used a compromised GitHub Actions OIDC trusted-publisher binding to publish credential-stealing malware that harvests credentials, exfiltrates data, and propagates the compromise by republishing other packages with the same injection, requiring users who installed affected versions to consider their environment compromised and rotate all credentials.","title":"Compromised @tanstack/* Packages Exfiltrate Credentials via GitHub Actions Exploit","url":"https://feed.craftedsignal.io/briefs/2026-05-tanstack-supply-chain/"}],"language":"en","title":"CraftedSignal Threat Feed — @Tanstack/Start-Client-Core","version":"https://jsonfeed.org/version/1.1"}