Attack Chain

1. Attacker creates a fork of a legitimate repository (e.g., TanStack/router) and renames it (e.g., zblgg/configuration).
2. Attacker opens a pull request to the original repository, triggering a pull_request_target workflow.
3. The workflow checks out and executes the attacker’s fork code.
4. The attacker’s code poisons the GitHub Actions cache with a malicious pnpm store.
5. Legitimate maintainer pull requests are merged, restoring the poisoned cache.
6. Attacker-controlled binaries extract OIDC tokens from the GitHub Actions runner’s process memory (/proc/<pid>/mem).
7. The attacker uses stolen tokens to publish malicious package versions to npm.
8. The published packages execute a credential stealer and self-propagating worm that exfiltrates data via git-tanstack[.]com, Session messenger network, and GitHub API dead drops.

Impact

The compromised npm packages can lead to the theft of sensitive credentials, including CI/CD tokens (GitHub Actions OIDC, GitLab, CircleCI), cloud credentials (AWS IMDSv2, GCP, Azure), Kubernetes service accounts, HashiCorp Vault tokens, and package registry tokens. The self-propagating worm functionality allows the attacker to further compromise other npm packages the victim has write access to. On developer machines, the malware installs a persistent gh-token-monitor daemon that polls GitHub and can wipe the home directory if a token is revoked.

Recommendation

• Search lockfiles and CI logs for affected package versions, specifically looking for router_init.js or setup.mjs at package roots (see affected packages list in this brief).
• Search for the gh-token-monitor daemon on developer machines and remove it before revoking GitHub tokens to avoid the wiper (see Attack Chain and Overview).
• Block the C2 domain git-tanstack.com and *.getsession.org at the DNS/proxy level (see IOCs).