TanStack npm 공급망 공격 사후 분석 보고서

TanStack Search... K Auto Log In Start RC Start RC Router Router Query Query Table Table DB beta DB beta AI alpha AI alpha Form new Form new Virtual Virtual Pacer beta Pacer beta Hotkeys alpha Hotkeys alpha Store alpha Store alpha Devtools alpha Devtools alpha CLI alpha CLI alpha Intent alpha Intent alpha More Libraries More Libraries Builder Alpha Builder Alpha Blog Blog Maintainers Maintainers Partners Partners Showcase Showcase Learn NEW Learn NEW Stats Stats YouTube YouTube Discord Discord Merch Merch Support Support GitHub GitHub Ethos Ethos Tenets Tenets Brand Guide Brand Guide Blog On this page Postmortem: TanStack npm supply-chain compromise Copy page by Tanner Linsley on May 11, 2026. Last updated: 2026-05-11 TL;DR # On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised. The malicious versions were detected publicly within 20 minutes by an external researcher ashishkurmi working for stepsecurity . All affected versions have been deprecated; npm security has been engaged to pull tarballs from the registry. We have no evidence of npm credentials being stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host. Tracking issue: TanStack/router#7383 GitHub Security Advisory: GHSA-g7cv-rxg3-hmpx Impact # Packages affected # 42 packages, 84 versions (two per package, published roughly 6 minutes apart). See the tracking issue for the full table. Confirmed-clean families: @tanstack/query* , @tanstack/table* , @tanstack/form* , @tanstack/virtual* , @tanstack/store , @tanstack/start (the meta-package, not @tanstack/start-* ). What the malware does # When a developer or CI environment runs npm install , pnpm install , or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3 MB obfuscated router_init.js smuggled into the affected tarball. The script: Harvests credentials from common locations: AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc , GitHub tokens (env, gh CLI, .git-credentials ), SSH private keys Exfiltrates over the Session/Oxen messenger file-upload network ( filev2.getsession.org , seed{1,2,3}.getsession.org ) — end-to-end encrypted with no attacker-controlled C2, so blocking by IP/domain is the only network mitigation Self-propagates: enumerates other packages the victim maintains via registry.npmjs.org/-/v1/search?text=maintainer:<user> and republishes them with the same injection Because the payload runs as part of npm install's lifecycle, anyone who installed an affected version on 2026-05-11 must treat the install host as potentially compromised. Timeline # All times UTC. Local timestamps from GitHub API and npm registry. Pre-attack (cache poisoning phase) # Time Event 2026-05-10 17:16 Attacker creates fork github.com/zblgg/configuration (a fork of TanStack/router, deliberately renamed to evade fork-list searches) 2026-05-10 23:29 Malicious commit 65bf499d16a5e8d25ba95d69ec9790a6dd4a1f14 authored on the fork by fabricated identity claude <claude@users.noreply.github.com> . Adds packages/history/vite_setup.mjs (a ~30,000-line bundled JS payload). Commit message prefixed with [skip ci] to suppress CI on the push event 2026-05-11 ~10:49 PR #7378 opened against TanStack/router#main titled "WIP: simplify history build" by zblgg 2026-05-11 10:49 onwards bundle-size.yml and labeler.yml (both pull_request_target ) auto-run for the PR — no first-time-contributor approval required because pull_request_target bypasses that gate. pr.yml (which uses pull_request ) does NOT run, blocked pending approval that never came 2026-05-11 11:01–11:11 Multiple force-pushes by zblgg to the PR head, each triggering more pull_request_target runs 2026-05-11 11:11 Force-push lands 65bf499d (the malicious commit) on the PR head. bundle-size.yml 's benchmark-pr job checks out refs/pull/7378/merge , runs pnpm install + pnpm nx run @benchmarks/bundle-size:build — this executes vite_setup.mjs 2026-05-11 11:29 Cache entry Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved to GitHub Actions cache for TanStack/router , scope refs/heads/main — keyed to match what release.yml will look up on the next push to main 2026-05-11 11:31 Attacker force-pushes the PR back to current main HEAD ( b1c061af ), making the visible PR a 0-file no-op. PR closed and branch deleted in the same minute. Cache poison persists. Detonation (publish phase) # Time Event 2026-05-11 19:15 Manuel merges PR #7369 (Shkumbin's CSS.supports fix) → push to main triggers release.yml . Workflow run 25613093674 starts (19:15:44), and fails. 2026-05-11 19:20:39 npm registry receives publish for @tanstack/history@1.161.9 and 41 sibling packages (~84 versions across 42 packages, but only ~half show this exact second; the remainder come during run #2). Publish is authenticated via OIDC trusted-publisher binding for TanStack/router release.yml@refs/heads/main — but it does not come from the workflow's defined Publish Packages step, which was skipped because tests failed. It comes from the malware running during the test/cleanup phase, which mints an OIDC token via the workflow's id-token: write permission and POSTs directly to registry.npmjs.org 2026-05-11 19:20:47 Run 25613093674 completes (status: failure) 2026-05-11 19:16 Manuel merges PR #7382 (jiti tsconfig paths fix) → second push to main triggers release.yml 2026-05-11 19:16:22 Workflow run 25691781302 starts. Same poisoned cache restored 2026-05-11 19:26:14 npm registry receives publish for the second-version-per-package set ( @tanstack/history@1.161.12 etc.). Same OIDC mechanism 2026-05-11 19:26:20 Run 25691781302 completes (status: failure) Detection and response # Time Event 2026-05-11 ~19:50 External researcher ( carlini ) opens issue #7383 with a complete writeup of the malicious optionalDependencies fingerprint and the package list (initially 14 of the 42) 2026-05-11 ~19:50 Researcher notifies npm security directly 2026-05-11 ~20:00 Manuel acknowledges in #7383 — incident response begins 2026-05-11 ~20:10 Manuel removes all other team push permissions on GitHub in case of user machines have been compromised 2026-05-11 ~20:30 Tanner emails security@npmjs.com with full IOC list and request to pull tarballs registry-side. Formal malware reports are submitted via npm 2026-05-11 ~21:00 Comprehensive scan of all 295 @tanstack/* packages confirms scope: 42 packages, 84 versions. Tanner begins npm deprecation process for all 84 affected packages. Public Twitter/X/LinkedIn/Bluesky disclosure from @tan_stack and maintainers 2026-05-11 21:30 Investigation identifies bundle-size.yml pull_request_target cache-poisoning vector and the zblgg/configuration fork. All cache entries for all TanStack/* GitHub repositories purged via API. Hardening PR merged: bundle-size.yml restructured, repository_owner guards added, third-party action refs pinned to SHAs. Official GitHub Security Advisory is published, CVE requested Root cause # Three vulnerabilities chained together. Each is necessary for the attack; none alone is sufficient. 1. pull_request_target "Pwn Request" pattern in bundle-size.yml # bundle-size.yml ran pull_request_target for fork PRs and, inside that trigger context, checked out the fork's PR-merge ref and ran a build: yaml on : pull_request_target : paths : [ 'packages/**' , 'benchmarks/**' ] jobs : benchmark-pr :