Six-minute supply chain blitz pushed 84 malicious versions with credential theft and disk-wiping code
# Incident Report: TanStack Supply Chain Compromise (GitHub Cache Poisoning)
## Executive Summary
In a rapid six-minute window, an attacker compromised the TanStack npm ecosystem by poisoning GitHub Actions caches through a malicious Pull Request. The breach resulted in the publication of 84 malicious package versions containing sophisticated malware designed for credential theft, self-propagation, and a "dead-man's switch" disk-wiping payload. The incident highlights a critical vulnerability in trusted publishing workflows and the ongoing risks of CI/CD cache poisoning.
## Incident Details
- **Discovery Date:** May 11, 2026, ~19:50 UTC
- **Incident Date:** May 11, 2026 (19:20 – 19:26 UTC)
- **Affected Organization:** TanStack (and broader npm/PyPI ecosystems)
- **Sector:** Information Technology / Open Source Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 11, 2026, 19:20 UTC
- **Vector:** GitHub Actions Cache Poisoning via Malicious Forked Pull Request.
- **Details:** The attacker submitted a pull request from a forked repository. Malicious scripts ran automatically when the PR was created and poisoned the build cache, using a variant of a known 2024 GitHub Action vulnerability.
### Lateral Movement
- **Technique:** OIDC Token Extraction.
- **Details:** The attacker used a poisoned cache to extract an npm OpenID Connect (OIDC) token from the GitHub Actions runner memory. This allowed the attacker to impersonate the official TanStack build process and publish packages without needing maintainer credentials.
### Data Exfiltration/Impact
- **Details:** 84 malicious versions of TanStack packages were pushed to npm. The payload targeted over 100 hardcoded paths to steal cloud credentials, SSH keys, crypto wallets, VPN configs, and shell history.
### Detection & Response
- **Discovery:** Detected by StepSecurity and reported via GitHub Issues within 30 minutes of the first malicious publication.
- **Response:** npm deprecated the affected versions; GitHub issued a security advisory (GHSA-g7cv-rxg3-hmpx) at 21:30 UTC. Affected projects on PyPI (e.g., Mistral AI) were quarantined.
## Attack Methodology
- **Initial Access:** Malicious PR from a forked repo triggering automated CI workflows.
- **Persistence:** Installation of a persistent "dead-man's switch" system user service.
- **Privilege Escalation:** Extraction of high-privilege OIDC tokens from CI runner memory.
- **Defense Evasion:** Use of trusted CI/CD pipelines to sign and publish "official" packages.
- **Credential Access:** Scraping `~/.ssh`, `~/.aws`, shell history, and messaging app data.
- **Lateral Movement:** Self-propagation capabilities embedded in the malware.
- **Exfiltration:** Automated upload of stolen secrets to attacker-controlled infrastructure.
- **Impact:** Disk-wiping command triggered if the attacker's stolen GitHub token was revoked.
## Impact Assessment
- **Financial:** High potential (theft of crypto wallets and cloud access).
- **Data Breach:** Extensive theft of developer secrets, SSH keys, and environment variables.
- **Operational:** Disruption to thousands of builds; requirement for full system wipes and secret rotations.
- **Reputational:** Significant blow to the "trusted publishing" model used by npm and GitHub.
## Indicators of Compromise
- **File Indicators:** Malicious versions of packages (e.g., `@tanstack/react-query` versions published between 19:20-19:26 UTC).
- **Behavioral Indicators:** Creation of a hidden system user service; unexpected outbound network traffic from CI runners or developer machines to unauthorized endpoints.
- **OIDC/Tokens:** Unexpected npm registry activity using OIDC tokens outside of standard release windows.
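
One way to apply the file and token indicators above to a project: compare every locked `@tanstack/` version against the incident publish window. This is an added example, not code from the report or from TanStack; the function names are hypothetical, the lockfile and publish times are constructed, and it assumes publish times were taken from the per-version `time` field of each package's npm registry metadata.

```javascript
// Incident window from the report (UTC). End is exclusive at 19:27:00 so that
// every second of minute 19:26 is covered (an assumption about precision).
const WINDOW_START = Date.parse("2026-05-11T19:20:00Z");
const WINDOW_END = Date.parse("2026-05-11T19:27:00Z");

// Constructed lockfile "packages" map (lockfileVersion 2/3); versions are placeholders.
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@tanstack/react-query": { version: "0.0.0-sample.2" },
  "node_modules/@tanstack/query-core": { version: "0.0.0-sample.1" },
  "node_modules/ui-kit/node_modules/@tanstack/react-query": { version: "0.0.0-sample.1" },
  "node_modules/@tanstack/react-table": { version: "0.0.0-sample.9" },
  "node_modules/left-pad": { version: "1.3.0" },
} };

// Constructed sample: the per-version "time" object from each package's
// registry metadata document, keyed by package name.
const sampleTimes = {
  "@tanstack/react-query": { "0.0.0-sample.1": "2026-05-01T10:00:00.000Z",
                             "0.0.0-sample.2": "2026-05-11T19:22:41.000Z" },
  "@tanstack/query-core": { "0.0.0-sample.1": "2026-05-11T19:26:59.000Z" },
};

// List every installed copy, including nested node_modules directories.
function lockedPackages(lock) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf("node_modules/");
    if (i === -1 || !meta.version) continue; // root project or link entry
    out.push({ path, version: meta.version,
               name: meta.name || path.slice(i + "node_modules/".length) });
  }
  return out;
}

// Flag scoped packages published inside the window; a version with no known
// publish time is reported too, so missing metadata never reads as "clean".
function findWindowHits(lock, timesByName, scope = "@tanstack/") {
  const hits = [];
  for (const dep of lockedPackages(lock)) {
    if (!dep.name.startsWith(scope)) continue;
    const published = timesByName[dep.name]?.[dep.version];
    const t = published ? Date.parse(published) : NaN;
    if (Number.isNaN(t)) hits.push({ ...dep, verdict: "unknown-publish-time" });
    else if (t >= WINDOW_START && t < WINDOW_END)
      hits.push({ ...dep, published, verdict: "in-incident-window" });
  }
  return hits;
}
console.log(findWindowHits(sampleLock, sampleTimes));
```

Any `in-incident-window` hit means the machine or runner that installed it falls under the secret-rotation guidance in the Recommendations; `unknown-publish-time` entries need their metadata fetched before they can be cleared.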
## Response Actions
- **Containment:** Rapid deprecation of 84 npm package versions.
- **Eradication:** Quarantining affected PyPI projects (Mistral AI).
- **Recovery:** Public advisory issued to developers to rotate all secrets and consider local environments compromised.
## Lessons Learned
- **Caches are Attack Vectors:** GitHub Actions caches can be poisoned by external PRs if not strictly isolated.
- **The "Trusted" Fallacy:** Even official packages from reputable maintainers can be compromised without the maintainer's account being hacked.
- **OIDC Risks:** OIDC tokens in runner memory are high-value targets that require modern memory protections.
## Recommendations
1. **Rotate All Secrets:** Any developer who ran `npm install` for TanStack on May 11, 2026, must rotate SSH keys, AWS/Cloud tokens, and VPN credentials.
2. **Isolate CI Builds:** Configure GitHub Actions to prevent PRs from forks from accessing or writing to the primary cache.
3. **Use Ephemeral Environments:** Perform software development and testing in isolated containers or disposable VMs to limit the impact of disk-wiping payloads.
4. **Audit OIDC Permissions:** Implement the "least privilege" principle for OIDC tokens to ensure they can only publish specific packages.