An attacker poisoned 84 TanStack npm versions across 42 packages, stealing GitHub OIDC tokens and cloud keys while planting a dead-man’s switch that nukes your system.
The attacker’s timing was specific. A fork, a hidden commit, a zero-diff pull request, and then nothing visible for nearly eight hours.
On May 11, between 19:20 and 19:26 UTC, 84 malicious versions spread across 42 official @tanstack npm packages hit the registry. According to @IntCyberDigest on X, @tanstack/react-router alone pulls more than 12 million weekly downloads. That is what made it the right target.
The Credential Sweep Nobody Saw Coming
The payload, a roughly 2.3 MB obfuscated file called router_init.js, ran the moment a developer or CI pipeline executed npm install. It then swept the host for AWS IMDS credentials, GCP metadata, Kubernetes service-account tokens, Vault tokens and SSH private keys. It went through all of them.
TanStack maintainer Tanner Linsley confirmed the entire team had 2FA enabled. Per the postmortem published on tanstack.com, none of it mattered. The attack chain did not need npm credentials at all.
Exfiltration ran through the Session/Oxen messenger network, specifically filev2.getsession.org and seed1 through seed3.getsession.org. End-to-end encrypted. No attacker-controlled command-and-control server to block by IP. The playbook of the earlier npm worm that stole crypto keys, adapted and upgraded.
How a Zero-Diff PR Poisoned the Entire Release Pipeline
The setup started a day earlier. A fork of TanStack/router, renamed github.com/zblgg/configuration to dodge fork-list searches, received a malicious commit on May 10 at 23:29 UTC. Fabricated identity: claude@users.noreply.github.com. Not the Anthropic product. A made-up email.
PR #7378 opened the next morning. The pull_request_target workflow trigger, a long-documented dangerous pattern, ran benchmark jobs using the fork’s code. Because that trigger runs in the context of the base repository, with its token and its cache scope, executing the fork’s code handed both to the PR author. That was enough.
The poisoned pnpm store cache got saved under the exact key release.yml would look for later. The attacker then force-pushed the PR back to a zero-file no-op and closed it. Cache persisted. Researcher Adnan Khan documented this class of attack in 2024. The attacker lifted the technique almost verbatim, attribution comment included.
When maintainer Manuel later merged an unrelated PR pushing a CSS.supports fix to main, the release workflow fired and restored the poisoned cache. GitHub credentials were then harvested through the same GitHub-based credential theft method seen in prior campaigns.
The Dead-Man’s Switch
Researcher carlini, posting on GitHub issue #7383, flagged something else inside the payload. A script installed as a systemd service on Linux and a LaunchAgent on macOS, polling api.github.com every 60 seconds with the stolen token. If that token gets revoked, the script runs rm -rf. Your home directory, gone.
“Please be careful when revoking tokens,” carlini wrote in the thread. Left it at that.
Security researcher ahmadnassri noted on the tracking issue that socket.dev was tracking 84 individual @tanstack PURLs plus the worm propagating to 200 or more other packages.
The OIDC Trick That Made It All Look Clean
The poisoned versions carried valid cryptographic provenance. The publish came through GitHub Actions’ OIDC trusted-publisher binding for TanStack/router’s release workflow. To npm, the packages looked identical to anything Linsley would have shipped himself.
This is the part that rattles defenders. The payload did not need anyone’s npm token. It minted a publish-capable OIDC token by reading runner memory directly, locating the GitHub Actions Runner.Worker process through /proc entries and dumping it. Same Python script used in the tj-actions/changed-files compromise of March 2025.
@IntCyberDigest described it on X as the first documented npm worm shipping with a valid, signed certificate of authenticity.
Detection came from outside. Researcher ashishkurmi, working for StepSecurity, flagged it publicly within 20 minutes of the malicious publish. Carlini filed a report to npm directly moments before the GitHub issue went up.
Packages confirmed clean: @tanstack/query, @tanstack/table, @tanstack/form, @tanstack/virtual, @tanstack/store. Everyone who installed an affected package on May 11 should rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials immediately.
The team has since deprecated all 84 versions and engaged npm security to pull tarballs from the registry.