TanStack NPM Packages Credential-Stealing Malware Published via Compromised GitHub Actions OIDC Trust
Vulnerability
A supply chain attack was executed on May 11, 2026, targeting 42 different @tanstack/* packages. The attacker exploited a misconfiguration in the project's GitHub Actions workflow, specifically in its handling of the pull_request_target event, to publish malicious versions of these packages to the npm registry. The attacker poisoned the GitHub Actions cache and extracted the OIDC token from the Actions runner, which allowed the malicious versions to be published under the project's trusted publishing identity. The published malware is designed to steal credentials from various sources, including cloud metadata services and GitHub tokens, and to exfiltrate them using an encrypted dead-drop method.
Impact
The published malware executes a payload that harvests credentials from multiple sources, including cloud metadata services, GitHub tokens, SSH keys, and other sensitive locations. The stolen data is exfiltrated over an encrypted channel to a dead drop rather than to infrastructure the attacker controls directly, so there is no single command-and-control endpoint that can be blocked. Additionally, the attack propagates across npm by injecting the same malware into packages that the victim maintains.
Reproduction
The vulnerability can be reproduced by publishing a package to the npm registry using a GitHub Actions workflow that has been compromised to include malicious code. This code must be obfuscated and designed to run at install time, such as by using a fictitious npm package dependency that resolves to a malicious GitHub commit. The published package must then be installed in a way that executes the malicious code, such as by using npm, pnpm, or Yarn.
Remediation
Developers should immediately rotate any credentials that were accessible on hosts where the compromised packages were installed. It is also recommended to review cloud audit logs for any activity originating from affected hosts during the attack window.
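Deciding which hosts need credential rotation starts with knowing which lockfiles pin an affected @tanstack/* version. The triage helper below is an added example written for this advisory; it is not code from the advisory or from the TanStack project. It walks an npm lockfile (both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1), lists every @tanstack/* package present, and flags the ones whose version matches an affected-version list. The advisory does not publish the compromised version numbers, so the AFFECTED table and the two sample lockfiles are constructed placeholders to be replaced with the list from the incident notice.

```python
"""Lockfile triage for the @tanstack/* supply chain incident.

Added example, not code from the advisory or from TanStack. The affected
versions below are PLACEHOLDERS (the advisory does not list the compromised
versions); replace them with the list from the incident notice.
"""
import json
from typing import Dict, Iterator, List, Set, Tuple

# PLACEHOLDER affected versions (constructed; not from the advisory).
AFFECTED: Dict[str, Set[str]] = {
    "@tanstack/react-query": {"0.0.0-placeholder"},
    "@tanstack/router": {"0.0.0-placeholder"},
}


def iter_lock_packages(lock: dict) -> Iterator[Tuple[str, str]]:
    """Yield (name, version) for every package pinned in an npm lockfile.

    lockfileVersion 2/3 keep a flat "packages" map keyed by install path, e.g.
    "node_modules/@tanstack/react-query"; lockfileVersion 1 nests packages
    under "dependencies". Both shapes are handled so one pass covers old and
    new repositories.
    """
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        # Nested installs look like "node_modules/a/node_modules/@scope/b";
        # the package name is whatever follows the last "node_modules/".
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if "version" in meta:
            yield name, meta["version"]
    stack = [lock.get("dependencies", {})]
    while stack:
        deps = stack.pop()
        for name, meta in deps.items():
            if "version" in meta:
                yield name, meta["version"]
            if "dependencies" in meta:
                stack.append(meta["dependencies"])


def tanstack_inventory(lock: dict) -> List[Tuple[str, str]]:
    """All @tanstack/* (name, version) pairs in the lockfile, sorted.

    Useful while the affected list is still unknown and every version
    published in the attack window has to be treated as suspect.
    """
    return sorted({(n, v) for n, v in iter_lock_packages(lock)
                   if n.startswith("@tanstack/")})


def find_affected(lock: dict,
                  affected: Dict[str, Set[str]] = AFFECTED) -> List[Tuple[str, str]]:
    """@tanstack/* packages whose pinned version is on the affected list."""
    return [(n, v) for n, v in tanstack_inventory(lock)
            if v in affected.get(n, set())]


# Constructed sample lockfiles (not real projects).
SAMPLE_LOCK_V3 = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/@tanstack/react-query": {"version": "0.0.0-placeholder"},
    "node_modules/@tanstack/query-core": {"version": "1.2.3"},
    "node_modules/left-pad": {"version": "1.3.0"}
  }
}
""")

SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "2.0.0",
            "dependencies": {
                "@tanstack/router": {"version": "0.0.0-placeholder"}
            }
        }
    }
}

if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        print(label, "inventory:", tanstack_inventory(lock))
        hits = find_affected(lock)
        print(label, "ROTATE CREDENTIALS ON THIS HOST:" if hits else "no match:", hits)
```

Run it against each repository's package-lock.json; a non-empty result from find_affected marks that host (and every CI runner that installed from the lockfile during the attack window) for credential rotation and for the cloud audit-log review described above. pnpm and Yarn lockfiles use different formats and would need their own parser.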