Skip to main content

Shai-Hulud-Style npm Worm Hits @tanstack

May 12, 2026

NPM packages tied to @tanstack, @mistralai, @uipath, @squawk, and safe-action were compromised in a coordinated release, using a drop-and-execute flow to steal GitHub credentials and cloud secrets during installation. The update matters to enterprise IT and security teams because it combines credential theft with automated propagation across npm publishers.

Research Overview

The vendor describes a supply-chain compromise affecting npm packages published under multiple namespaces, beginning with @tanstack/history versions 1.161.9 and 1.161.12. The report characterizes the activity as using a classic drop-and-execute pattern to run an infostealer and then leverage harvested credentials to publish further malicious packages.

The post also compares the behavior to past Shai-Hulud-style compromises and to a recently cited [email protected] incident, describing the package outcomes as resembling worm-like propagation through credential reuse.

Key Findings

According to the blog, compromised packages execute an installation-time script that downloads the Bun runtime from GitHub, then runs a payload that harvests GitHub credentials. The same execution also reaches a lookalike domain, git-tanstack.com, for command-and-control.

The blog states that the activity includes targeting cloud environments by querying AWS instance metadata and then attempting to move from instance role credentials to broader access using AWS tooling and endpoints across multiple regions. It adds that the Bun binary self-deletes after execution to limit forensic traces.

Technical Breakdown

The vendor’s described flow begins during npm install when a compromised package runs a script that fetches Bun from codeload.github.com and executes tanstack_runner.js via bun run. The payload then uses an gh auth token to collect GitHub credentials.

For control, the payload contacts git-tanstack.com, described as a lookalike domain intended to blend into legitimate tanstack.com traffic. For cloud reach, the blog says it queries AWS IMDS, walks across STS and SSM endpoints, and attempts escalation from instance role credentials into wider AWS account access via Session Manager.

Affected Packages

The blog enumerates affected versions across @tanstack, including @tanstack/history (1.161.9, 1.161.12), @tanstack/react-router (1.169.5, 1.169.8), and additional @tanstack packages such as @tanstack/router-core (1.169.5, 1.169.8) and @tanstack/start-client-core (1.168.5, 1.168.8). It also lists multiple versions for @tanstack/* router, start, devtools, and adapters.

The post further lists compromised packages under @mistralai (including @mistralai/mistralai versions 2.2.2, 2.2.3, 2.2.4), @uipath (including @uipath/cli 1.0.1), and @squawk (including @squawk/mcp 0.9.1 through 0.9.4 and other named modules). It includes safe-action versions 0.8.3 and 0.8.4.

Operational Impact

The vendor indicates that the multi-namespace wave included releases published across more than 50 packages, and it describes the pattern as similar to earlier incidents where credentials enabled automated publishing of additional infected packages. The blog states that this publishing behavior suggests another wave of infected packages is likely incoming.

The post advises organizations that installed any of the affected versions to check for suspicious activity, rotate GitHub credentials, and audit AWS credentials accessible from machines where the packages were installed.

This blog summary reports a Shai-Hulud-style npm compromise affecting multiple package namespaces, describing install-time infostealer behavior that harvests GitHub credentials and then attempts AWS credential escalation and further malicious publishing. Blog Signals brief is a fact-based summary of the vendor blog.