
TanStack npm packages compromised in supply-chain attack targeting developer and CI secrets
Summary:
A recent npm supply-chain incident affected multiple @tanstack/* packages. Malicious versions were published to npm, and the payload reportedly executed during install.
The main risk is not only runtime usage. If a developer machine or CI runner installed an affected version, secrets available to the install process may have been exposed.
Reported targets included:
- cloud credentials
- GitHub tokens
- npm tokens
- SSH keys
- CI/deployment secrets
Practical things to check:
- lockfile versions for @tanstack/*
- npm/pnpm/yarn install logs
- package manager cache
- CI runs during the affected publish window
- GitHub/npm/cloud audit logs
- whether lifecycle scripts were enabled during install
For affected environments, the safer assumption is that exposed credentials should be rotated and dependencies should be reinstalled from a clean lockfile after moving to patched versions.
Primary advisory:
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Public tracking issue:
https://github.com/TanStack/router/issues/7383
I also maintain NPMScan and put the affected versions, IOCs, and mitigation notes into one page here:
https://npmscan.com/vulnerability/GHSA-g7cv-rxg3-hmpx
Recent npm vulnerability feed:
https://npmscan.com/latest-vulnerabilities
The bigger question: should Node.js CI pipelines disable install scripts by default, or is that still too impractical for real projects?