THREATNOIR
Subscribe
Back to Feed
Supply ChainMay 11, 2026

TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack

84 TanStack npm packages were compromised in a Mini Shai-Hulud supply-chain attack, stealing credentials.

Read at source

Summary

The Socket Threat Research team detected a compromise across 84 npm packages in the tanstack namespace. The packages were modified to add a credential stealer targeting CI systems, including Github Actions. The malicious publishes were authenticated through the project’s OIDC trusted-publisher binding.

Full text

Research/Security NewsMalicious NuGet Package Impersonates Sicoob SDK to Exfiltrate Banking Certificates and PasswordsA malicious NuGet package impersonating Sicoob exfiltrated client IDs, PFX passwords, and banking certificates through Sentry telemetry. By Kirill Boychenko - May 28, 2026

Indicators of Compromise

  • hash_sha256 — ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
  • hash_sha1 — 12ed9a3c1f73617aefdb740480695c04405d7b4b
  • hash_md5 — 833fd59ebe66a4449982c6d18db656b4
  • hash_sha256 — 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
  • hash_sha1 — e7d582b98ca80690883175470e96f703ef6dc497
  • hash_md5 — b82e54923f7e440664d2d75bd31588ca
  • url — hxxp://filev2[.]getsession[.]org/file/
  • url — hxxp://169[.]254[.]169[.]254/latest/api/token
  • url — hxxp://169[.]254[.]170[.]2
  • url — hxxps://api[.]github[.]com/repos/
  • url — hxxps://registry[.]npmjs[.]org/-/npm/v1/tokens

Entities

npm (product)TanStack (vendor)Mini Shai-Hulud (campaign)GitHub Actions (technology)GitHub (vendor)AWS (vendor)