TanStack npm Attack
84 malicious versions across 42 packages. The attacker never needed to steal a password or trick a maintainer.
On May 11, 2026, someone published credential-stealing malware to 42 @tanstack/* npm packages. The malware harvested AWS keys, SSH keys, GitHub tokens, and Kubernetes credentials from anyone who installed an affected version, then self-propagated to other packages the victim maintained. The attacker never stole a password or phished a maintainer. They made TanStack’s own CI pipeline extract its publish token from the runner’s RAM.
The attack chain
1. Pwn request
The attacker opened a PR from a throwaway fork and immediately closed it. TanStack’s bundle-size.yml used pull_request_target, which runs fork code in the base repo’s context. The workflow checked out the attacker’s code and ran it inside TanStack’s CI — no maintainer approval needed.
2. Cache poisoning
The attacker’s code wrote a payload into pnpm-store. actions/cache@v5 saved it under the key TanStack’s release workflow would later restore. The PR was deleted. The poisoned cache remained.
3. Token extraction and publish
Hours later, a maintainer merged an unrelated PR, triggering release.yml. It restored the poisoned cache, and the payload dumped the runner’s RAM to extract the OIDC publish token. Then it published 84 malicious versions directly to npm.
Root cause
pull_request_target plus a fork checkout plus a shared CI cache. GitHub called this a known-bad pattern in 2021. TanStack hadn’t audited their workflows.
None of this was new: GitHub Security Lab (2021), Adnan Khan (2024), tj-actions/changed-files (2025). The attacker copy-pasted the memory-extraction script verbatim from the tj-actions incident.
My take
CI workflow files carry more privilege than almost any code in the repo — they run as the repository itself, with access to every secret and publish token — but most teams treat them like config, not code, and don’t audit them the way they audit dependencies.
Sources: TanStack Postmortem, TanStack Followup — May 2026