The TanStack Ecosystem Supply-Chain Attack and SLSA Level 3 Bypass

The Pitch

TanStack is a suite of headless UI and data-fetching libraries (Query, Table, Router) used by nearly every major React and TypeScript engineering team. While usually praised for its performance and framework-agnostic architecture, it is currently the focal point of the most sophisticated npm supply-chain breach of 2026.

Under the Hood

Yesterday, May 11, 2026, the TanStack release pipeline was hijacked to publish 84 malicious versions across 42 packages between 19:20 and 19:26 UTC (Source: TanStack Postmortem). This was not a simple credential theft; it was an automated compromise orchestrated by the threat group TeamPCP using the 'Mini Shai-Hulud' worm (Source: StepSecurity / Wiz).

The exploit chain utilized a critical flaw in GitHub Actions (GHA) architecture. By targeting pull_request_target, the attackers poisoned the pnpm store cache, which is shared across trust boundaries from forks to the base repository (Source: Adnan Khan research). This allowed them to extract OIDC tokens directly from the runner's process memory via /proc/<pid>/mem (Source: GHSA-g7cv-rxg3-hmpx).

The most alarming aspect is the bypass of 'Trusted Publishing'. Because the compromise happened inside the legitimate GHA runner, the malicious packages were published with valid SLSA Level 3 attestations. This effectively nullified the security guarantees we have relied on for the last three years, as the build environment itself was deceptive.

The malware includes a particularly spiteful 'dead-man's switch' (gh-token-monitor.sh). If the script detects that the stolen GitHub token has been revoked, it attempts to execute rm -rf ~ / on the victim's machine (Source: Wiz / HN). It also attempts to self-propagate by searching for other packages the victim has write access to and infecting their respective pipelines.

We don't know yet how GitHub plans to address the shared object storage URI behaviour for forks, nor is there a public long-term fix for OIDC token visibility in runner memory. Detection was fast—StepSecurity and Socket flagged the anomaly within 20 minutes—but the window was long enough for numerous automated CI pipelines to pull the compromised code (Source: Cybernews).

Marcus's Take

This is a wake-up call for anyone who treats "Trusted Publishing" as a replacement for actual security audits. The fact that a package can have a valid SLSA Level 3 certificate while wiping your home directory proves our current attestation models are fragile. Do not update any TanStack dependencies for at least 72 hours. Pin your versions to known-good releases from before May 11 and, for heaven's sake, stop using pull_request_target without rigorous isolation.

Ship clean code,
Marcus.