Mini Shai-Hulud Hits TanStack npm Packages

Infosecurity Magazine, 12/05/2026, 14:45

Summary

AI-Generated

Key Points:

  • Mini Shai-Hulud campaign compromised 84 TanStack npm packages, injecting credential-stealing malware targeting CI systems like GitHub Actions.
  • The attack exploited legitimate release pipelines, affecting high-traffic packages such as @tanstack/react-router, with potential access to sensitive tokens across multiple cloud platforms.
  • Immediate actions include rotating credentials for affected environments and reviewing cloud audit logs for suspicious activity.

Technical Details: The attack leveraged the "Pwn Request" pattern in GitHub Actions and involved runtime extraction of OpenID Connect tokens from memory. The malicious payload was heavily obfuscated and included a new file, router_init.js.
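
The "Pwn Request" pattern named above is a workflow that runs on the privileged pull_request_target trigger while checking out the pull request's own code. As an added example (not from the article or the TanStack project), this heuristic check flags that combination in a workflow file and notes when id-token: write is also granted; both sample workflows are constructed.

```javascript
// Added example: text-based heuristic audit of a GitHub Actions workflow for
// the "Pwn Request" pattern. Hits are leads for manual review, not proof.

// Constructed sample: privileged trigger + checkout of the PR head commit.
const RISKY_WORKFLOW = `
name: ci
on:
  pull_request_target:
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
`;

// Constructed sample: same job on the unprivileged pull_request trigger.
const SAFER_WORKFLOW = RISKY_WORKFLOW
  .replace("pull_request_target:", "pull_request:")
  .replace("  id-token: write\n", "");

function auditWorkflow(yamlText) {
  // Drop YAML comment lines so commented-out config does not trigger findings.
  const text = yamlText.replace(/^[ \t]*#.*$/gm, "");
  const privilegedTrigger = /\bpull_request_target\b/.test(text);
  // Checkout of untrusted code: a ref taken from the PR head or refs/pull/.
  const checksOutPrHead = /actions\/checkout@/.test(text) &&
    /ref:\s*.*(github\.event\.pull_request\.head\.(sha|ref)|refs\/pull\/)/.test(text);
  // With id-token: write the job is allowed to request OIDC tokens.
  const oidcWritable = /id-token:\s*write\b/.test(text);
  const usesSecrets = /\$\{\{\s*secrets\./.test(text);

  const findings = [];
  if (privilegedTrigger && checksOutPrHead) {
    findings.push("pwn-request: pull_request_target checks out PR head code");
    if (oidcWritable) findings.push("exposure: id-token: write is granted to the job");
    if (usesSecrets) findings.push("exposure: repository secrets are referenced");
  }
  return { privilegedTrigger, checksOutPrHead, oidcWritable, findings };
}

console.log(auditWorkflow(RISKY_WORKFLOW).findings);
console.log(auditWorkflow(SAFER_WORKFLOW).findings);
```

The check works on raw text, so reusable workflows and refs built from intermediate variables need a manual read.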

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1070.001 - Indicator Removal on Host: File Deletion (Defense Evasion)
  • T1203 - Exploitation for Client Execution (Initial Access)
  • T1046 - Network Service Discovery (Discovery)

IOCs Mentioned:

  • git-tanstack[.]com (typosquat domain)
