An attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on 2026-05-11.
Key Takeaways
Three vulnerabilities chained: fork PR code executed in base-repo cache scope, poisoned pnpm store restored by release.yml, attacker binaries then extracted OIDC token from runner process memory via /proc.
Malware runs during npm install lifecycle via optionalDependencies prepare script, harvesting AWS IMDS, GCP metadata, Kubernetes tokens, ~/.npmrc, SSH keys, and GitHub tokens, then exfiltrating over Session/Oxen network.
Self-propagation: payload enumerates victim’s npm-maintained packages and republishes them with the same injection.
Anyone who ran npm/pnpm/yarn install against affected versions on 2026-05-11 should rotate all credentials reachable from that host and treat the machine as compromised.
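An added example (not from the original write-up or the affected project): a heuristic audit for the first two links of the chain above, a pull_request_target workflow that runs fork code next to a cache, and an OIDC-enabled publish workflow that restores one. The finding names and sample workflows are constructed for illustration, and the checks are line-based rather than a full YAML parse.

```python
import re

# Heuristic line-based checks, no YAML parser. Finding names are this example's own.
PRT = re.compile(r"^[ \t]*(-[ \t]*)?pull_request_target\b|^[ \t]*on[ \t]*:.*\bpull_request_target\b", re.M)
HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)|github\.head_ref")
CACHE = re.compile(r"uses:[ \t]*actions/cache(/restore|/save)?@|^[ \t]*cache[ \t]*:[ \t]*['\"]?(pnpm|npm|yarn)", re.M)
OIDC = re.compile(r"^[ \t]*id-token[ \t]*:[ \t]*write\b", re.M)

def audit_workflow(text):
    """Return sorted finding codes for one workflow file; YAML comments are ignored."""
    body = "\n".join(l.split(" #")[0] for l in text.splitlines() if not l.lstrip().startswith("#"))
    prt, cache = bool(PRT.search(body)), bool(CACHE.search(body))
    found = set()
    if prt and HEAD.search(body):
        found.add("PRT_CHECKS_OUT_FORK_HEAD")   # fork code runs with base-repo context
    if prt and cache:
        found.add("PRT_USES_BASE_CACHE")        # that run can write the shared cache
    if OIDC.search(body) and cache:
        found.add("OIDC_JOB_RESTORES_CACHE")    # publish job trusts restored cache content
    return sorted(found)

# Constructed sample workflows (not the affected project's files).
PR_CHECK = """\
on:
  pull_request_target:
jobs:
  size:
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
"""
RELEASE = """\
on:
  push:
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install && pnpm publish -r
"""
print(audit_workflow(PR_CHECK), audit_workflow(RELEASE))
```

A finding is a prompt for manual review, not proof of exploitability; a clean result on one file says nothing about caches written by other workflows in the same repository.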
Hacker News Comment Review
Commenters flagged a dead-man’s switch: the payload reportedly installs a systemd/LaunchAgent service polling GitHub every 60s that runs rm -rf ~/ if the stolen token is revoked, making revocation order critical.
Trusted Publishing (OIDC) does not prevent this class of attack; it removes local token storage but shifts risk to CI pipeline integrity. Commenters noted release-gate manual approvals are underdocumented as a required complement.
npm’s unpublish policy (blocked when dependents exist, a left-pad-era response) meant tarballs stayed installable for hours; deprecation was the only self-serve option, and removal required npm security to pull the versions server-side.
Notable Comments
@varunsharma07: @mistralai/mistralai npm package was also compromised as part of the self-propagating worm before being pulled from the registry.