TanStack Router npm Packages Compromised in Supply Chain Attack
On May 11, 2026, the TanStack team disclosed that several of the latest releases of its npm packages had been compromised in a supply chain attack. The affected packages include @tanstack/react-router, @tanstack/router-devtools, and others. The attack was first reported via GitHub issue #7383 on the TanStack Router repository, which has 14.4k stars and 1.7k forks.
Attack Details
The incident was discovered when users reported that the latest versions of these packages (e.g., @tanstack/react-router@1.45.0) contained unexpected code. The TanStack team immediately began investigating and published a postmortem at tanstack.com/blog/npm-supply-chain-compromise-postmortem. A third-party security analysis is also available from StepSecurity: www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem. The attack is described as a "self-spreading supply chain attack" that targets the npm ecosystem.
What You Need to Do
- Check your lockfiles: If you use `package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`, verify that you are not using the compromised versions. The affected versions are the latest releases around May 11, 2026.
- Rotate credentials: Any API keys, tokens, or secrets that might have been exposed during CI/CD or local development should be rotated immediately.
- Audit your dependencies: Run `npm audit` or `yarn audit` to identify any compromised packages. Use `npm ls @tanstack/react-router` to check which version you have.
- Pin your versions: Temporarily pin to a known safe version (e.g., `@tanstack/react-router@1.44.0`) until an official patched release is available.
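The lockfile check above can be scripted rather than done by eye. The following is an added example, not code from the advisory or from the TanStack project: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) and flags any watched package installed at a version newer than an assumed known-safe floor, with no `integrity` field, or resolved from somewhere other than the default registry. The safe floor for `@tanstack/react-router` is the 1.44.0 pin the advisory cites; the `router-devtools` floor and the sample lockfile (including its `integrity` values) are constructed placeholders.

```javascript
// Added example (not from the TanStack advisory or the TanStack project):
// scan a package-lock.json (lockfileVersion 2 or 3, "packages" map) for
// watched packages installed above an assumed known-safe version floor, or
// with lockfile anomalies that deserve a second look.

// Assumed known-safe floor per package. The advisory cites
// @tanstack/react-router@1.44.0 as a safe pin; the router-devtools value is a
// placeholder to replace with whatever the postmortem confirms.
const SAFE_VERSIONS = {
  "@tanstack/react-router": "1.44.0",
  "@tanstack/router-devtools": "1.44.0",
};

const DEFAULT_REGISTRY = "https://registry.npmjs.org/";

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator-style result (-1, 0, 1); pre-release suffixes are ignored.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Lockfile keys look like "node_modules/@scope/name" or, for nested
// installs, "node_modules/a/node_modules/@scope/name"; take the last segment.
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? path : path.slice(idx + marker.length);
}

function findSuspectPackages(lockfile, safeVersions) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageNameFromPath(path);
    if (!(name in safeVersions) || !entry.version) continue;
    const flags = [];
    if (compareSemver(entry.version, safeVersions[name]) > 0) {
      flags.push("newer-than-safe-floor");
    }
    if (!entry.integrity) flags.push("missing-integrity");
    if (entry.resolved && !entry.resolved.startsWith(DEFAULT_REGISTRY)) {
      flags.push("non-default-registry");
    }
    if (flags.length > 0) findings.push({ path, name, version: entry.version, flags });
  }
  return findings;
}

// Wrapper for raw lockfile text, e.g. the result of fs.readFileSync.
function scanLockfileText(jsonText, safeVersions = SAFE_VERSIONS) {
  return findSuspectPackages(JSON.parse(jsonText), safeVersions);
}

// Constructed sample lockfile, not a real project's file; the integrity
// strings are placeholders, not real hashes.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@tanstack/react-router": "^1.44.0" } },
    "node_modules/@tanstack/react-router": {
      version: "1.45.0",
      resolved: "https://registry.npmjs.org/@tanstack/react-router/-/react-router-1.45.0.tgz",
      integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH",
    },
    "node_modules/@tanstack/router-devtools": {
      version: "1.44.0",
      resolved: "https://registry.npmjs.org/@tanstack/router-devtools/-/router-devtools-1.44.0.tgz",
      integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH",
    },
    "node_modules/react": {
      version: "18.3.1",
      resolved: "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
      integrity: "sha512-PLACEHOLDER-NOT-A-REAL-HASH",
    },
  },
};

for (const f of findSuspectPackages(SAMPLE_LOCKFILE, SAFE_VERSIONS)) {
  console.log(`${f.path}@${f.version}: ${f.flags.join(", ")}`);
}
```

Against the constructed sample the scan reports only `node_modules/@tanstack/react-router@1.45.0` as newer than the safe floor. The `integrity` and `resolved` checks do not confirm that a tarball is benign; they catch entries that were edited or that point outside the registry, which is a different failure mode from a malicious version published through the normal channel.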
Technical Indicators
According to the StepSecurity blog, the attack involved publishing malicious packages that masqueraded as legitimate updates. The malicious code was designed to exfiltrate environment variables and spread to other projects in the build pipeline. This is reminiscent of the "Shai Hulud" attack pattern, which uses typosquatting and dependency confusion.
Timeline
- May 11, 2026: Issue #7383 opened by a user reporting compromised packages.
- May 11, 2026: TanStack team confirms the incident and begins investigation.
- May 11, 2026: Postmortem published and pinned by maintainer schiller-manuel.
Impact
TanStack Router is a widely used library for React applications, with over 14k stars on GitHub. Any project that installed the latest versions of these packages between the attack and the disclosure could be compromised. The attack is particularly dangerous because it targets the supply chain, meaning that downstream users of those packages are also at risk.
Prevention
This incident highlights the importance of:
- Using lockfiles: Always commit lockfiles to version control to prevent unexpected dependency changes.
- Enabling 2FA: Maintainers should use two-factor authentication on npm and GitHub accounts.
- Monitoring npm packages: Tools like `npm audit`, Snyk, or GitHub Dependabot can alert you to malicious packages.
- Verifying package integrity: Use npm's integrity checking or compare checksums with published values.
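A committed lockfile only prevents unexpected dependency changes if someone actually reviews what changed in it. The following is an added example, not code from the advisory or from the TanStack project: it diffs two `package-lock.json` documents (lockfileVersion 2 or 3) and classifies each changed entry, separating routine version bumps from the case that a normal release never produces, namely the same version string now pointing at a different tarball `integrity` hash. The two sample lockfiles, the package `constructed-extra-dep`, and all hash values are constructed for the example.

```javascript
// Added example (not from the TanStack advisory or project): diff two
// package-lock.json "packages" maps so a lockfile change can be reviewed
// like any other code change. "integrity-changed" (same version, different
// tarball hash) is the category that should always stop a merge.

function diffLockfiles(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const changes = [];
  const paths = new Set([...Object.keys(a), ...Object.keys(b)]);
  for (const path of paths) {
    if (path === "") continue; // root project entry
    const x = a[path];
    const y = b[path];
    if (!x) {
      changes.push({ path, kind: "added", to: y.version });
    } else if (!y) {
      changes.push({ path, kind: "removed", from: x.version });
    } else if (x.version !== y.version) {
      changes.push({ path, kind: "version-changed", from: x.version, to: y.version });
    } else if (x.integrity !== y.integrity) {
      changes.push({ path, kind: "integrity-changed", from: x.integrity, to: y.integrity });
    } else if (x.resolved !== y.resolved) {
      changes.push({ path, kind: "resolved-changed", from: x.resolved, to: y.resolved });
    }
  }
  // Code-point order so output is deterministic across locales.
  return changes.sort((p, q) => (p.path < q.path ? -1 : p.path > q.path ? 1 : 0));
}

// Everything except version bumps that were explicitly expected (e.g. the
// packages a dependency-update PR says it touches) needs a human look.
function reviewRequired(changes, expectedBumps = []) {
  return changes.filter(
    (c) => c.kind !== "version-changed" || !expectedBumps.includes(c.path)
  );
}

// Constructed sample lockfiles; hashes are placeholders, not real values.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/@tanstack/react-router": { version: "1.44.0", integrity: "sha512-A-PLACEHOLDER" },
    "node_modules/@tanstack/router-devtools": { version: "1.44.0", integrity: "sha512-B-PLACEHOLDER" },
    "node_modules/react": { version: "18.3.1", integrity: "sha512-C-PLACEHOLDER" },
  },
};

const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    // routine-looking bump
    "node_modules/@tanstack/react-router": { version: "1.45.0", integrity: "sha512-D-PLACEHOLDER" },
    // same version, different tarball hash: the suspicious case
    "node_modules/@tanstack/router-devtools": { version: "1.44.0", integrity: "sha512-E-PLACEHOLDER" },
    "node_modules/react": { version: "18.3.1", integrity: "sha512-C-PLACEHOLDER" },
    // constructed package name, added out of nowhere
    "node_modules/constructed-extra-dep": { version: "0.0.1", integrity: "sha512-F-PLACEHOLDER" },
  },
};

for (const c of reviewRequired(diffLockfiles(LOCK_BEFORE, LOCK_AFTER))) {
  console.log(`${c.kind}: ${c.path} ${c.from || ""} -> ${c.to || ""}`);
}
```

Run it over `git show HEAD~1:package-lock.json` and the working copy (parsed with `JSON.parse`) in a pre-merge check, passing the paths a dependency-update change is expected to bump as `expectedBumps`; anything left in the result is a reason to hold the merge until someone explains it.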
Next Steps
If you are a TanStack Router user, immediately check your project for compromised versions. If you find any, assume that your environment is compromised and rotate all secrets. Stay tuned for the official patched release, which will be announced on the TanStack blog and GitHub repository.
For non-TanStack users, this is a wake-up call: supply chain attacks are becoming more sophisticated. Review your own dependency management practices and consider implementing additional security measures like package signing or using a private registry with curation.
References
- TanStack Router GitHub issue: https://github.com/TanStack/router/issues/7383
- StepSecurity blog: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- TanStack postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem