
Malicious “tanstack” Package Hijacks npm to Steal Dev Secrets

On April 29, 2026, a supply chain attack hit the JavaScript ecosystem. An attacker registered the unscoped package name “tanstack” on npm as a typosquat of the TanStack organization (known for TanStack Query).

The real TanStack libraries are published under the @tanstack/ scope (for example @tanstack/react-query), so the bare name was free for anyone to claim, and the malicious package sat waiting for developers to omit the scope. During a 27-minute window the attacker published four versions that silently read .env files, the place where API keys and database credentials usually live, and sent their contents to an attacker-controlled endpoint.


The Attack: The “Postinstall” Trap

The attack relied on a postinstall hook: a lifecycle script declared in the package’s package.json that npm runs automatically, without any prompt, once the package has been unpacked during npm install. Install-time scripts run with the installing user’s privileges and full filesystem access, and they run for transitive dependencies just as they do for direct ones. npm skips them only when the install is run with --ignore-scripts.

The Mechanics of the Theft:

  • The Disguise: The package was branded as “TanStackPlayer,” with a professional-looking README, sponsorship badges, and badges showing fake download counts, enough to survive a casual glance.
  • The Trigger: Any developer (or CI job) running npm install tanstack without the @ scope got the postinstall script, which scanned the project directory it had been installed into for .env files.
  • The Exfiltration: Stolen data was posted to an endpoint on Svix, a legitimate webhook-delivery service. The traffic therefore went over HTTPS to a reputable SaaS domain, so egress controls that allow well-known services, or that only block known-bad destinations, let it through.

Live Evolution: From 2.0.4 to 2.0.7

Researchers from Aikido observed the attacker actively “debugging” the malware in real time as victims began installing it: four versions went out in 27 minutes, each changing what the script collected.

  • 2.0.4 (risk: High): Read .env and .env.local and sent them unconditionally; nothing in the package gated the exfiltration.
  • 2.0.5 (risk: Medium): Switched the target to README.md, apparently to confirm that the webhook endpoint was receiving data.
  • 2.0.6 (risk: Critical): The most dangerous build. A collectEnvFiles() function swept every file whose name starts with .env (.env.staging, .env.production and so on) and sent them all in a single request.
  • 2.0.7 (risk: Critical): Reverted to reading only .env, but declared version 2.0.6 of itself as a dependency, so installing 2.0.7 still pulled in 2.0.6 and its sweep still ran.



What Was Stolen?

The files this script targeted act as the “keys to the kingdom” of a modern development setup. If an affected version ran on your machine or on a CI runner, assume the attacker now holds:

  • AWS Access Keys and Cloud secrets.
  • GitHub Personal Access Tokens (PATs).
  • npm Publish Tokens (allowing them to hijack your packages).
  • Stripe, OpenAI, and Twilio API Keys.
  • Database connection strings for production environments.

Immediate Action Plan for Developers

If you suspect that you or your CI/CD pipeline installed the “tanstack” package between 17:08 and 17:35 UTC on April 29, follow these steps. Treat that as the publication window rather than the exposure window: a lockfile that pinned one of the affected versions, or a warm npm cache, could have installed it again later, so check any project that ever resolved the unscoped name.

1. Identify the Infection

Run this from the repository root to search every lockfile in the tree for the unscoped package at an affected version. A plain search for “tanstack” matches every legitimate @tanstack/* package, so the pattern below looks for the unscoped name immediately followed by an affected version (npm, pnpm and Yarn Berry lockfile forms) or for its tarball URL (package-lock.json and Yarn classic):

Bash

grep -rnE --include=package-lock.json --include=yarn.lock --include=pnpm-lock.yaml \
  'tanstack/-/tanstack-2\.0\.[4-7]\.tgz|(^|[^@a-z-])tanstack@(npm:)?2\.0\.[4-7]' .

Note: The affected versions are 2.0.4, 2.0.5, 2.0.6 and 2.0.7. Because 2.0.7 depends on 2.0.6, a project that installed 2.0.7 usually shows both, the second nested under node_modules/tanstack/node_modules/tanstack. Also look at node_modules/tanstack/package.json directly, in case the package was installed and the lockfile change later discarded.

2. Full Secret Rotation

If an affected version is found, assume every secret in every .env* file of that project is compromised, including any injected into a CI runner. Rotate first and investigate second:

  • AWS Keys: Deactivate and then delete the old access keys, and review CloudTrail for API calls made with them after the install time.
  • GitHub/npm Tokens: Revoke every token that was present in those files, especially any with “write” or “admin” scope; for npm, also check the recent publish history of the packages those tokens could publish.
  • Database and third-party API credentials: Rotate the passwords in connection strings and the Stripe, OpenAI and Twilio keys listed above.
  • Environment Files: Replace every value in .env, .env.local, .env.production and any other .env* file, and rotate the matching credential on the provider side; a new value in the file alone does nothing while the old credential still works.

3. Clean the Cache

Clearing the npm cache removes the cached tarball so that a later install cannot resurrect it from disk; it does not undo anything the script already did, so it comes after removing node_modules/tanstack and rotating secrets, not instead of them. Before clearing, note that the cache index under ~/.npm/_cacache/index-v5 records the URL of every tarball npm has fetched, so searching it for tanstack-2.0 tells you whether this machine ever downloaded an affected version, which is worth knowing on a shared CI runner. Then:

Bash

npm cache clean --force
