Summary
The TanStack npm ecosystem was hit by a supply chain attack that hijacked legitimate build pipelines to distribute malware with valid SLSA provenance. The attack harvests cloud credentials and includes a destructive dead-man's switch that deletes home directories if stolen tokens are revoked.
Take Action:
If you installed any @tanstack/* packages on May 11, 2026, treat your entire environment as compromised. Revoking tokens before disabling the monitor will trigger destruction of your home directory, so work in this order:
1. Before rotating any credentials, disable the dead-man's switch service: systemctl --user stop gh-token-monitor.service on Linux, or launchctl unload ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS.
2. Remove persistence hooks from .claude/ and .vscode/ directories.
3. After disabling persistence, rotate all secrets: GitHub tokens, AWS keys, npm tokens, SSH keys, Vault tokens, everything.
4. Block *.getsession.org at DNS level.
5. Audit your GitHub Actions workflows to pin OIDC trusted publishers to specific branches.
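The ordering above can be enforced with a read-only pre-rotation check. This is an added example, not code from the original article or from TanStack: it reports "OK" only when neither monitor artifact named in the advisory is still present, and it stops or deletes nothing. The function names, the `--check` flag and the `~/.config/systemd/user` unit location are assumptions; the advisory does not say where the unit file is installed.

```sh
#!/bin/sh
# Added example: pre-rotation gate. Read-only; it stops or deletes nothing.
UNIT="gh-token-monitor.service"                                   # name from the advisory
PLIST_REL="Library/LaunchAgents/com.user.gh-token-monitor.plist"  # path from the advisory
UNIT_DIR_REL=".config/systemd/user"  # ASSUMPTION: standard per-user unit directory

# Print monitor artifacts found on disk under home directory $1; return 0 if any.
monitor_files() {
  found=1
  for f in "$1/$PLIST_REL" "$1/$UNIT_DIR_REL/$UNIT"; do
    if [ -e "$f" ]; then echo "$f"; found=0; fi
  done
  return "$found"
}

# Return 0 if the systemd user unit is currently running (Linux only).
monitor_active() {
  command -v systemctl >/dev/null 2>&1 &&
    systemctl --user is-active --quiet "$UNIT" 2>/dev/null
}

# List every file inside .claude/ and .vscode/ directories under $1 for manual review.
hook_candidates() {
  find "$1" -type d \( -name .claude -o -name .vscode \) -prune \
    -exec find {} -type f \; 2>/dev/null
}

# Return 0 only when no monitor artifact is present, i.e. rotation can begin.
rotation_gate() {
  if monitor_files "$1" >/dev/null || monitor_active; then
    echo "BLOCKED: monitor still present; disable it before revoking any token" >&2
    monitor_files "$1" >&2 || true
    return 1
  fi
  echo "OK: no monitor artifact found under $1"
}

# Usage: sh gate.sh --check [project-root]
if [ "${1:-}" = "--check" ]; then
  rotation_gate "$HOME" || exit 1
  echo "Review these files for persistence hooks:"
  hook_candidates "${2:-$PWD}"
fi
```

A clean result covers only the two locations checked; a unit installed elsewhere would not be seen by the file test, so the `is-active` probe is the stronger signal on Linux.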
Read the full article on BeyondMachines
This article was originally published on BeyondMachines