TanStack Attack: How SLSA Provenance Was Weaponised Against the CI/CD Trust Chain

The Attack That Broke a Security Guarantee

Software supply chain security has a foundational assumption: if a package carries valid provenance, it was built from trusted source code by a trusted CI/CD system. The TanStack attack of May 2026 shattered that assumption.

According to Rescana’s detailed post-mortem, threat group TeamPCP did not forge provenance, bypass a signing key, or exploit a vulnerability in the SLSA specification itself. They did something more insidious: they hijacked the legitimate CI/CD runner using OIDC token extraction from process memory, then used that runner’s own identity to publish malicious packages. The packages were, by every verifiable measure, built from within GitHub’s infrastructure using the project’s own credentials. SLSA provenance was accurate — and useless.

The attack unfolded across 20-26 minutes on the evening of May 11, 2026 UTC. Within that window, 84 malicious versions of 42 @tanstack packages were published. Within hours, the self-replicating payload had spread to over 200 additional packages including @mistralai and @uipath components. By May 12, npm had removed the malicious tarballs — but the incident had already exposed the critical gap between what SLSA guarantees and what developers assume it guarantees.

What TeamPCP Actually Did

The attack chain has four phases that every CI/CD engineer should understand.

Phase 1 — Cache Poisoning: An attacker-controlled fork introduced malicious binaries into the GitHub Actions cache. These binaries were not detected as malicious because the cache is not subject to the same scanning as committed source code.

Phase 2 — OIDC Token Extraction: During a standard workflow run that restored the poisoned cache, the malicious binaries extracted OpenID Connect tokens directly from the runner’s process memory. OIDC tokens are short-lived, bearer-token credentials that GitHub Actions uses to authenticate to external services — including npm. No long-lived secrets were needed; the runner itself was the credential.

Phase 3 — Malicious Publication: Using the stolen OIDC token, TeamPCP published 84 package versions to npm under the @tanstack namespace. Because the token was legitimate and the packages were published from within GitHub’s IP ranges, npm’s fraud detection did not trigger.

Phase 4 — Payload Execution: Each malicious version contained a 2.3 MB obfuscated JavaScript file named router_init.js that harvested AWS credentials, GCP tokens, GitHub tokens, SSH keys, and Kubernetes tokens from the developer’s environment and exfiltrated them via the Session/Oxen decentralised messenger network. A destructive persistence daemon named gh-token-monitor would wipe the user’s home directory if GitHub tokens were later revoked — creating a catastrophic secondary consequence for organisations that detected the compromise and rotated credentials.

The NHS Digital Cyber Alerts bulletin CC-4781 confirmed the multi-ecosystem scope of the attack and its impact on healthcare sector tooling, underscoring that TanStack’s router libraries are embedded far beyond JavaScript-native teams.

What Engineering Teams Should Do About It

1. Treat SLSA Provenance as Necessary but Not Sufficient

The TanStack incident reframes SLSA provenance from a trust signal to a traceability signal. Provenance tells you where a package was built; it does not tell you whether the build environment was clean at that moment. Organisations that removed non-provenance-attested packages from their allow-lists after 2024 now need to add a second layer: runtime behaviour analysis and post-install scanning. Tools such as Socket.dev’s supply chain monitoring or GitHub Advanced Security’s dependency review flag behavioural anomalies (network calls at install time, process spawning, credential-path access patterns) that provenance cannot surface.

2. Isolate GitHub Actions Runners From Credential Stores

The OIDC token extraction in the TanStack attack required the malicious binary to run in process on the Actions runner. Organisations can limit the blast radius by ensuring that CI/CD runners do not have direct access to production credential stores, cloud IAM roles with write permissions, or npm publish tokens with broad scope. Use short-lived, scoped OIDC tokens with explicit audience restrictions, and rotate publish credentials after every release cycle. GitHub’s fine-grained npm publish tokens — which restrict publication to specific packages and automation contexts — were specifically designed for this threat model.

3. Audit Every GitHub Actions Cache Entry This Sprint

The attack entry point was a poisoned cache entry. GitHub Actions cache is writable by anyone with repository write access, including contributors via fork pull requests under certain configurations. Run an immediate audit: list all active cache keys (gh cache list), verify the workflow that created each cache entry, and delete any cache entries that cannot be attributed to a known, clean workflow run. Going forward, pin cache keys to commit SHAs rather than branch names, and enable the “Do not save cache for failed workflows” setting to prevent a partially poisoned run from persisting its cache.

4. Pin Dependencies to Verified Digest Hashes, Not Version Ranges

Package version ranges (^1.2.0, ~2.3) are the mechanism that allowed the TanStack malicious packages to be automatically pulled by projects that already trusted the @tanstack namespace. Pin every direct and transitive dependency to an immutable digest hash in your lockfile, and verify that your CI/CD pipeline fails if the lockfile has changed without a corresponding code review. Tools like Renovate Bot can automate digest updates while preserving the pin discipline.

5. Subscribe to Ecosystem Security Feeds and Automate Response

The TanStack incident was detected by an external researcher within 20-26 minutes — faster than most organisations’ internal security alerting. Organisations using @tanstack packages would have had an actionable signal within the hour if they subscribed to npm security advisories, GitHub Security Advisories, or third-party feeds like OSV.dev. Automate the response: configure your dependency management pipeline to block builds automatically when a package appears on any of these feeds, without waiting for a human to triage the alert.

The Structural Lesson: Trust Chains Are Only as Strong as Their Weakest Assumption

The TanStack attack is a precise demonstration of a second-order supply chain risk: adversaries who cannot break your cryptographic controls will instead compromise the context in which those controls are exercised. SLSA provenance is cryptographically sound. OIDC tokens are cryptographically sound. The runner process memory is not.

Unit 42’s ongoing monitoring of npm supply chain attacks documents a clear trend: attack sophistication is increasing faster than the adoption of defensive controls. The industry’s response to the 2020 SolarWinds attack was to demand software bills of materials (SBOMs) and build provenance. The TanStack attack demonstrates that attackers have already adapted — they are now using those same provenance mechanisms as cover.

The practical implication is uncomfortable: there is no single control that makes a CI/CD pipeline trustworthy. Defence requires layering — provenance attestation, runtime behaviour monitoring, dependency pinning, runner isolation, and rapid ecosystem alerting — none of which is sufficient alone. Organisations that deployed SLSA and then reduced other controls on the assumption that provenance “solved” supply chain risk have made their pipelines more brittle, not less.

The May 2026 incident should reset that assumption permanently.

Frequently Asked Questions

Sources & Further Reading

• TanStack npm Supply Chain Attack — Detailed Analysis — Rescana
• Monitoring npm Supply Chain Attacks — Unit 42, Palo Alto Networks
• Strengthening Supply Chain Security — GitHub Blog
• Cyber Alert CC-4781: TanStack Supply Chain Compromise — NHS Digital
• Instructure Reaches Ransom Agreement — The Hacker News