Critical Supply Chain Attack targeting TenStack affecting multiple NPM & PyPi Packages

May 11, 2026

Critical Supply Chain Attack targeting TenStack affecting multiple NPM & PyPi Packages

Another TeamPCP NPM supply-chain attack hitting TanStack and worming to other dependencies across NPM and other package managers, affecting over 200 affected versions of widely distributed packages.

Executive Summary

On May 11^th between 19:20 and 19:26 UTC, an attacker published 42 malicious TanStack npm packages with multiple malicious versions per package. An aggregate download count of all the packages affected reaches in the tens of millions, increasing the severity of the attack substantially. These malicious package versions targeted Continuous Integration Continuous Delivery (CI/CD) systems to steal build and production environment credentials across multiple services and continue to publish additional malicious packages. Malicious payloads from this attack targeted credentials from AWS, GCP, Kubernetes, Vault, Github, npm, pip, SSH, commercial VPN configurations, messaging applications, and cryptocurrency wallets. At the time of writing, at least three other libraries were affected by similar malware, including Python pip and PHP Composer packages.

The initial malicious libraries published by TenStack to npm were identified as malware within the hour by Ashish Kurmi, an external researcher for StepSecurity. Tenstack removed and purged their Github cache entries within two hours of the initial compromise.

This malicious behavior mirrors many patterns within the recent Shai-Hulud attacks and is attributed to TeamPCP. The attack exacerbates the trend of the group targeting victim CI/CD dependencies to hit developers. This attack specifically targets the Github OpenID Connect (OIDC) federation mechanism, which mints a new valid npm publish token on the compromised CI identity. This ensures affected packages have a “verified provenance” badge in npm, commonly used to delineate rouge package deployments, and ensures that a CI/CD publish step does not need to complete for the worm to propagate.

Organizations that are affected should immediately audit installed packages to confirm whether any of the affected libraries were installed. If so, treat the machine as compromised and follow the Mitigations and Workarounds below.

Affected Systems or Products

Product	Affected Version	Package Manager
@beproduct/nestjs-auth	0.1.2 - 0.1.19	npm
@cap-js/db-service	2.2.2 2.10.1	npm
@dirigible-ai/sdk	0.6.2 0.6.3	npm
@draftauth/client	0.2.1 0.2.2	npm
@draftauth/core	0.13.1 0.13.2	npm
@draftlab/auth	0.24.1 0.24.2	npm
@draftlab/auth-router	0.5.1 0.5.2	npm
@draftlab/db	0.16.1 0.16.2	npm
@mesadev/rest	0.28.3	npm
@mesadev/saguaro	0.4.22	npm
@mesadev/sdk	0.28.3	npm
@mistralai/mistralai	2.2.2 - 2.2.4	npm
@mistralai/mistralai-azure	1.7.1 - 1.7.3	npm
@mistralai/mistralai-gcp	1.7.1 - 1.7.3	npm
@ml-toolkit-ts/preprocessing	1.0.2 1.0.3	npm
@ml-toolkit-ts/xgboost	1.0.3 1.0.4	npm
@opensearch-project/opensearch	3.5.3 3.6.2 3.7.0 3.8.0	npm
@squawk/airport-data	0.7.4 - 0.7.8	npm
@squawk/airports	0.6.2 - 0.6.6	npm
@squawk/airspace	0.8.1 - 0.8.5	npm
@squawk/airspace-data	0.5.3 - 0.5.7	npm
@squawk/airway-data	0.5.4 - 0.5.8	npm
@squawk/airways	0.4.2 - 0.4.6	npm
@squawk/fix-data	0.6.4 - 0.6.8	npm
@squawk/fixes	0.3.2 - 0.3.6	npm
@squawk/flight-math	0.5.4 - 0.5.8	npm
@squawk/flightplan	0.5.2 - 0.5.6	npm
@squawk/geo	0.4.4 - 0.4.8	npm
@squawk/icao-registry	0.5.2 - 0.5.6	npm
@squawk/icao-registry-data	0.8.4 - 0.8.8	npm
@squawk/mcp	0.9.1 - 0.9.5	npm
@squawk/navaid-data	0.6.4 - 0.6.8	npm
@squawk/navaids	0.4.2 - 0.4.6	npm
@squawk/notams	0.3.6 - 0.3.10	npm
@squawk/procedure-data	0.7.3 - 0.7.7	npm
@squawk/procedures	0.5.2 - 0.5.6	npm
@squawk/types	0.8.1 - 0.8.5	npm
@squawk/units	0.4.3 - 0.4.7	npm
@squawk/weather	0.5.6 - 0.5.10	npm
@supersurkhet/cli	0.0.2 - 0.0.7	npm
@supersurkhet/sdk	0.0.2 - 0.0.7	npm
@tallyui/components	1.0.1 - 1.0.3	npm
@tallyui/connector-medusa	1.0.1 - 1.0.3	npm
@tallyui/connector-shopify	1.0.1 - 1.0.3	npm
@tallyui/connector-vendure	1.0.1 - 1.0.3	npm
@tallyui/connector-woocommerce	1.0.1 - 1.0.3	npm
@tallyui/core	0.2.1 - 0.2.3	npm
@tallyui/database	1.0.1 - 1.0.3	npm
@tallyui/pos	0.1.1 - 0.1.3	npm
@tallyui/storage-sqlite	0.2.1 - 0.2.3	npm
@tallyui/theme	0.2.1 - 0.2.3	npm
@tanstack/arktype-adapter	1.166.12 1.166.15	npm
@tanstack/eslint-plugin-router	1.161.9 1.161.12	npm
@tanstack/eslint-plugin-start	0.0.4 0.0.7	npm
@tanstack/history	1.161.9 1.161.12	npm
@tanstack/nitro-v2-vite-plugin	1.154.12 1.154.15	npm
@tanstack/react-router	1.169.5 1.169.8	npm
@tanstack/react-router-devtools	1.166.16 1.166.19	npm
@tanstack/react-router-ssr-query	1.166.15 1.166.18	npm
@tanstack/react-start	1.167.68 1.167.71	npm
@tanstack/react-start-client	1.166.51 1.166.54	npm
@tanstack/react-start-rsc	0.0.47 0.0.50	npm
@tanstack/react-start-server	1.166.55 1.166.58	npm
@tanstack/router-cli	1.166.46 1.166.49	npm
@tanstack/router-core	1.169.5 1.169.8	npm
@tanstack/router-devtools	1.166.16 1.166.19	npm
@tanstack/router-devtools-core	1.167.6 1.167.9	npm
@tanstack/router-generator	1.166.45 1.166.48	npm
@tanstack/router-plugin	1.167.38 1.167.41	npm
@tanstack/router-ssr-query-core	1.168.3 1.168.6	npm
@tanstack/router-utils	1.161.11 1.161.14	npm
@tanstack/router-vite-plugin	1.166.53 1.166.56	npm
@tanstack/solid-router	1.169.5 1.169.8	npm
@tanstack/solid-router-devtools	1.166.16 1.166.19	npm
@tanstack/solid-router-ssr-query	1.166.15 1.166.18	npm
@tanstack/solid-start	1.167.65 1.167.68	npm
@tanstack/solid-start-client	1.166.50 1.166.53	npm
@tanstack/solid-start-server	1.166.54 1.166.57	npm
@tanstack/start-client-core	1.168.5 1.168.8	npm
@tanstack/start-fn-stubs	1.161.12 1.161.9	npm
@tanstack/start-plugin-core	1.169.23 1.169.26	npm
@tanstack/start-server-core	1.167.33 1.167.36	npm
@tanstack/start-static-server-functions	1.166.44 1.166.47	npm
@tanstack/start-storage-context	1.166.38 1.166.41	npm
@tanstack/valibot-adapter	1.166.12 1.166.15	npm
@tanstack/virtual-file-routes	1.161.10 1.161.13	npm
@tanstack/vue-router	1.169.5 1.169.8	npm
@tanstack/vue-router-devtools	1.166.16 1.166.19	npm
@tanstack/vue-router-ssr-query	1.166.15 1.166.18	npm
@tanstack/vue-start	1.167.61 1.167.64	npm
@tanstack/vue-start-client	1.166.46 1.166.49	npm
@tanstack/vue-start-server	1.166.50 1.166.53	npm
@tanstack/zod-adapter	1.166.12 1.166.15	npm
@taskflow-corp/cli	0.1.24 - 0.1.29	npm
@tolka/cli	1.0.2 - 1.0.6	npm
@uipath/access-policy-sdk	0.3.1	npm
@uipath/access-policy-tool	0.3.1	npm
@uipath/admin-tool	0.1.1	npm
@uipath/agent-sdk	1.0.2	npm
@uipath/agent-tool	1.0.1	npm
@uipath/agent.sdk	0.0.18	npm
@uipath/aops-policy-tool	0.3.1	npm
@uipath/ap-chat	1.5.7	npm
@uipath/api-workflow-tool	1.0.1	npm
@uipath/apollo-core	5.9.2	npm
@uipath/apollo-react	4.24.5	npm
@uipath/apollo-wind	2.16.2	npm
@uipath/auth	1.0.1	npm
@uipath/case-tool	1.0.1	npm
@uipath/cli	1.0.1	npm
@uipath/codedagent-tool	1.0.1	npm
@uipath/codedagents-tool	0.1.12	npm
@uipath/codedapp-tool	1.0.1	npm
@uipath/common	1.0.1	npm
@uipath/context-grounding-tool	0.1.1	npm
@uipath/data-fabric-tool	1.0.2	npm
@uipath/docsai-tool	1.0.1	npm
@uipath/filesystem	1.0.1	npm
@uipath/flow-tool	1.0.2	npm
@uipath/functions-tool	1.0.1	npm
@uipath/gov-tool	0.3.1	npm
@uipath/identity-tool	0.1.1	npm
@uipath/insights-sdk	1.0.1	npm
@uipath/insights-tool	1.0.1	npm
@uipath/integrationservice-sdk	1.0.2	npm
@uipath/integrationservice-tool	1.0.2	npm
@uipath/llmgw-tool	1.0.1	npm
@uipath/maestro-sdk	1.0.1	npm
@uipath/maestro-tool	1.0.1	npm
@uipath/orchestrator-tool	1.0.1	npm
@uipath/packager-tool-apiworkflow	0.0.19	npm
@uipath/packager-tool-bpmn	0.0.9	npm
@uipath/packager-tool-case	0.0.9	npm
@uipath/packager-tool-connector	0.0.19	npm
@uipath/packager-tool-flow	0.0.19	npm
@uipath/packager-tool-functions	0.1.1	npm
@uipath/packager-tool-webapp	1.0.6	npm
@uipath/packager-tool-workflowcompiler	0.0.16	npm
@uipath/packager-tool-workflowcompiler-browser	0.0.34	npm
@uipath/platform-tool	1.0.1	npm
@uipath/project-packager	1.1.16	npm
@uipath/resource-tool	1.0.1	npm
@uipath/resourcecatalog-tool	0.1.1	npm
@uipath/resources-tool	0.1.11	npm
@uipath/robot	1.3.4	npm
@uipath/rpa-legacy-tool	1.0.1	npm
@uipath/rpa-tool	0.9.5	npm
@uipath/solution-packager	0.0.35	npm
@uipath/solution-tool	1.0.1	npm
@uipath/solutionpackager-sdk	1.0.11	npm
@uipath/solutionpackager-tool-core	0.0.34	npm
@uipath/tasks-tool	1.0.1	npm
@uipath/telemetry	0.0.7	npm
@uipath/test-manager-tool	1.0.2	npm
@uipath/tool-workflowcompiler	0.0.12	npm
@uipath/traces-tool	1.0.1	npm
@uipath/ui-widgets-multi-file-upload	1.0.1	npm
@uipath/uipath-python-bridge	1.0.1	npm
@uipath/vertical-solutions-tool	1.0.1	npm
@uipath/vss	0.1.6	npm
@uipath/widget.sdk	1.2.3	npm
@agentwork-cli	0.1.4 0.1.5	npm
cmux-agent-mcp	0.1.3 - 0.1.8	npm
cross-stitch	1.1.3 - 1.1.7	npm
git-branch-selector	1.3.3 - 1.3.7	npm
git-git-git	1.0.8 - 1.0.10	npm
intercom-client	7.0.4	npm
mbt	1.2.48	npm
ml-toolkit-ts	1.0.4 1.0.5	npm
nextmove-mcp	0.1.3 - 0.1.7	npm
safe-action	0.8.3 0.8.4	npm
ts-dna	3.0.2 - 3.0.5	npm
wot-api	0.8.1 - 0.8.4	npm
intercom/intercom-php	5.0.2	composer
guardrails-ai	0.10.1	PyPi
lightning	2.6.2 2.6.3	PyPi
mistralai	2.4.6	PyPi

Mitigations / Workarounds

If you believe that a machine has already been impacted, assume all secrets that are accessible on the affected host are compromised. We do not advise cleaning in place and instead recommend reimaging or rebuilding affected machines from known good images.

Any credentials related to AWS, GCP, Kubernetes, Vault, Github, NPM, Pip, or SSH on a host with an affected version should be rotated immediately. Any keys that match the following regex should be considered compromised and exfiled:

/npm_[A-Za-z0-9]{36,}/g
/gh[op]_[A-Za-z0-9]{36}/g
/hvs\.[A-Za-z0-9_-]{24,}/g
/eyJhbGciOiJSUzI1NiIsImtpZCI6[\w\-.]+/g
/AKIA[0-9A-Z]{16}/g

The following hard-coded paths for files are enumerated by the payload and any instances of these credentials are assumed to be compromised as well. These paths include credentials more commonly found on developer machines rather than purely CI/CD pipelines:

~/.azure/accessTokens.json
~/.config/gcloud/*
~/.kube/config
/var/run/secrets/kubernetes.io/serviceaccount/token
~/.terraform.d/credentials.tfrc.json
/etc/rancher/k3s/k3s.yaml
/var/lib/docker/containers/*/config.v2.json
~/.bash_history
~/.zsh_history
~/.python_history
~/.mysql_history
~/.ssh/id_rsa
~/.ssh/id_ed25519
~/.ssh/id_ecdsa
~/.git-credentials
~/.gitconfig
.vscode/tasks.json
.vscode/setup.mjs
~/.npmrc
~/.pypirc
~/.docker/config.json
~/.netrc
~/.yarnrc
~/.claude.json
~/.claude/mcp.json
~/.kiro/settings/mcp.json
~/.bitcoin/wallet.dat
~/.ethereum/keystore/*
~/.monero/*
~/.zcash/wallet.dat
~/.config/Signal/*
~/.config/Slack/Cookies,
~/.config/discord/*
~/.config/telegram-desktop/*

It’s been identified by Github user @carlini that revocation of Github tokens will trigger a wipe of the home directory of the current user via rm -rf ~/. This affects developer machines much more than CI/CD pipelines.

For endpoints and developer machines, ensure that the affected packaged are not installed on the host:

find / \( -name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock" \) -exec sh -c ' grep -E "@agentwork-cli|@beproduc|@cap-j|@dirigible-a|@draftaut|@draftla|@mesade|@mistrala|@ml-toolkit-t|@opensearch-projec|@squaw|@supersurkhe|@tallyu|@tanstac|@taskflow-cor|@tolk|@uipath|" "$1" | grep "node_modules" && echo " ^^ found in: $1" ' _ {} \;

Ensure that the payload is not installed on any suspected hosts:

find / ((-name "package-lock.json" -o -name "pnpm-lock.yaml" -o -name "yarn.lock") -o ( -path "

Additionally, persistence mechanisms appear in Linux and macOS under the name gh-token-monitor within systemd and launchctl respectively. Using pinned versions of libraries is recommended to prevent this kind of attack if new malicious versions are released for any library.

Using pinned versions of libraries is recommended to help mitigate these attacks in the future. NPM specifically offers a configuration, npm config set min-release-age 3, that will enforce a 48-72 hour period on new package releases before installing them on your machine. This is advised for all developers using external npm packages. For machines running without human interaction, such as CI/CD pipelines, we advise not only version pinning of packages but disabling scripts on installs with the –ignore-scripts argument wherever possible. Python’s and PHP’s package managers don’t advise globally updating all packages regularly and therefore are less likely to be unpinned and installed each CI/CD invocation, so no such mechanism exists within the respective package managers.

Patches

While not strictly a patch, ensuring that any installed affected npm, pip, and conductor packages are removed and purged from your machines is recommended. This involves removing the affected packages and installing pinned versions of the unaffected packages.

Indicators of Compromise

Network Activity
api[.]masscan[.]cloud
filev2[.]getsession[.]org
git-tanstack[.]com
seed1[.]getsession[.]org
filev2[.]getsession[.]org/file/

File Name	Hash
router_init.js OR router_runtime.js	12ed9a3c1f73617aefdb740480695c04405d7b4b
tanstack_runner.js OR router_init.js	e7d582b98ca80690883175470e96f703ef6dc497

How Beazley Security is responding

Beazley Security is conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.