
TanStack npm Packages Compromised

Earlier today, StepSecurity's OSS Package Security feed flagged the newest releases of several @tanstack/* packages on npm as malicious. This appears to be a coordinated supply-chain attack that has poisoned multiple TanStack Router packages with an install-time credential stealer. Do not install or upgrade to the affected versions. We are continuing to investigate and will publish a full technical write-up shortly.
Ashish Kurmi

May 11, 2026


What we know so far

  • At least five packages in the TanStack Router family appear to have been compromised in their latest published versions on npm:
    • @tanstack/router-generator@1.166.45, @tanstack/router-generator@1.166.48
    • @tanstack/router-core@1.169.8
    • @tanstack/router-utils@1.161.14
    • @tanstack/virtual-file-routes@1.161.13
    • @tanstack/react-router@1.169.8
  • Each compromised tarball carries a doctored package.json and an undeclared, heavily obfuscated router_init.js (~2.3 MB) at the package root.
  • The package.json adds a single weaponised optionalDependencies entry that pulls a payload from a "ghost commit" on a fork of TanStack/router — reachable through the parent repo's URL via GitHub's cross-fork commit visibility. The attached commit defines a prepare script that runs the payload via bun and then deliberately exits with code 1, abusing npm's silent-failure behaviour for optional dependencies so the install appears to succeed.
  • Plaintext indicators inside the obfuscated payload point at theft of AWS instance/task-role credentials (IMDS + ECS metadata), HashiCorp Vault tokens, GitHub tokens, and npm tokens, with exfiltration over a Session messenger file relay. The behavioural signature matches the Shai-Hulud-style npm worm family.
  • The last known clean release of @tanstack/router-generator is 1.166.42 (published 2026-05-06). The corresponding clean ceilings for the other affected packages can be tracked live on the feed link below.

What you should do right now

  1. Stop installing the affected versions. Pin or downgrade @tanstack/* router packages to the last known clean version for your project, and rebuild your lockfiles.
  2. Audit recent installs. If any developer machine or CI runner installed an affected version since 2026-05-11 19:20 UTC, treat that host as potentially compromised.
  3. Rotate secrets that may have been exposed on those hosts — npm tokens, GitHub PATs, AWS access keys, Vault tokens, and any other secrets present in process.env or reachable from cloud-instance metadata.
  4. Hunt for outbound connections from build hosts to filev2.getsession.org and to 169.254.169.254 / 169.254.170.2.
  5. Track this incident live on the StepSecurity OSS Package Security feed — the specific alert that started this investigation is @tanstack/router-generator@1.166.48.

How StepSecurity detected this

StepSecurity OSS Package Security continuously analyses every new release on the major package registries. The @tanstack/router-generator@1.166.48 release tripped multiple detectors within minutes of publish — heavy obfuscation, anomalous root-level script files, install-time prepare hooks pulled from a git URL, and known credential-theft string patterns — surfacing as a high-severity alert on the public feed. Our research team picked it up from there.

What's next

A full technical write-up is in progress and will follow this post. It will cover the publish-time injection mechanism, the GitHub cross-fork "ghost commit" abuse, the deobfuscated payload behaviour, the suspected upstream root cause in the release pipeline, and the full IOC list for blue-team hunting.

In the meantime, follow the OSS Package Security feed for the most up-to-date list of compromised versions, and reach out to the StepSecurity team if you need help triaging exposure in your environment.

This is a developing incident. We will update this post as the investigation progresses. Last updated: 2026-05-11.
