Malicious TanStack Package Exploits Postinstall Script to Exfiltrate Developer Environment Files
On April 29, 2026, a malicious npm package masquerading as the reputable TanStack project was identified, covertly exfiltrating developer environment files upon installation. The perpetrator registered the unscoped tanstack package on npm, presenting it as a legitimate video player SDK named TanStackPlayer, and embedded a credential-harvesting script that executed without any visible warning.
The attack spanned just 27 minutes. Between 17:08 and 17:35 UTC, four versions of the malicious package, 2.0.4, 2.0.5, 2.0.6, and 2.0.7, were uploaded to npm in quick succession. Each version declared a postinstall hook, one of the npm lifecycle scripts that the package manager runs automatically after a package is installed, whether the developer installed it directly or pulled it in as a transitive dependency, and regardless of whether anyone ever opens the package's code. npm skips these scripts only when ignore-scripts is set in its configuration or on the command line. The earlier version 2.0.3, published in March 2026, was clean and had no such hook. The package had roughly 19,830 downloads in the month before the attack, which gave the attacker a sizeable pool of potential victims.
Aikido researchers analyzed the malicious campaign, highlighting that the attacker did not need to compromise an existing maintainer account, exploit a vulnerability, or engage in phishing. Instead, they registered a convincing package name, inserted a concise postinstall script, and relied on npm installations to propagate the attack. The package’s README was meticulously crafted with sponsorship badges, download shields, a feature comparison table, and code examples, enhancing its appearance of legitimacy.
The genuine TanStack organization, known for libraries such as TanStack Query (around 8 million weekly downloads), had no connection to this package. Its packages are published under the @tanstack scope (for example @tanstack/react-query), while the unscoped name tanstack had been free to register since December 2024, and the attacker claimed it. A developer who typed npm install tanstack instead of the scoped name they meant would pull in the malicious package, and the postinstall hook ran before anything in the README or the code was ever looked at.
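The two signals this campaign relied on, an unscoped name that shadows a well-known scope and a lifecycle hook that appears between two patch versions, can both be checked from package.json before anything is installed. The following pre-install audit is an added example, not code from the article, from Aikido or from TanStack; the scope allowlist, the sample manifests and the placeholder postinstall command are constructed for illustration, and the version numbers follow the article.

```javascript
// Added example: pre-install audit of an npm manifest (not the article's or TanStack's code).
// Lifecycle scripts npm runs on its own: preinstall/install/postinstall for every
// installed dependency, prepare for git dependencies and local installs.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Assumed allowlist of organizations that publish only under their npm scope, so an
// unscoped package carrying the same bare name deserves a second look.
const KNOWN_SCOPES = new Set(["tanstack", "babel", "angular", "types"]);

function auditManifest(manifestText) {
  const pkg = JSON.parse(manifestText);
  const findings = [];
  const name = String(pkg.name || "");

  // 1. "tanstack" is not "@tanstack/anything": same word, unrelated publisher.
  if (!name.startsWith("@") && KNOWN_SCOPES.has(name.toLowerCase())) {
    findings.push({
      kind: "scope-collision",
      detail: `unscoped "${name}" shadows the @${name}/* scope; verify the publisher`,
    });
  }

  // 2. Any install-time hook is code that runs before the developer reads anything.
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push({ kind: "lifecycle-hook", detail: `${hook}: ${scripts[hook]}` });
    }
  }
  return findings;
}

// Compare a known-good manifest with a newer one and report hooks that did not exist
// before. The signal in this incident: 2.0.3 had no postinstall, 2.0.4 suddenly did.
function newlyAddedHooks(previousManifestText, nextManifestText) {
  const prev = JSON.parse(previousManifestText).scripts || {};
  const next = JSON.parse(nextManifestText).scripts || {};
  return INSTALL_HOOKS.filter((hook) => !prev[hook] && typeof next[hook] === "string");
}

// Constructed sample manifests. "node setup.js" is a placeholder command, not the
// real package's script.
const CLEAN_MANIFEST = JSON.stringify({
  name: "tanstack", version: "2.0.3", main: "index.js",
  scripts: { test: "node test.js" },
});
const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: "tanstack", version: "2.0.4", main: "index.js",
  scripts: { test: "node test.js", postinstall: "node setup.js" },
});
const SCOPED_MANIFEST = JSON.stringify({
  name: "@tanstack/react-query", version: "5.0.0", main: "index.js",
});

console.log(JSON.stringify(auditManifest(SUSPICIOUS_MANIFEST), null, 2));
console.log("hooks added since 2.0.3:", newlyAddedHooks(CLEAN_MANIFEST, SUSPICIOUS_MANIFEST));
```

The manifest for any published version can be fetched from the registry without installing it, so both checks fit in a CI gate or a pre-commit hook that runs before the lockfile changes; a scope collision alone is a prompt to verify the publisher, while a hook that appears between two patch versions of a package you already depend on is the stronger signal.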
The stolen data was sent through Svix, a legitimate webhooks-as-a-service platform, and on to an attacker-controlled endpoint. Routing through a trusted third-party relay defeats controls that judge traffic by destination reputation or by domain allow-lists: the install host only ever talks to a well-known SaaS domain over HTTPS. The useful signal is not where the traffic went but that an install-time script opened a network connection at all. The payload bundled the file contents with system metadata, including the Node.js version, platform, and architecture, so the exfiltrated secrets were immediately usable for targeted follow-on attacks.
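Because the relay is a reputable domain, the detection rule that catches this has to key on process context rather than on the destination. The logic below is an added example, not code from the article, Aikido or TanStack: it flags any outbound connection made by a process spawned under a package manager unless the destination is the registry itself. The event lines are constructed in the shape an EDR or eBPF sensor might emit, the registry allowlist is an assumption, and the relay hostname is a stand-in rather than Svix's real endpoint.

```javascript
// Added example: install-time egress detection (not the article's or Aikido's code).
// Assumed: the only host a plain `npm install` needs to reach.
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);
const PACKAGE_MANAGERS = new Set(["npm", "pnpm", "yarn"]);

// Constructed sample: one JSON object per outbound connection. `ancestry` lists the
// process chain from the connecting process up to the shell that started the install.
// The hostnames other than the registry are stand-ins.
const SAMPLE_EVENTS = `
{"ts":"2026-04-29T17:30:01Z","pid":4102,"comm":"npm","ancestry":["npm","bash"],"host":"registry.npmjs.org","port":443}
{"ts":"2026-04-29T17:30:02Z","pid":4102,"comm":"npm","ancestry":["npm","bash"],"host":"tarballs.example-cdn.test","port":443}
{"ts":"2026-04-29T17:30:04Z","pid":4117,"comm":"node","ancestry":["node","sh","npm","bash"],"host":"hooks.relay.example","port":443}
{"ts":"2026-04-29T17:31:10Z","pid":3990,"comm":"node","ancestry":["node","bash"],"host":"hooks.relay.example","port":443}
{"ts":"2026-04-29T17:31:12Z","pid":4120,"comm":"curl","ancestry":["curl","sh","npm","bash"],"host":"registry.npmjs.org","port":443}
`;

function parseEvents(text) {
  return text.split("\n").map((l) => l.trim()).filter(Boolean).map((l) => JSON.parse(l));
}

// The package manager itself fetching from somewhere other than the registry is
// unusual but can be legitimate (mirrors, tarball URLs). A *child* of the package
// manager opening a socket is a lifecycle script talking to the network, which is
// exactly what a postinstall exfiltration looks like, whatever the destination.
function classify(ev) {
  const idx = ev.ancestry.findIndex((p) => PACKAGE_MANAGERS.has(p));
  if (idx === -1) return null;                  // not part of an install at all
  if (REGISTRY_HOSTS.has(ev.host)) return null; // expected registry traffic
  return idx === 0 ? "medium" : "high";         // 0: the manager itself; >0: a spawned script
}

function detectInstallEgress(text) {
  const alerts = [];
  for (const ev of parseEvents(text)) {
    const severity = classify(ev);
    if (!severity) continue;
    alerts.push({
      severity, pid: ev.pid, comm: ev.comm, host: ev.host,
      reason: `${ev.ancestry.join(" < ")} connected to ${ev.host}:${ev.port} during install`,
    });
  }
  return alerts;
}

for (const alert of detectInstallEgress(SAMPLE_EVENTS)) console.log(alert);
```

Note that the same node process contacting the same relay outside an install (pid 3990 in the sample) is deliberately not flagged by this rule; it is the combination of "descendant of the package manager" and "not the registry" that matters, and a reputation lookup on the destination would have cleared the real campaign's traffic.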
Live Payload Iteration: How Version 2.0.6 Became the Most Dangerous
What makes this attack notable is the live debugging visible across the four versions. Version 2.0.4 read .env and .env.local directly; a check that would have let a developer opt out was present in the code but commented out, so it never ran. Version 2.0.5, published three minutes later, briefly switched its targets to README.md and AGENTS.md, most likely to confirm that the webhook receiver was working. Version 2.0.6, published at 17:26 UTC, was the most dangerous iteration: it dropped the fixed file list in favour of a directory sweep, a collectEnvFiles() function that picked up every file whose name starts with .env, so .env.local, .env.production, .env.staging, and .env.development all left in a single POST request. Console output was suppressed entirely. Version 2.0.7 went back to naming specific files but kept the console suppression. The practical lesson is that a package's behaviour can change completely between patch versions published minutes apart, so a clean review of one version says nothing about the next.
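Four releases inside 27 minutes is itself a detectable pattern, and the registry records the publish time of every version in the time map of a package's packument (the JSON document served at registry.npmjs.org/<name>). The burst check below is an added example, not code from the article, Aikido or TanStack; the packument is constructed, its timestamps follow the times the article gives (2.0.4 at 17:08, 2.0.6 at 17:26, 2.0.7 at 17:35, 2.0.5 three minutes after 2.0.4) and are approximate where the article gives none.

```javascript
// Added example: burst-publish detection over a packument's `time` map
// (not the article's or TanStack's code). The packument below is constructed.
const SAMPLE_PACKUMENT = {
  name: "tanstack",
  "dist-tags": { latest: "2.0.7" },
  time: {
    created: "2024-12-02T10:00:00.000Z",   // real packuments carry these two
    modified: "2026-04-29T17:35:00.000Z",  // non-version keys; they must be skipped
    "2.0.3": "2026-03-10T09:12:00.000Z",   // approximate: article says only "March 2026"
    "2.0.4": "2026-04-29T17:08:00.000Z",
    "2.0.5": "2026-04-29T17:11:00.000Z",   // "three minutes later"
    "2.0.6": "2026-04-29T17:26:00.000Z",
    "2.0.7": "2026-04-29T17:35:00.000Z",
  },
};

// [version, Date] pairs in publish order, ignoring the created/modified bookkeeping keys.
function publishTimeline(packument) {
  return Object.entries(packument.time)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => [version, new Date(iso)])
    .sort((a, b) => a[1] - b[1]);
}

// Sliding window over the timeline: report any run of at least minVersions releases
// that fit inside windowMinutes. Overlapping windows that share a first version are
// collapsed into the largest one.
function findPublishBursts(packument, { windowMinutes = 60, minVersions = 3 } = {}) {
  const timeline = publishTimeline(packument);
  const windowMs = windowMinutes * 60 * 1000;
  const bursts = [];
  let start = 0;
  for (let end = 0; end < timeline.length; end++) {
    while (timeline[end][1] - timeline[start][1] > windowMs) start++;
    const span = timeline.slice(start, end + 1);
    if (span.length >= minVersions) {
      bursts.push({
        versions: span.map(([v]) => v),
        minutes: Math.round((span[span.length - 1][1] - span[0][1]) / 60000),
      });
    }
  }
  // `start` only moves forward, so consecutive bursts with the same first version
  // are nested; keep the last (largest) one.
  return bursts.filter((b, i) => i + 1 >= bursts.length || bursts[i + 1].versions[0] !== b.versions[0]);
}

for (const burst of findPublishBursts(SAMPLE_PACKUMENT)) {
  console.log(`${burst.versions.length} versions in ${burst.minutes} min: ${burst.versions.join(", ")}`);
}
```

Rapid re-publishing is not proof of malice (release automation can do the same), but combined with a lifecycle hook that was absent in the previous version it is a strong reason to hold an upgrade until someone has read the diff.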