Sophisticated Supply Chain Attack Exploits npm's Trusted Publishing, Compromises Hundreds of Packages
A critical supply chain attack has sent shockwaves through the open-source community, leveraging npm's "trusted publishing" feature to compromise over 100 packages, collectively downloaded more than 50 million times weekly, in just six minutes. This sophisticated "mini Shai-Hulud" worm bypassed traditional security measures: no phishing, leaked passwords, or stolen tokens were involved. The initial vector was a misconfiguration in TanStack's GitHub Actions release pipeline. By opening and immediately closing a pull request from a forked repository, the attacker triggered a workflow configured with pull_request_target, which ran their code with the execution context and permissions of the main repository. This allowed a poisoned file to be injected into the CI server's shared cache.
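The misconfiguration described above is the well-known "pwn request" pattern: a workflow triggered by pull_request_target checks out and executes code from the fork while holding the base repository's token, secrets and shared cache. The following is an added illustration, not TanStack's actual workflow; the workflow names, cache path and tag pattern are placeholders. The first document shows the pattern to look for in a workflow audit, the second shows the hardened shape (untrusted code under plain pull_request with a read-only token, minimal permissions, no persisted credentials, and a publish job that restores no cache at all):

```yaml
# --- VULNERABLE PATTERN (illustrative, placeholder workflow) ---------------
# pull_request_target runs in the context of the BASE repository: the job gets
# a write-capable GITHUB_TOKEN, access to repository secrets, and its caches are
# shared with every other run on the base branch. Checking out the PR head and
# running its scripts hands all of that to whoever opened the PR, and a cache
# written here persists after the PR is closed.
name: ci-vulnerable
on:
  pull_request_target:
    types: [opened, synchronize, closed]   # fires even for an immediately closed PR
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # untrusted fork code
      - uses: actions/cache@v4
        with:
          path: node_modules/.cache        # placeholder path, written back to the shared cache
          key: build-cache-${{ runner.os }}
      - run: npm ci && npm test            # runs the fork's package.json scripts with base-repo privileges
---
# --- HARDENED PATTERN (illustrative) --------------------------------------
# Untrusted PR code runs under plain pull_request: for forks the token is
# read-only and repository secrets are not exposed. Permissions are pinned to
# the minimum and the checkout does not keep credentials on disk.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts && npm test   # no lifecycle scripts from dependencies
---
# --- RELEASE JOB (illustrative) -------------------------------------------
# Publishing runs only on a tag push from the trusted branch, never on any
# pull-request event, and uses no actions/cache step, so nothing an earlier
# run wrote can reach the publish step. id-token: write is what OIDC-based
# trusted publishing needs (assumes the package is configured for it on npmjs.com).
name: release
on:
  push:
    tags: ['v*']            # placeholder tag pattern
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance
```

The three YAML documents are separate workflow files in practice and are shown together only for comparison. When auditing, the combination to flag is any pull_request_target job that checks out github.event.pull_request.head.sha (or head.ref) and then runs install or build steps, especially when the same job writes to actions/cache.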
Hours later, a legitimate pull request merge activated the latent malicious payload, which then took an npm publish token from the cache. This token was used to publish 84 compromised versions of TanStack packages. The worm proliferated rapidly, scanning infected systems for additional npm publish tokens and publishing new poisoned versions across a wide array of projects. Early victims included maintainers at Mistral AI, UiPath, OpenSearch, Guardrails AI, and Squawk, whose packages were quickly compromised. The worm's reach extended beyond npm, jumping to PyPI via Python SDKs. By the following morning, security firm Aikido reported tracking 373 poisoned versions across 169 packages. The malware displayed advanced stealth capabilities, forging commits signed by the Claude Code GitHub app to blend in with legitimate AI-generated activity, and embedding itself directly into development environments such as Claude Code and VS Code for persistence. A particularly alarming feature is a "dead man's switch" that monitors the validity of the stolen GitHub token and activates a "war crime mode" that wipes the root directory once the token expires.
While comprehensive future prevention remains challenging, several measures can significantly improve security posture. pnpm version 11 and higher offers critical safeguards, including "minimum release age," which refuses packages published less than 24 hours ago, providing a window for detection. The "block exotic sub-dependencies" feature prevents installation of dependencies not sourced from a proper registry, thwarting a common malware-smuggling technique. Furthermore, "approved builds" blocks all install scripts by default, requiring explicit whitelisting of legitimate packages, which mitigates a primary vector for npm malware.
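As an added example of the two safeguards named above, not taken from the article, here is a pnpm-workspace.yaml that enables a 24-hour minimum release age and allow-lists install scripts. The key names minimumReleaseAge and onlyBuiltDependencies are the ones pnpm documents; the package name under onlyBuiltDependencies is an illustrative choice, and the "block exotic sub-dependencies" setting is left out because the article does not give its configuration key:

```yaml
# pnpm-workspace.yaml (added example; values are illustrative)

# Minimum release age, in minutes. 1440 = 24 hours: a version published more
# recently than this is not selected during resolution, so a poisoned release
# has a day to be noticed and yanked before it can land in your lockfile.
# Before: no such key, every just-published version is eligible immediately.
minimumReleaseAge: 1440

# Approved builds: install/preinstall/postinstall scripts are blocked for every
# dependency unless the package is listed here. Review candidates with
# `pnpm approve-builds` and add only those whose native build you actually need.
# Before: no such key, and in older pnpm versions all lifecycle scripts ran.
onlyBuiltDependencies:
  - esbuild      # illustrative entry: a package that legitimately needs a postinstall step
```

With this in place, `pnpm install` will report packages whose newest versions were skipped for being too young and will list dependencies with ignored build scripts, which is the signal to investigate rather than to widen the allow-list reflexively.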