Worm-like Supply Chain Attack Exploits GitHub Actions to Infiltrate NPM and Python Ecosystems
A sophisticated, worm-like supply chain attack is actively spreading across the NPM and Python ecosystems, originating from compromised TanStack packages on May 11th. Malicious versions of TanStack Query, Router, and Start were briefly published, exploiting a critical vulnerability in their CI/CD pipeline. Although contained within 20 minutes, the malicious code, designed to steal NPM and GitHub tokens, AWS credentials, and other secrets, rapidly propagated. It leverages stolen credentials to publish further compromised packages, affecting other NPM libraries like Mistral and subsequently infiltrating the Python ecosystem, with its spread currently ongoing. Developers who installed any TanStack package around May 11th (UTC) or other recently affected packages should consider their systems compromised and look for indicators of compromise, including specific file hashes and outgoing traffic to data exfiltration URLs.
The attack vector was multi-faceted, exploiting GitHub Actions through three key steps: a pull_request_target trigger vulnerability, GitHub Actions cache poisoning, and runtime memory extraction of OIDC tokens. An attacker leveraged a pull_request_target event (which executes in the base repository's context) to inject malicious code into the shared GitHub Actions cache. Subsequently, a legitimate CI/CD workflow, triggered by a routine push, unknowingly retrieved this poisoned cache and executed the malicious payload. This code then stole a short-lived NPM trusted-publishing OIDC token, enabling the publication of compromised TanStack packages. Fortuitously, an unrelated CI/CD workflow failure made the illicit publication easier to detect. To mitigate such threats, developers are strongly advised to isolate development environments using VMs or dev containers, to adopt secure secret management practices (e.g., SSO, cloud-based solutions), and to configure package managers such as Bun, pnpm, or modern NPM to enforce minimum release ages and block post-install scripts. These precautions matter all the more given the rising sophistication and AI-assisted nature of supply chain attacks targeting CI/CD pipelines.
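As an added example (not code from the original article or from the TanStack project), the following Python checker flags the workflow pattern behind the first two steps above: a pull_request_target trigger that checks out the untrusted PR head and touches the shared actions cache. The two workflow files it scans are constructed samples, and the regex-based matching is a deliberately simple approximation of a full YAML parse.

```python
import re

# Constructed sample workflows used to exercise the checker (not the TanStack repo's files).
RISKY = """\
on:
  pull_request_target:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci
"""
SAFE = """\
on:
  push:
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci
"""

def workflow_findings(text: str) -> list[str]:
    """Flag the trigger/cache combination from the attack chain described above.
    A pull_request_target job runs with the base repository's permissions; if it also
    checks out the PR head and writes to the shared actions cache, untrusted PR code
    can poison entries that trusted push-triggered workflows later restore."""
    prt = re.search(r"^\s*pull_request_target\s*:", text, re.M) is not None
    head_checkout = re.search(r"github\.event\.pull_request\.head\.(sha|ref)", text) is not None
    cache_step = re.search(r"uses:\s*actions/cache(/restore|/save)?@", text) is not None
    findings = []
    if prt and head_checkout:
        findings.append("pull_request_target workflow checks out untrusted PR head")
    if prt and cache_step:
        findings.append("pull_request_target workflow uses the shared actions cache")
    return findings
```

Run it over every file under `.github/workflows/` in CI to catch the pattern before it reaches a default branch.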