Tanstack and other Packages Compromised in Supply Chain Attack (Campaign)

ID: fb8f1a0a-b70d-5158-93f3-3782feace2ea

STIX ID: report--fb8f1a0a-b70d-5158-93f3-3782feace2ea

Feed Name: Wiz Cloud Threat Landscape

Threat Score: 92/100

Date Published: 2026-05-11

Date Updated: 2026-05-21

Author: Wiz Threat Research

On May 11, 2026, TeamPCP conducted a coordinated software supply chain attack against the npm and PyPI ecosystems, publishing dozens of trojanized packages over approximately six hours. High-profile namespaces, including @tanstack (notably @tanstack/react-router, with ~12M weekly downloads), were affected. The malicious releases were produced via legitimate GitHub Actions OIDC identities, which undermines package provenance and signing as reliable indicators of safety.
