TanStack npm Attack: 84 Malicious Versions Exposed

By Steven | TrustYourWebsite | 2 min read

Source: heise Security

A supply-chain attack on the TanStack JavaScript library collection reportedly resulted in 84 malicious versions of 42 packages being published to the npm package registry, according to heise Security. The incident was discovered on 11 May 2026. The compromised versions contained credential-stealing malware targeting sensitive developer credentials.

What happened?

According to heise Security, malicious actors managed to inject credential-stealing code into 84 versions of 42 packages in the @tanstack/* collection on npm. The malware was reportedly designed to target AWS Instance Metadata Service (IMDS) credentials, GitHub tokens and private SSH keys.

The compromised package versions have since been deprecated. It is not yet clear how many developers installed the affected versions before they were taken down, and the identity of those responsible has not been confirmed.

Who is affected?

Developers who use @tanstack/* packages in their projects and who installed one of the 84 affected versions may have had their credentials exposed. According to heise Security, affected developers are advised to immediately rotate all secrets, including npm tokens, GitHub personal access tokens and OIDC trusts, AWS credentials, Vault tokens and Kubernetes service account tokens.

If you are a developer or work with a developer who builds or maintains websites using TanStack packages, it is worth checking which versions are in use.

Why does this matter for small businesses?

Many small business websites are built and maintained using JavaScript frameworks and tools. While you may not manage npm packages yourself, your web developer or agency might. A compromised developer environment can mean that credentials used to access your hosting, cloud services or code repositories could be at risk.

This is a good moment to ask your developer whether they use TanStack packages and whether they have checked for the affected versions. You can also point them to our security checklist for small businesses and our guide on vulnerable plugins and dependencies.

What does this mean for your website?

If your website was built or is maintained by a developer using @tanstack/* packages, ask them to confirm they have checked for the affected versions listed in the GitHub Security Advisory. Supply-chain attacks like this one target developers rather than end users directly, but the knock-on effects can reach your website if developer credentials are compromised. Keeping an open line with your web developer about security incidents is a simple but effective step.
