Security

TanStack npm Hack: 84 Malicious Packages Released

By Steven | TrustYourWebsite | 2 min read

Source: The Register — Security

On May 11, 2026, an attacker published 84 malicious versions of official TanStack npm packages in the space of just six minutes, according to reporting by The Register. The packages carried malware capable of stealing credentials, propagating itself and wiping disks. According to GitHub's security advisory, any developer machine or automated build environment that ran a standard install command and resolved one of the affected versions that day should be treated as compromised.

What happened, reportedly

TanStack is an open source set of libraries used by developers to build websites and web applications. According to The Register, citing a postmortem by TanStack founder Tanner Linsley, the attacker opened a pull request from a fork containing a malicious commit. Opening the pull request caused the repository's automated workflow scripts to run against that commit; those scripts built malware that poisoned the GitHub Actions cache and extracted an npm publishing token from the memory of the build runner, which is what allowed the attacker to publish under TanStack's name.

The 84 malicious versions were reportedly published between 19:20 and 19:26 UTC. The attack was detected within 30 minutes, the malicious versions were deprecated on npm, and GitHub published a security advisory at 21:30 UTC, according to The Register.

No TanStack maintainers were compromised, according to the same reporting.
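The practical question for anyone who ran an install that day is whether the exact versions pinned in their lockfile were published inside the reported six-minute window. The following is an added example written for this article, not code from The Register, GitHub or the TanStack project: it lists every @tanstack/* package in a package-lock.json and cross-references each installed version against the publish timestamps npm returns from `npm view <package> time --json`. The lockfile and the registry metadata embedded here are constructed samples with made-up version numbers, not real TanStack versions or publish times.

```python
import json
from datetime import datetime, timezone

# Publish window for the 84 malicious versions as reported by The Register.
WINDOW_START = datetime(2026, 5, 11, 19, 20, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, 19, 26, 59, tzinfo=timezone.utc)


def installed_tanstack_packages(lock_json: str) -> dict:
    """Return {package_name: version} for every @tanstack/* entry in a
    package-lock.json (lockfileVersion 2/3 'packages' map, with a fallback
    to the v1 'dependencies' map)."""
    lock = json.loads(lock_json)
    found = {}
    for path, meta in lock.get("packages", {}).items():
        # Nested installs look like node_modules/foo/node_modules/@tanstack/bar,
        # so take the part after the last node_modules/ segment.
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith("@tanstack/") and "version" in meta:
            found[name] = meta["version"]
    for name, meta in lock.get("dependencies", {}).items():
        if name.startswith("@tanstack/") and "version" in meta:
            found.setdefault(name, meta["version"])
    return found


def parse_npm_time(stamp: str) -> datetime:
    """npm's 'time' map uses ISO-8601 with a trailing Z; normalise to UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def published_in_window(time_map: dict, version: str) -> bool:
    """True if the registry says this version was published inside the window.
    time_map is the object printed by `npm view <pkg> time --json`."""
    stamp = time_map.get(version)
    if stamp is None:
        return False
    return WINDOW_START <= parse_npm_time(stamp) <= WINDOW_END


def flag_suspect_installs(lock_json: str, registry_times: dict) -> dict:
    """Cross-reference installed @tanstack versions with registry publish times.
    'in_window' lists (package, version, publish_timestamp) for versions published
    in the window; 'unknown' lists (package, version) pairs absent from the
    registry data (already unpublished, or metadata not fetched), which need a
    manual look rather than being silently treated as clean."""
    in_window, unknown = [], []
    for name, version in installed_tanstack_packages(lock_json).items():
        times = registry_times.get(name, {})
        if version not in times:
            unknown.append((name, version))
        elif published_in_window(times, version):
            in_window.append((name, version, times[version]))
    return {"in_window": sorted(in_window), "unknown": sorted(unknown)}


# Constructed sample inputs: the version numbers and timestamps below are
# invented for this example and are not real TanStack releases.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-site", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-site", "version": "1.0.0"},
        "node_modules/@tanstack/react-query": {"version": "9.9.9"},
        "node_modules/some-lib/node_modules/@tanstack/query-core": {"version": "9.9.8"},
        "node_modules/react": {"version": "19.0.0"},
    },
})

SAMPLE_REGISTRY_TIMES = {
    "@tanstack/react-query": {
        "created": "2020-01-01T00:00:00.000Z",
        "9.9.8": "2026-05-10T12:00:00.000Z",
        "9.9.9": "2026-05-11T19:23:41.000Z",  # inside the reported window
    },
    "@tanstack/query-core": {
        "created": "2020-01-01T00:00:00.000Z",
        "9.9.8": "2026-05-10T12:00:00.000Z",
    },
}

if __name__ == "__main__":
    report = flag_suspect_installs(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIMES)
    for name, version, stamp in report["in_window"]:
        print(f"SUSPECT  {name}@{version} published {stamp}")
    for name, version in report["unknown"]:
        print(f"UNKNOWN  {name}@{version} not present in registry metadata")
```

Two caveats when using this against a real project: a version that is missing from the registry's time map is not evidence of safety, since npm may have removed it after the incident, which is why such entries are reported separately; and a project with no lockfile that installed from a version range that day has no record of which version it resolved, so the build environment itself has to be treated as exposed rather than cleared by this check.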

Why this matters even if you are not a developer

If your website was built or maintained by a developer, or if your business uses any web application that relies on third-party code packages, attacks like this one can affect you indirectly. A compromised developer environment can expose credentials, configuration files and access keys, which could in turn affect the systems and websites they manage on your behalf.

This is a good moment to ask your developer or web agency whether they have reviewed their build environments and rotated any credentials following recent supply chain incidents. You do not need to understand the technical details to ask that question.

For practical steps you can take to reduce security risk on your own website, see our security checklist for small businesses. If your site runs on WordPress, it is also worth checking our guide on vulnerable WordPress plugins, since outdated or compromised plugins are a common entry point for attackers.

What does this mean for your website?

If a developer or agency manages your website, their tools and build processes could be affected by supply chain attacks like this one, even if your own systems are never directly targeted. It is reasonable to ask your developer whether they have checked for any exposure following recent npm security incidents. Keeping your own website software, plugins and themes up to date remains one of the most effective steps you can take to reduce risk on your end.

