Claude Code users beware! TanStack NPM has been hacked and poisoned, with up to 12.7 million downloads per week

The well-known TanStack package has been hacked and poisoned by the TeamPCP hacker group, affecting multiple AI development tools and crypto wallets. The malicious programs not only steal confidential credentials but also retaliate by deleting user data when detected, highlighting the increasing severity of supply chain attack threats.

TanStack NPM attacked, Claude and crypto users affected

A large-scale NPM supply chain attack is happening again. The TanStack NPM package, which is downloaded at least 12.7 million times per week, has been infiltrated and poisoned by a hacker group. The attack targets the currently popular AI ecosystem, and other affected packages include those related to Mistral AI, OpenSearch, and Guardrails AI.

The hackers mainly embed malicious code into AI coding assistants and environments commonly used by developers, such as Claude Code and Microsoft’s VS Code editor, to steal users’ confidential credentials, including developers’ highly critical GitHub access tokens.

If you downloaded a poisoned version of TanStack NPM on May 11, 2026, please follow the official guidance immediately to change all potentially compromised accounts, passwords, and cloud credentials.
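One way to check a project against the May 11, 2026 date given above, as an added example that is not from the article, StepSecurity or TanStack: it walks a `package-lock.json` and flags entries in a scope whose registry publish time falls on that date. The package names, versions and timestamps are constructed placeholders, the `@tanstack` scope filter and UTC day boundary are assumptions, and publish times are taken to come from the per-version `time` object in npm registry metadata.

```javascript
// Constructed sample: "packages" map of a package-lock.json (lockfileVersion 3).
// Package names and versions are placeholders, not the real affected list.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/@tanstack/example-a': { version: '9.9.1' },
    'node_modules/@tanstack/example-b': { version: '2.0.0' },
    'node_modules/foo/node_modules/@tanstack/example-a': { version: '9.9.0' },
    'node_modules/left-pad': { version: '1.3.0' },
  },
};

// Constructed sample: version -> ISO 8601 UTC publish timestamp, the shape of
// the "time" object in npm registry package metadata.
const sampleTimes = {
  '@tanstack/example-a': {
    '9.9.0': '2026-04-02T10:00:00.000Z',
    '9.9.1': '2026-05-11T19:21:30.000Z',
  },
  '@tanstack/example-b': { '2.0.0': '2026-05-12T08:00:00.000Z' },
};

// The package name is whatever follows the last "node_modules/" in the key,
// so nested (transitive) copies are attributed to the right package.
function nameFromLockPath(path) {
  const i = path.lastIndexOf('node_modules/');
  return i === -1 ? null : path.slice(i + 'node_modules/'.length);
}

// Flag installs in `scope` published on `utcDate` (assumption: UTC day boundary).
function findSuspectInstalls(lock, times, scope, utcDate) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockPath(path);
    if (!name || !name.startsWith(scope + '/') || !entry.version) continue;
    const published = (times[name] || {})[entry.version];
    if (published === undefined) {
      // No publish time available for this version: surface it for manual review.
      hits.push({ path, name, version: entry.version, reason: 'unknown-publish-time' });
    } else if (String(published).slice(0, 10) === utcDate) {
      hits.push({ path, name, version: entry.version, reason: 'published-on-date' });
    }
  }
  return hits;
}

console.log(findSuspectInstalls(sampleLock, sampleTimes, '@tanstack', '2026-05-11'));
```

A hit means the lockfile pins a version published that day, not that the version is confirmed malicious; compare hits against the affected-version list in the official guidance.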

Hackers from TeamPCP poisoned packages in six minutes

According to StepSecurity’s analysis report, this attack was launched by the active hacker group TeamPCP. The group previously carried out a similar nested supply chain attack on the AI open-source package LiteLLM in March this year, resulting in the leak of hundreds of gigabytes of sensitive data and over 500k credentials.


Now, TeamPCP has shifted focus to TanStack, and after the attack, they released a malicious worm called Mini Shai-Hulud on GitHub. The worm has self-propagation capabilities; once it has infiltrated a system, it automatically searches for and steals various passwords and keys.

The TanStack hacking incident occurred on May 11. Within just six minutes, the hackers released 84 versions containing malicious code across 42 TanStack-related packages, using three system vulnerabilities and a chain reaction between mechanisms to achieve their goal.

[Image: packages affected by the TanStack compromise, compiled by StepSecurity. Image source: StepSecurity]

Timeline summary of the TanStack poisoning attack

The author reviewed the analysis report and summarized the process of the TanStack hacker incident as follows:

  • First, the hackers created a branch version in TanStack’s code repository and secretly inserted malicious code into it.
  • Next, they exploited a cache mechanism vulnerability in the automated testing process. When the official system tests the code submitted by hackers, it saves the infected temporary files. Later, during the normal software release process, the system inadvertently reads this infected cache.
  • Finally, the activated malicious code directly reads the system’s memory, precisely targeting the high-privilege security credentials used for software release. After obtaining these credentials, the hackers can bypass normal security checks and directly push updates containing malicious worms to the public NPM registry. These malicious packages even carry the highest-level official security certification marks, making it impossible for typical developers to tell from their appearance that they are dangerous.

When unaware developers download and install the infected packages, Mini Shai-Hulud silently activates in the background. Besides common cloud service keys, the malware also reads over 100 preset file paths, covering configuration files of AI tools used by developers, VPN settings, and the on-disk files of cryptocurrency wallets such as Bitcoin and Ethereum wallets.

After the incident, StepSecurity’s cybersecurity researcher Ashish Kurmi detected anomalies within 20 minutes and reported them. Once the TanStack team was notified, they immediately launched emergency measures, revoked their GitHub push permissions to prevent further damage, and contacted NPM to forcibly remove these 84 malicious versions.

Hackers are getting more powerful, defenses are becoming harder

The TanStack incident sends a security alert to the developer community and crypto users. As AI coding tools become more popular, inexperienced Vibe Coding beginners may also fall into such traps.

Charles Guillemet, CTO of the well-known hardware wallet Ledger, stated that the most cunning aspect of this supply chain attack targeting the AI ecosystem’s NPM packages is that these malicious scripts continuously monitor whether the stolen GitHub credentials have been revoked by users.

If the hackers’ system detects that users have discovered anomalies and are attempting to revoke credentials, the malicious code will immediately retaliate by erasing user data from the affected computers.

Such punitive designs seriously interfere with the disaster recovery efforts of cybersecurity personnel and victims, giving hackers more time to deepen system damage and control. The fact that Mini Shai-Hulud is open source also proves that the cost of launching NPM supply chain attacks is extremely low for them.

He earnestly stated, “We are entering a new era where hacker techniques are becoming extremely powerful, and defending against them is becoming increasingly difficult every day.”
