Claude Code users, beware! TanStack NPM has been hacked and poisoned, with up to 12.7 million downloads per week.

Renowned package TanStack hacked and poisoned by TeamPCP hackers, affecting multiple AI development tools and crypto wallets. Malicious programs not only steal confidential credentials but also retaliate by deleting user data when detected, highlighting the increasing severity of supply chain attack threats.

TanStack NPM attacked, Claude and crypto users affected

A large-scale NPM supply chain attack is happening again! The TanStack NPM package, with a weekly download volume of at least 12.7 million times, has been infiltrated and poisoned by hacker groups. The attack targets the recent popular AI ecosystem, affected packages include Mistral AI, OpenSearch, and Guardrails AI, among others.

The hackers mainly embed malicious code into AI coding assistance tools commonly used by developers, such as Claude Code and Microsoft’s VS Code editor environment, to steal users’ confidential credentials, including highly critical GitHub access tokens for developers.

If you downloaded a poisoned version of TanStack NPM on May 11, 2026, please follow theofficial guidanceimmediately to change all potentially compromised accounts, passwords, and cloud credentials.

Hackers from TeamPCP poisoned packages in six minutes

According to StepSecurity’s analysis report, this attack was launched by the active hacker group TeamPCP. The group previously carried out a similar nested supply chain attack on the AI open-source package LiteLLM in March this year, resulting in hundreds of GB of confidential data and over 500k credentials leaking.

• Related report: LiteLLM hacker poisoning incident overview: How to check if your crypto wallets and cloud keys are compromised?

Now, TeamPCP has shifted focus to TanStack, and after the attack, they released malicious worm malware called Mini Shai-Hulud on GitHub. This malware can self-propagate, automatically seeking out and stealing various passwords and keys once it infiltrates a system.

The TanStack hacker incident occurred on May 11. In just six minutes, the hackers released 84 versions containing malicious code across 42 TanStack-related packages, using three system vulnerabilities and chain reactions of mechanisms to achieve their goal.

Image source: StepSecurity, compiled by StepSecurity on TanStack hacker affected packages

TanStack Poisoning Hacker Timeline Summary

The author reviewed the analysis report and summarized the process of the TanStack hacker incident as follows:

• First, the hackers created a branch version in TanStack’s code repository and secretly inserted malicious code into it.
• Next, they exploited a cache mechanism vulnerability in the automated testing process. When the official system tests the code submitted by hackers, it saves the infected temporary files. Later, during the normal software release process, the system inadvertently reads this infected cache.
• Finally, the malicious code that was activated directly reads the system’s memory during operation, precisely capturing high-privilege security credentials used for releasing software. After obtaining the credentials, the hackers can bypass normal security checks and directly push updates of packages containing malicious worms to the public NPM registry. These packages even carry official security certification marks, making it impossible for typical developers to distinguish their danger at a glance.

When unaware developers download and install the infected packages, Mini Shai-Hulud silently activates in the background. Besides common cloud service keys, the virus also reads over 100 preset file paths, covering developer-used AI tool configuration files, VPN settings, and physical files of cryptocurrencies like Bitcoin and Ethereum wallets.

After the incident, StepSecurity’s cybersecurity researcher Ashish Kurmi detected anomalies within 20 minutes and reported them. Once the TanStack team was notified, they immediately initiated emergency measures, revoked their GitHub push permissions to prevent further damage, and contacted NPM to forcibly remove these 84 malicious versions.

Hackers are getting more powerful, defenses are becoming harder

The TanStack incident sends a security alert to the developer community and crypto users. The increasing popularity of AI coding tools may also cause inexperienced Vibe Coding beginners to fall into traps.

Charles Guillemet, CTO of well-known hardware wallet Ledger, stated that the most cunning aspect of this supply chain attack targeting the AI ecosystem’s NPM packages is that these malicious scripts continuously monitor whether the stolen GitHub credentials have been revoked by users.

If the hackers’ system detects that users discover suspicious activity and attempt to revoke credentials, the malicious code will immediately retaliate by erasing user data from the affected computer’s main directory.

Such punitive designs seriously interfere with cybersecurity personnel and victims’ disaster recovery efforts, giving hackers more time to deepen system damage and control. The fact that Mini Shai-Hulud is open source also proves that the cost of supply chain attacks on NPM is extremely low for them.

He earnestly stated, “We are entering a new era where hacker techniques are becoming extremely powerful, and defending against them is becoming increasingly difficult every day.”