
Fake TanStack Package Steals Developer Environment Files via npm

Severity: High (Score: 66.0)

Sources: Aikido.Dev, Cybersecuritynews

Summary

A malicious npm package impersonating the legitimate TanStack library has been discovered, designed to steal sensitive environment variable files from developers. The package, published under the unscoped name 'tanstack', released four versions within 27 minutes on April 29, 2026. Each version contained a postinstall script that automatically exfiltrated .env files to an attacker-controlled endpoint without user consent. The first version targeted .env and .env.local files, while subsequent versions iterated on the payload, including a broader sweep of environment files.

The package had approximately 19,830 downloads in the month prior to the attack. The real TanStack library, which includes popular packages like TanStack Query and TanStack Table, is not involved in this incident. Developers are urged to check their installations for the fake package and remove it immediately.

Key Points:

  • A fake npm package named 'tanstack' was published to steal environment files.
  • Four versions of the malicious package were released in 27 minutes on April 29, 2026.
  • The package exfiltrated sensitive data without user consent through a postinstall script.
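
Added here as an example, not code from the advisory or from the TanStack project: a Node.js audit that checks a package-lock.json and package manifests for the unscoped 'tanstack' name and for install-time lifecycle hooks, the mechanism the summary describes. The sample lockfile and manifest are constructed; their version strings and the hook command are placeholders, not values from the incident.

```javascript
// Added example (not the advisory's or TanStack's code): audit an npm lockfile
// and package manifests for the unscoped "tanstack" name and for lifecycle
// hooks that npm executes automatically during `npm install`.

// Lifecycle scripts npm runs without any user action at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Genuine TanStack packages are scoped (@tanstack/...); the bare name is the impersonator.
const SUSPECT_NAMES = new Set(["tanstack"]);

// Report why a package.json object is suspicious: an impersonating name
// and/or hooks that execute code at install time.
function auditManifest(manifest) {
  const findings = [];
  if (SUSPECT_NAMES.has(manifest.name)) {
    findings.push(`name "${manifest.name}" matches a known impersonation`);
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (typeof cmd === "string") findings.push(`install-time hook ${hook}: ${cmd}`);
  }
  return findings;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every entry, nested ones included, whose name is on the suspect list.
function auditLockfile(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    // Derive the package name from the path key (keeps @scope/name intact).
    const name = entry.name || key.slice(key.lastIndexOf(marker) + marker.length);
    if (SUSPECT_NAMES.has(name)) hits.push({ path: key, version: entry.version });
  }
  return hits;
}

// Constructed sample inputs; versions and the hook command are placeholders.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/@tanstack/react-query": { version: "0.0.0-placeholder" },
  "node_modules/tanstack": { version: "0.0.0-placeholder" } } };
const SAMPLE_MANIFEST = { name: "tanstack", version: "0.0.0-placeholder",
  scripts: { postinstall: "node setup.js" } };

console.log("lockfile hits:", auditLockfile(SAMPLE_LOCK));
console.log("manifest findings:", auditManifest(SAMPLE_MANIFEST));
```

Point `auditLockfile` at the parsed contents of a real package-lock.json and `auditManifest` at each node_modules/*/package.json to cover both declared and installed dependencies.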

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • CWE-200 - Exposure of Sensitive Information (cwe)
  • api.svix.com (domain)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1567 - Exfiltration Over Web Service (mitre_attack)
  • Npm (tool)
  • Svix (tool)