The NPM Worm Is Back And It's So Much Worse (TanStack Hacked)

Shai Hulud is back for round four, and this time it hit TanStack, publishing 84 malicious versions across 42 packages in minutes. This attack includes a deadman switch that wipes your PC if you rotate stolen credentials, steals everything from AWS keys to Claude Code session history, and abuses GitHub Actions cache poisoning and OIDC trusted publishing to look completely legitimate. This is the most sophisticated NPM supply chain attack I've seen. Let's break it down.

🔗 Relevant Links
https://www.stepsecurity.io/blog/mini...
https://socket.dev/blog/tanstack-npm-...
https://snyk.io/blog/tanstack-npm-pac...
https://www.wiz.io/blog/mini-shai-hul...

❤️ More about us
Radically better observability stack: https://betterstack.com/
Written tutorials: https://betterstack.com/community/
Example projects: https://github.com/BetterStackHQ

📱 Socials
Twitter: / betterstackhq
Instagram: / betterstackhq
TikTok: / betterstack
LinkedIn: / betterstack

📌 Chapters:
0:00
0:37 Overview
0:54 What it does
2:37 What it steals
4:09 Self-destruct
5:07 Self-propagation (wormin)
6:42 How TanStack got infected
8:44 Summary