IT之家 5 月 12 日消息,网络安全检测机构 Socket 于当地时间 5 月 11 日发出警报,在开源工具库 TanStack 旗下约 84 个 NPM 软件包的恶意版本中发现疑似凭证窃取恶意代码。
受影响软件包覆盖 42 个 @tanstack/* 命名空间下的项目,其中 @tanstack / react-router 的周下载量超 1200 万次,此类工具包在 NPM 生态中被广泛直接或间接引用,使得本次供应链攻击具有极广的传播范围。
分析发现,被篡改的软件包中新增了一个约 2.3MB、经过高强度 JavaScript 混淆的文件 router_init.js,同时 package.json 中增加了一个指向 GitHub 特定提交的 optionalDependencies 依赖项。
该提交来自一个名为 voicproducoes 的 GitHub 账户,是一个无历史记录的单根提交,包含伪造的包 @tanstack / setup 及其 prepare 生命周期钩子,后者在被安装时会执行任意恶意代码。当开发者或 CI 系统执行包安装操作时,该钩子自动运行,从多个常用位置窃取密钥、令牌和凭据,包括 AWS IMDS 与 Secrets Manager、GCP 元数据、Kubernetes 服务账户令牌、Vault 令牌、~/.npmrc、GitHub 令牌以及 SSH 私钥。窃取的数据通过 Session / Oxen 加密文件上传网络外泄,攻击者同时植入持久化监控组件,能够在受害者机器上维持长期访问。
TanStack 在事后技术复盘中将攻击链归因于三种 GitHub Actions 漏洞的组合利用:攻击者利用 pull_request_target“Pwn Request”模式、跨 fork 缓存投毒以及从 GitHub Actions 运行器进程的内存中实时提取 OIDC 令牌。
在此过程中,NPM 凭证并未泄露,合法发布工作流也未遭攻破,恶意发布是通过项目的 OIDC 受信任发布者绑定进行身份验证后直接推送到 NPM 注册表完成的。
官方同时声明,受影响成员账户均启用了双重身份验证,但攻击者利用 Git 环境下孤儿提交方式绕过了现有的发布保护机制。所有恶意版本已被弃用,TanStack 已联系 NPM 安全团队从注册表中移除恶意压缩包,GitHub Actions 缓存条目也已清理。
本次攻击被安全机构归为正在蔓延的大规模“Mini Shai-Hulud”供应链攻击的一部分。此前该攻击曾针对 SAP 生态系统的 NPM 包,现已扩展为波及更广泛的 NPM 投毒活动。
据不完全统计,目前已受影响的软件包覆盖 @squawk、@tanstack、@uipath、@tallyui、@beproduct、@mistralai 等多个命名空间,共计超过 160 个包名、近 373 个恶意版本条目。
其中 @mistralai / mistralai(官方 TypeScript 客户端)和 @uipath / apollo-core 等企业级工具包亦被植入同类型窃取凭证的蠕虫,采用相同的下载 Bun 运行时并执行恶意载荷的传播机制。
软件包版本pypimistralai2.4.6pypi
[email protected]@opensearch-projectopensearch3.8.0npm@opensearch-projectopensearch3.7.0pypi
guardrails-ai0.10.1pypi
[email protected]
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@squawkairports0.6.6npm
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]
ts-dna3.0.4npm
[email protected]@squawkairports0.6.5npm
[email protected]@tallyuiconnector-vendure1.0.3npm
[email protected]@[email protected]@[email protected]
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]
[email protected]@[email protected]@squawkfixes0.3.5npm
[email protected]@[email protected]@[email protected]
[email protected]@[email protected]@squawknavaids0.4.4npm
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@squawkairway-data0.5.6npm
git-git-git1.0.11npm
nextmove-mcp0.1.6npm
[email protected]
[email protected]@[email protected]@[email protected]@[email protected]
git-git-git1.0.10npm
[email protected]@taskflow-corpcli0.1.28npm
[email protected]
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@tallyuistorage-sqlite0.2.2npm
ts-dna3.0.2npm
[email protected]@[email protected]@[email protected]@[email protected]@beproductnestjs-auth0.1.17npm
[email protected]@[email protected]@mistralaimistralai-azure1.7.1npm@[email protected]@[email protected]@mesadevrest0.28.3npm
cross-stitch1.1.3npm
[email protected]
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@tolkacli1.0.3npm
git-branch-selector1.3.4npm
nextmove-mcp0.1.4npm
[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@uipathapi-workflow-tool1.0.1npm@uipathcontext-grounding-tool0.1.1npm@uipathpackager-tool-workflowcompiler-browser0.0.34npm@uipathpackager-tool-workflowcompiler0.0.16npm@[email protected]@uipathresourcecatalog-tool0.1.1npm@uipathvertical-solutions-tool1.0.1npm@[email protected]@uipathcodedagent-tool1.0.1npm@uipathui-widgets-multi-file-upload1.0.1npm@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@uipathproject-packager1.1.16npm@uipathintegrationservice-tool1.0.2npm@[email protected]@uipathsolution-tool1.0.1npm@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]
[email protected]
ml-toolkit-ts1.0.4npm
agentwork-cli0.1.4npm
[email protected]
[email protected]@[email protected]@supersurkhetcli0.0.4npm
[email protected]@[email protected]@[email protected]@[email protected]@draftlabdb0.16.2npm
[email protected]@[email protected]
[email protected]
[email protected]@[email protected]@supersurkhetcli0.0.2npm
[email protected]
[email protected]
git-branch-selector1.3.3npm
[email protected]@[email protected]@tanstackstart-plugin-core1.169.26npm@[email protected]@tanstackvue-start-client1.166.49npm@tanstackreact-start-rsc0.0.50npm@tanstackstart-client-core1.168.8npm@tanstackeslint-plugin-start0.0.7npm@tanstackreact-start1.167.71npm@tanstackrouter-generator1.166.48npm@tanstackeslint-plugin-router1.161.12npm@tanstackrouter-devtools-core1.167.9npm@tanstackvue-start1.167.64npm@tanstackstart-server-core1.167.36npm@tanstacksolid-start-server1.166.57npm@tanstackstart-storage-context1.166.41npm@tanstacksolid-start-client1.166.53npm@tanstacksolid-start1.167.68npm@tanstackrouter-ssr-query-core1.168.6npm@tanstackvirtual-file-routes1.161.13npm@tanstackreact-router-ssr-query1.166.18npm@tanstacknitro-v2-vite-plugin1.154.15npm@tanstackvue-start-server1.166.53npm@tanstacksolid-router-ssr-query1.166.18npm@tanstackreact-start-server1.166.58npm@tanstackreact-start-client1.166.54npm@tanstackstart-fn-stubs1.161.12npm@tanstackrouter-utils1.161.14npm@tanstackreact-router-devtools1.166.19npm@tanstacksolid-router-devtools1.166.19npm@[email protected]@tanstackarktype-adapter1.166.15npm@tanstackvue-router-devtools1.166.19npm@tanstackzod-adapter1.166.15npm@tanstackvue-router-ssr-query1.166.18npm@tanstackstart-static-server-functions1.166.47npm@tanstackrouter-vite-plugin1.166.56npm@tanstackvalibot-adapter1.166.15npm@tanstackrouter-devtools1.166.19npm@tanstacksolid-router1.169.5npm@tanstackstart-plugin-core1.169.23npm@[email protected]@[email protected]@tanstackeslint-plugin-start0.0.4npm@tanstackeslint-plugin-router1.161.9npm@[email protected]@tanstackrouter-generator1.166.45npm@tanstackstart-client-core1.168.5npm@tanstackrouter-devtools-core1.167.6npm@tanstackrouter-utils1.161.11npm@tanstackvue-router-ssr-query1.166.15npm@tanstackarktype-adapter1.166.12npm@tanstackstart-server-core1.167.33npm@tanstacksolid-start1.167.65npm@tanstackreact-router-devtools1.166.16npm@tanstacksolid-router-devtools1.166.16npm@tanstackrouter-cli1.166.46npm@tanstacksolid-start-server1.166.54npm@tanstackvue-router-devtools1.166.16npm@tanstackvirtual-file-routes1.161.10npm@tanstackrouter-ssr-query-core1.168.3npm@tanstackrouter-vite-plugin1.166.53npm@tanstacknitro-v2-vite-plugin1.154.12npm@[email protected]@tanstackreact-router-ssr-query1.166.15npm@tanstackzod-adapter1.166.12npm@tanstackvalibot-adapter1.166.12npm@tanstacksolid-router-ssr-query1.166.15npm@tanstackreact-start-client1.166.51npm@tanstackrouter-devtools1.166.16npm@tanstackreact-start-server1.166.55npm@tanstacksolid-start-client1.166.50npm@tanstackvue-start1.167.61npm@tanstackstart-storage-context1.166.38npm@tanstackstart-static-server-functions1.166.44npm@tanstackvue-start-client1.166.46npm@tanstackvue-start-server1.166.50composerintercomintercom-php5.0.2npm
intercom-client7.0.4pypi
lightning2.6.3pypi
[email protected]@[email protected]
mbt1.2.48
对于开发者和运维团队,官方与安全机构给出了多项立即执行的应急措施:
对受影响的安装主机,应立即按优先级轮换 NPM 令牌、GitHub 个人访问令牌、云服务密钥(IT之家注:AWS / GCP / Azure)、Kubernetes 服务账户令牌以及 SSH 私钥;
审查开发者和项目根目录下的.claude/ 与.vscode/ 文件夹,移除 router_runtime.js 等陌生条目;
使用 git log --all [email protected] 审核仓库是否存在未授权的提交;
限制 GitHub Actions 中 OIDC 令牌的作用域,对所有不需要 OIDC 发布的工作流设置 permissions: id-token:none;
此外,开发者不应单纯信任 Sigstore 来源证明作为安全信号,因为攻击者在具备 GitHub Actions 执行能力后,同样能够生成有效的 Sigstore 证明用于恶意包。
安全团队通过 SHA-256 校验命令 shasum -a 256 在所有依赖树中搜索标识为 ab4fcada…… 的 router_init.js 文件,亦可用于确认是否引入恶意版本。