A single PR just hijacked the NPM registry...

By Fireship

Key Concepts

  • Supply Chain Attack: A cyberattack that targets a software supply chain by compromising a trusted third-party component.
  • Trusted Publishing: An OIDC-based (OpenID Connect) mechanism that allows CI/CD platforms (like GitHub Actions) to exchange short-lived tokens with the npm registry, eliminating the need for long-lived static credentials.
  • Pull Request Target: A GitHub Actions trigger that runs workflows in the context of the base repository, even when the PR originates from a fork.
  • Dead Man's Switch: A self-destruct mechanism in the malware that triggers destructive behavior (deleting the root directory) if it detects that its stolen credentials have been revoked.
  • Transitive Dependency: A dependency of a dependency; code that is pulled into a project indirectly.
  • Exotic Sub-dependencies: Dependencies that point to external sources (like Git repos or S3 buckets) rather than the official npm registry.

1. The Anatomy of the Attack

The attack targeted the TanStack ecosystem, exploiting the Trusted Publishing workflow. Short-lived tokens did not help here: the attacker bypassed the system by exploiting a logic flaw in the workflow configuration:

  • The Trigger: The attacker forked the TanStack repository and opened a pull request. Because the workflow was configured with pull_request_target, the CI server executed the workflow using the permissions of the main repository, even though the code originated from an untrusted fork.
  • Cache Poisoning: The malicious code wrote a "poisoned" file into the CI server's shared cache, which is used to persist dependencies between jobs.
  • Token Hijacking: When a legitimate, unrelated PR was later merged, the CI server executed the poisoned file. This file intercepted the short-lived npm publish token and used it to publish 84 compromised versions of TanStack packages.
  • Worm-like Propagation: Once a developer installed a compromised package, the malware scanned the local machine for npm publishing tokens. If found, it used those tokens to publish poisoned versions of the developer's own packages, effectively turning a single project's compromise into a widespread supply chain infection.

2. Sophistication and Persistence

The malware demonstrated advanced techniques to evade detection and maintain control:

  • AI Mimicry: It forged commits signed by the "Claude Code" GitHub app, allowing malicious changes to blend in with legitimate AI-generated code.
  • Persistence: It embedded itself into VS Code and the Claude Code extension, ensuring that even if the malicious npm packages were uninstalled, the malware would re-execute upon opening the editor.
  • The Dead Man's Switch: The malware ran a background process that checked every 60 seconds whether the stolen GitHub token remained valid. If the token was revoked, the malware executed a "war crime mode," deleting the user's root directory.

3. Impact and Scope

  • Scale: Within hours, 373 poisoned versions across 169 packages were identified.
  • Victims: Major organizations, including Mistral AI, UiPath, OpenSearch, Guardrails AI, and Squawk, were compromised.
  • Cross-Platform Spread: The worm utilized Python SDKs to jump from the npm registry to the Python Package Index (PyPI).

4. Mitigation Strategies (pnpm Package Manager)

The video highlights three specific features in PNPM (v11+) that serve as effective defenses against this type of supply chain attack:

  1. Minimum Release Age: Refuses to install packages published less than 24 hours ago, providing a "cooling-off" period for security researchers to identify and pull malicious releases.
  2. Block Exotic Sub-dependencies: Prevents the installation of dependencies that point to non-registry sources (e.g., raw Git URLs or S3 buckets), closing a common vector for smuggling malware.
  3. Approved Builds: Blocks all automatic install scripts by default, requiring developers to explicitly allow-list which packages are permitted to execute code during installation.
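To show what the first two policies above actually check, here is an added Python audit (not code from the video or from pnpm) that applies a minimum release age and an exotic-source block to an npm package-lock.json v3 excerpt. The lockfile, package names, URLs and publish timestamps are constructed; a real checker would fetch each package's "time" map from the registry instead of the PUBLISH_TIMES dict.

```python
import json
from datetime import datetime, timedelta, timezone

TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed package-lock.json (v3) excerpt; names, versions and URLs are made up.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/left-util": {"version": "2.4.1",
        "resolved": "https://registry.npmjs.org/left-util/-/left-util-2.4.1.tgz"},
    "node_modules/fresh-lib": {"version": "0.9.0",
        "resolved": "https://registry.npmjs.org/fresh-lib/-/fresh-lib-0.9.0.tgz"},
    "node_modules/exotic-dep": {"version": "1.0.0",
        "resolved": "git+https://github.com/example/exotic-dep.git#0123abcd"},
    "node_modules/bucket-dep": {"version": "3.0.0",
        "resolved": "https://example-bucket.s3.amazonaws.com/bucket-dep-3.0.0.tgz"},
}})

# Constructed stand-in for the registry's "time" map (version -> publish date), which a
# real checker would fetch from https://registry.npmjs.org/<name>; the clock is frozen.
NOW = datetime(2026, 1, 10, 12, 0, tzinfo=timezone.utc)
PUBLISH_TIMES = {
    ("left-util", "2.4.1"): "2025-11-01T09:30:00Z",
    ("fresh-lib", "0.9.0"): "2026-01-10T03:15:00Z",  # under 9 hours old
}

def audit_lockfile(lock_json, publish_times, now, min_age_hours=24):
    """Return {lock path: reason} for every dependency the policy would block."""
    findings = {}
    min_age = timedelta(hours=min_age_hours)
    for path, entry in json.loads(lock_json)["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        resolved = entry.get("resolved", "")
        # Policy 2: anything not served by the trusted registry is an exotic source.
        if not resolved.startswith(TRUSTED_REGISTRY):
            findings[path] = f"exotic source: {resolved}"
            continue
        # Policy 1: refuse versions younger than the minimum release age.
        stamp = publish_times.get((name, entry["version"]))
        if stamp is None:
            findings[path] = "publish time unknown; cannot verify release age"
            continue
        published = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if now - published < min_age:
            findings[path] = f"published {now - published} ago, under {min_age_hours}h"
    return findings
```

Note that an S3 URL served over plain HTTPS is flagged just like a git+ URL, because the check is "not the trusted registry" rather than "looks like Git".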

5. Synthesis and Conclusion

This incident underscores the fragility of modern CI/CD pipelines. Even with "bulletproof" authentication like Trusted Publishing, misconfigured workflow triggers (pull_request_target) can grant attackers the ability to poison shared build environments. The transition from simple credential theft to self-propagating, AI-mimicking worms represents a significant escalation in supply chain threats. Developers are urged to adopt stricter dependency management policies, such as those provided by PNPM, and to utilize observability tools like Sentry’s AI agents to detect and remediate production anomalies caused by such compromises.
