Malicious npm Package Brand-Squats TanStack to Exfiltrate Environment Variables
A supply-chain attack was identified involving the unscoped npm package 'tanstack', which brand-squats the legitimate '@tanstack/*' organization. Versions 2.0.4 through 2.0.7 contain malicious postinstall scripts designed to silently exfiltrate environment variables and markdown files to an attacker-controlled Svix endpoint.
Authors: Socket Research Team
Source:
Socket
- urlhxxps://api[[.]]svix[[.]]com/ingest/api/v1/source/src_3387PLMB2uhXOBe3Q8sHu/Attacker-controlled Svix ingest URL used as a dead-drop for exfiltrated environment variables.
Detection / Hunter
What Happened
A malicious software package named 'tanstack' was uploaded to the npm registry, tricking developers by copying the name of a popular legitimate project. When developers install this fake package, it secretly steals sensitive passwords and configuration files from their computers and sends them to the attacker. This affects software developers and companies that accidentally downloaded the fake package instead of the real one. Anyone who installed the malicious package needs to immediately change their passwords and security keys, and remove the fake package from their systems.
Key Takeaways
- An active supply-chain attack is targeting developers via an unscoped npm package named 'tanstack', which brand-squats the legitimate '@tanstack/*' organization.
- Malicious versions (2.0.4 through 2.0.7) use a postinstall script to silently steal environment variable files (.env, .env.local, .env.production) and markdown files.
- Stolen data is exfiltrated via HTTP POST to an attacker-controlled Svix ingest URL acting as a dead-drop.
- Developers who installed the affected versions must immediately rotate all secrets, API keys, and credentials contained in their environment files.
Affected Systems
- Developer workstations using npm
- CI/CD pipelines
- Container build environments
Attack Chain
The attacker published an unscoped npm package named 'tanstack' to impersonate the legitimate '@tanstack/*' organization. Upon installation, a malicious 'postinstall' script executes automatically. This script searches the project directory for environment variable files (e.g., .env, .env.local) and markdown files. The contents of these files are then exfiltrated via an HTTP POST request to an attacker-controlled Svix ingest URL.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Socket AI Detection
Socket's threat detection automatically identified the malicious postinstall behavior, but no specific detection rules or queries were provided in the article.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can monitor process executions (like node.js running postinstall scripts) and file reads (accessing .env files), as well as outbound network connections from node processes. Network Visibility: Medium — Outbound traffic to api.svix.com from unexpected sources (like CI/CD or dev workstations during npm install) can be detected, though the payload is encrypted via HTTPS. Detection Difficulty: Moderate — Distinguishing legitimate npm install behavior from malicious postinstall scripts requires baseline knowledge of normal network destinations and file access patterns for node.js in the environment.
Required Log Sources
- Process Creation Logs
- Network Connection Logs
- File Access Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for node.js or npm processes initiating outbound network connections to api.svix.com, especially during package installation phases. | Network connection logs mapped to process execution | Exfiltration | Medium |
| Monitor for npm or node processes reading multiple .env files across different directories in a short timeframe. | File access logs | Collection | Medium |
Control Gaps
- Lack of strict egress filtering on CI/CD pipelines
- Inability to block unscoped packages matching scoped names (brand-squatting)
Key Behavioral Indicators
- Execution of postinstall.js reading .env files
- Unexpected POST requests to api.svix.com from node.js
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Uninstall the unscoped 'tanstack' package if present in your environment.
- Rotate all secrets, API keys, and credentials found in .env files if the malicious package was installed.
Infrastructure Hardening
- Block the unscoped 'tanstack' package in internal registries or package firewalls.
- Implement strict egress network filtering for CI/CD pipelines to block unauthorized domains.
User Protection
- Audit package.json and lock files for the presence of the malicious package.
- Use scoped packages (e.g., @tanstack/*) to prevent brand-squatting attacks.
Security Awareness
- Educate developers on the risks of typo-squatting and brand-squatting in package managers.
- Enforce policies requiring verification of package scopes and maintainers before installation.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1552.001 - Credentials In Files
- T1048 - Exfiltration Over Alternative Protocol
Additional IOCs
- Domains:
api[.]svix[.]com- Legitimate domain abused for data exfiltration
- Urls:
hxxps://api[[.]]svix[[.]]com/ingest/api/v1/source/src_3387PLMB2uhXOBe3Q8sHu/- Svix ingest URL used for exfiltration
- File Paths:
.env- Targeted environment variable file.env.local- Targeted environment variable file.env.production- Targeted environment variable fileREADME.md- Targeted markdown fileAGENTS.md- Targeted markdown filepostinstall.js- Malicious script executed during npm install phase
- Other:
sh20raj- npm author/maintainer of the malicious packagesrc_3387PLMB2uhXOBe3Q8sHu- Svix Source ID used by the attackernpm/portalapp@1.0.0- Dependent package affected by the malicious tanstack package