@tanstack/solid-router-devtools @1.166.19
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3482
Ecosystem
npm
Summary
This version falls within the @tanstack/* package family compromised on 2026-05-11. The campaign published 42 packages × 2 versions each with the following structural fingerprints:
- a ~2.3 MB obfuscated JavaScript payload at the tarball root, not declared in package.json's files array;
- an optionalDependencies entry pointing at an orphan commit in the repository's fork network (github:<owner>/<repo>#<sha> form);
- a second-stage payload fetched from litter.catbox.moe (an anonymous file host with a 72-hour TTL);
- credential harvesting from AWS IMDS, GCP metadata, Kubernetes service account tokens, ~/.npmrc, GitHub tokens (environment variables, the gh CLI, .git-credentials), and SSH keys;
- exfiltration via Session/Oxen (filev2.getsession.org, seed{1,2,3}.getsession.org) to defeat IP/domain blocking;
- self-propagation by enumerating the victim maintainer's other packages via registry.npmjs.org/-/v1/search?text=maintainer:<victim> and republishing them;
- scraping the GitHub Actions runner's OIDC token from /proc/<pid>/mem to publish directly to registry.npmjs.org.
Installing this version exposes any installer credentials reachable from the build/CI environment to attacker-controlled exfiltration channels.
Source: amazon-inspector (d97a7cf294a17c17e22c7eead7d3de9f693c5488aecba96129d5b79b52f430de)
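As an added example (not code from the advisory, OSV or amazon-inspector), the following Node.js script checks a parsed package.json and a tarball file listing for the structural fingerprints named in the summary: a git-commit-pinned optionalDependencies entry, a large root-level .js file absent from the "files" array, and references to the named exfiltration hosts. The package.json, the tarball entries and the 1 MiB size threshold are constructed assumptions.

```javascript
// Static checks for the structural fingerprints listed in the advisory summary.
// Input: a parsed package.json and tarball entries ({ path, size, text }) such as
// a tarball lister would produce. Sample data below is constructed, not real.
const PINNED_FORK_DEP = /^github:[^/#\s]+\/[^/#\s]+#[0-9a-f]{7,40}$/i;
const EXFIL_HOSTS = ['litter.catbox.moe', 'getsession.org'];
const LARGE_ROOT_JS = 1024 * 1024; // 1 MiB (assumed threshold; the payload was ~2.3 MB)

// True if `file` is covered by a "files" entry: exact name or directory prefix.
// Globs like "dist/**" are reduced to their directory prefix; other globs are not expanded.
function declaredInFiles(files, file) {
  return files.some((f) => {
    const clean = f.replace(/\/?\*+$/, '').replace(/\/$/, '');
    return clean === file || file.startsWith(clean + '/');
  });
}

function scanPackage(pkg, entries) {
  const findings = [];
  for (const field of ['dependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (PINNED_FORK_DEP.test(spec)) {
        // A commit-pinned git dependency is not malicious by itself; confirm the
        // SHA is reachable from the upstream repository's default branch.
        findings.push(`${field}.${name} pins a git commit (${spec}); verify it is reachable upstream`);
      }
    }
  }
  const files = Array.isArray(pkg.files) ? pkg.files : null;
  for (const e of entries) {
    const path = e.path.replace(/^package\//, ''); // npm tarballs prefix every entry with package/
    const atRoot = !path.includes('/');
    if (atRoot && path.endsWith('.js') && e.size >= LARGE_ROOT_JS && files && !declaredInFiles(files, path)) {
      findings.push(`${path} (${e.size} bytes) sits at the tarball root but is not in "files"`);
    }
    for (const host of EXFIL_HOSTS) {
      if ((e.text || '').includes(host)) findings.push(`${path} references ${host}`);
    }
  }
  return findings;
}

// Constructed sample that mirrors the fingerprints above (hypothetical package and dependency).
const SAMPLE_PKG = {
  name: 'example-pkg', version: '1.0.0', files: ['dist', 'README.md'],
  optionalDependencies: { 'some-helper': 'github:someone/some-helper#0123456789abcdef0123456789abcdef01234567' },
};
const SAMPLE_ENTRIES = [
  { path: 'package/dist/index.js', size: 4096, text: 'module.exports = {}' },
  { path: 'package/README.md', size: 512, text: '# example' },
  { path: 'package/x.js', size: 2400000, text: 'fetch("https://litter.catbox.moe/abc")' },
];
console.log(scanPackage(SAMPLE_PKG, SAMPLE_ENTRIES).join('\n'));
```

Run it against the output of `npm pack --dry-run --json` plus the extracted tarball to review a package before installing it.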