@tanstack/start-storage-context @1.166.41
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-3492
Ecosystem
npm
Summary
This version of @tanstack/start-storage-context belongs to the @tanstack/* package family that was compromised via CI cache poisoning, with 42 packages republished in two malicious versions each on 2026-05-11. The campaign's structural fingerprints are:
- an undeclared multi-megabyte obfuscated JavaScript blob at the tarball root, not listed in package.json's "files" array;
- an optionalDependencies entry pointing at a github: orphan-commit reference ("@tanstack/setup": "github:tanstack/router#<sha>"), used to smuggle a second-stage payload from outside the npm registry;
- harvesting of cloud-provider metadata and cluster credentials (AWS IMDS, GCP metadata, Kubernetes service-account tokens), npm tokens from ~/.npmrc, GitHub tokens, and SSH keys;
- exfiltration over Session/Oxen (filev2.getsession.org, seed{1,2,3}.getsession.org) to defeat IP/domain blocking;
- second-stage fetch from litter.catbox.moe (an anonymous host with a 72-hour TTL);
- /proc/<pid>/mem scraping of the GitHub Actions runner's OIDC token, used to publish further malicious versions;
- self-propagation via the npm maintainer-search API.
Installing this version on a developer machine or CI runner exposes credentials, cloud metadata, and any reachable npm/GitHub publishing identities to the attacker.
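The first two fingerprints above (an oversized root file the manifest does not declare, and a dependency field pinned to a github: commit) are visible in the tarball before anything is installed, so they can be checked in a pre-install gate. The following is an added example, not code from the OSV report or from the @tanstack project: it takes a parsed package.json plus a listing of tarball entries (path and size, as produced by `tar -tzvf` on the downloaded .tgz or by `npm pack --dry-run --json`) and reports both fingerprints. The package name, file listing, sizes, the 1 MiB threshold and the all-zero commit sha are constructed placeholders; the regex flags any full-sha github: pin for review and cannot itself prove the commit is orphaned.

```javascript
// Added example (not from the OSV report or the @tanstack project): pre-install
// triage for two tarball-level fingerprints described in the advisory.

// "github:owner/repo#<full 40-hex sha>": a commit pin that bypasses the registry.
// Flags the shape for review; whether the commit is orphaned needs a git lookup.
const GITHUB_SHA_SPEC = /^github:([\w.-]+)\/([\w.-]+)#([0-9a-f]{40})$/i;
// Any other git-hosted specifier is reported too, without a pinned sha.
const OTHER_GIT_SPEC = /^(github:|gitlab:|bitbucket:|git\+|git:\/\/)/i;
// Assumed threshold: the report says "multi-megabyte"; 1 MiB catches a trimmed blob.
const BLOB_THRESHOLD_BYTES = 1024 * 1024;
// Files npm packs regardless of the "files" allowlist.
const ALWAYS_PACKED = /^(package\.json|readme(\..*)?|licen[cs]e(\..*)?|changelog(\..*)?)$/i;

// Every dependency field, any specifier that points at a git host.
function findGitSpecifiers(manifest) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const hits = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec !== "string") continue;
      const m = GITHUB_SHA_SPEC.exec(spec);
      if (m) hits.push({ field, name, spec, pinnedSha: m[3].toLowerCase() });
      else if (OTHER_GIT_SPEC.test(spec)) hits.push({ field, name, spec, pinnedSha: null });
    }
  }
  return hits;
}

// Minimal glob support for "files" entries: "*" matches within one path segment.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, "[^/]*");
  return new RegExp("^" + escaped + "$");
}

// Is a root-level tarball entry accounted for by package.json?
function isDeclared(rel, manifest) {
  if (ALWAYS_PACKED.test(rel)) return true;
  const main = typeof manifest.main === "string" ? manifest.main.replace(/^\.\//, "") : null;
  if (main === rel) return true;
  if (!Array.isArray(manifest.files)) return true; // no allowlist: npm packs everything not ignored
  return manifest.files.some((pattern) => {
    const p = String(pattern).replace(/^\.\//, "").replace(/\/$/, "");
    return p === rel || globToRegExp(p).test(rel);
  });
}

// npm tarballs prefix every path with "package/"; keep only root-level files.
function rootEntries(entries) {
  return entries
    .map((e) => ({ ...e, rel: e.path.replace(/^package\//, "") }))
    .filter((e) => e.rel && !e.rel.includes("/"));
}

function findUndeclaredRootBlobs(manifest, entries) {
  return rootEntries(entries)
    .filter((e) => !isDeclared(e.rel, manifest) && e.size >= BLOB_THRESHOLD_BYTES)
    .map((e) => ({ path: e.rel, size: e.size }));
}

function triagePackage(manifest, entries) {
  const gitSpecifiers = findGitSpecifiers(manifest);
  const undeclaredRootBlobs = findUndeclaredRootBlobs(manifest, entries);
  return { gitSpecifiers, undeclaredRootBlobs, suspicious: gitSpecifiers.length > 0 || undeclaredRootBlobs.length > 0 };
}

// Constructed sample: a placeholder manifest carrying the advisory's specifier
// shape (sha replaced by zeros) and a 3 MiB root file absent from "files".
const sampleManifest = {
  name: "@example/widget",
  version: "0.0.0",
  main: "dist/index.js",
  files: ["dist", "README.md"],
  dependencies: { "@example/helper": "^1.2.0" },
  optionalDependencies: { "@tanstack/setup": "github:tanstack/router#" + "0".repeat(40) },
};
const sampleEntries = [
  { path: "package/package.json", size: 812 },
  { path: "package/README.md", size: 2048 },
  { path: "package/dist/index.js", size: 51200 },
  { path: "package/dist/index.js.map", size: 99000 },
  { path: "package/ab12cd.js", size: 3 * 1024 * 1024 }, // undeclared root blob
];

console.log(JSON.stringify(triagePackage(sampleManifest, sampleEntries), null, 2));
```

To run it against a real download, feed the output of `npm pack <pkg>@<version>` through `tar -tzvf` for the entry list and read package.json out of the same tarball; a non-empty result should block the install and be raised to a human, not auto-remediated.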
Source: amazon-inspector (e7021ac6b47d0f973f936ca9d15cd26f43a01b1151ce691ec8b10be5001be2bb)