Twenty Minutes Was Not Fast Enough
On May 11, 2026, between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages. TanStack is one of the most widely used open-source libraries in the React ecosystem — TanStack Query alone has over 40 million npm downloads per month. The malicious versions were detected publicly within 20 to 26 minutes by an external researcher. By then, the damage was done.
Two OpenAI employee devices were confirmed compromised. The malware harvested credentials, API keys, and CI/CD secrets from every machine that ran npm install during the 20-minute window. OpenAI issued an advisory on June 12 recommending that all ChatGPT and Codex desktop users on macOS update immediately.
The Attack: GitHub Actions as a Weapon
The attacker exploited three GitHub Actions trust boundaries simultaneously. First, the pull_request_target 'Pwn Request' pattern — a well-known misconfiguration where workflows triggered by pull requests run with the base repository's secrets. Second, GitHub Actions cache poisoning across the fork-to-base trust boundary. Third, runtime memory extraction of the GitHub Actions OIDC token from the runner process.
With the stolen OIDC token, the attacker published packages via TanStack's trusted-publisher binding — the exact mechanism npm uses to generate and verify SLSA provenance. The malicious packages had valid, signed certificates. To npm's provenance system and every SLSA verification tool, these were indistinguishable from legitimate TanStack releases.
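A defender-side check for the three conditions listed above, as an added example that is not from the original article or from TanStack: a heuristic Python scan of a GitHub Actions workflow file. The sample workflow, the function name audit_workflow and the finding labels are constructed for illustration, and the regexes are line heuristics rather than a full YAML parse.

```python
import re

# Constructed sample workflow for illustration; not TanStack's actual file.
SAMPLE_WORKFLOW = """\
on:
  pull_request_target:          # runs in the base repository's context
permissions:
  id-token: write               # job may request an OIDC token
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork-controlled code
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm run build
"""

# Heuristic patterns (assumption: line matching is good enough for triage).
HEAD_REF = re.compile(r"\bref:[ \t]*.*(github\.event\.pull_request\.head\.(sha|ref)"
                      r"|github\.head_ref|refs/pull/)")
CACHE = re.compile(r"uses:[ \t]*actions/cache(/restore|/save)?@")
OIDC = re.compile(r"id-token:[ \t]*write")


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file; an empty list means no match."""
    body = re.sub(r"(^|[ \t])#.*$", "", text, flags=re.M)  # drop YAML comments
    if not re.search(r"\bpull_request_target\b", body):
        return []  # the checks below only matter for pull_request_target
    findings = []
    if HEAD_REF.search(body):
        findings.append("pwn-request: checks out the PR head in the base context")
    if CACHE.search(body):
        findings.append("cache: uses actions/cache in a job fork PRs can trigger")
    if OIDC.search(body):
        findings.append("oidc: id-token: write in a job fork PRs can trigger")
    return findings


if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Any workflow that returns all three findings combines the conditions the article describes and is worth reviewing before the next release is published from that repository.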
SLSA Provenance: Verified, Signed, Malicious
SLSA (Supply-chain Levels for Software Artifacts) is the gold standard for supply chain integrity. It provides cryptographic provenance attestations — proof that a package was built by a specific CI pipeline from a specific source commit. Organizations that verify SLSA provenance before installing packages consider themselves protected from supply chain attacks.
The TanStack compromise demonstrated that SLSA provenance can be forged when the CI pipeline itself is compromised. The attestation said 'built by TanStack/router release.yml@refs/heads/main.' That was technically true — the build did run on TanStack's GitHub Actions runner. But the code it built was not TanStack's code. The provenance verified the process, not the intent. When attackers control the process, provenance verification is a false assurance.
The React Ecosystem Exposure
TanStack Query, TanStack Router, TanStack Table, and TanStack Form are foundational libraries in the React ecosystem. They are dependencies of enterprise applications, SaaS platforms, and production dashboards across every industry. A 20-minute compromise window in these packages is not an academic exercise — it is a real-world credential theft event affecting production systems.
The frameworks most exposed are the ones most deeply integrated with the React/npm ecosystem. A Next.js application using TanStack Query for data fetching had a 20-minute window where npm install would compromise the build server. A Hugo site generating static HTML had zero exposure — no npm, no TanStack, no GitHub Actions OIDC tokens. The supply chain that does not exist cannot be forged, even with valid provenance certificates.