Suggested ATT&CK technique tags, with match confidence and the article excerpt each match was drawn from:

T1195.001 Compromise Software Dependencies and Development Tools (100%)
T1587 Develop Capabilities (82%)
T1204.005 Malicious Library (32%)
Excerpt: "Malicious tanstack package abuses postinstall script to steal developer secrets. A malicious npm package named “tanstack” has been discovered deploying a stealthy data exfiltration campaign, targeting developers through a deceptive naming strategy and a hidden postinstall script…"

T1195.001 Compromise Software Dependencies and Development Tools (74%)
Excerpt: "…ate API keys and tokens. - Review cloud logs (e.g., AWS CloudTrail) for suspicious activity. - Audit CI/CD pipelines, as postinstall scripts execute during automated builds. - Monitor outbound traffic to api.svix.com around installation time. No persistence mechanisms we…"

T1195.002 Compromise Software Supply Chain (66%)
T1195.001 Compromise Software Dependencies and Development Tools (60%)
Excerpt: "…install. Earlier version 2.0.3, published in March, showed no malicious behavior. The sudden introduction of the postinstall script marked the start of the attack. Once triggered, the script silently reads environment files such as .env and .env.local from the developer’s sy…"

T1195.001 Compromise Software Dependencies and Development Tools (34%)
Excerpt: "….env files, no opt-out mechanism. - 2.0.5: temporary shift to harmless files (likely testing exfiltration pipeline). - 2.0.6: most dangerous version, scanning all .env.* variants including production files. - 2.0.7: reverts targeting but adds unusual self-depende…"
Summary
A malicious npm package named “tanstack” has been discovered deploying a stealthy data exfiltration campaign, targeting developers through a deceptive naming strategy and a hidden postinstall script. The package, impersonating the well-known TanStack ecosystem, was weaponized to steal sensitive environment files immediately after installation. The attacker registered the unscoped tanstack package name on npm, exploiting confusion with the legitimate @tanstack organization, […]