IT之家 reports (May 12) that the security vendor Socket issued an alert on May 11 (local time) after finding suspected credential-stealing malicious code in malicious versions of about 84 NPM packages belonging to the open-source TanStack project. The affected packages span 42 projects under the @tanstack/* namespace; @tanstack/react-router alone has more than 12 million weekly downloads, and because such packages are pulled in, directly or transitively, across the whole NPM ecosystem, this supply-chain attack has an unusually wide reach.

Analysis shows that the tampered packages gained a new, heavily obfuscated JavaScript file of about 2.3 MB named router_init.js, and that package.json gained an optionalDependencies entry pointing at a specific GitHub commit. That commit comes from a GitHub account named voicproducoes; it is a single root commit with no history and contains a forged package, @tanstack/setup, whose prepare lifecycle hook executes arbitrary malicious code when the package is installed. When a developer or a CI system runs a package install, the hook runs automatically and harvests keys, tokens and credentials from a number of common locations, including AWS IMDS and Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc, GitHub tokens and SSH private keys. The stolen data is exfiltrated through the Session/Oxen encrypted file-upload network, and the attacker also plants a persistent monitoring component that maintains long-term access to the victim machine.

In its post-incident technical review, TanStack attributed the attack chain to the combined exploitation of three GitHub Actions weaknesses: the pull_request_target "Pwn Request" pattern, cross-fork cache poisoning, and live extraction of OIDC tokens from the memory of the GitHub Actions runner process. No NPM credentials were leaked and the legitimate publishing workflow was not compromised; the malicious releases were pushed straight to the NPM registry after authenticating through the project's OIDC trusted-publisher binding. The project also stated that every affected member account had two-factor authentication enabled, but the attacker used orphan commits in Git to bypass the existing publishing protections. All malicious versions have been deprecated, TanStack has asked the NPM security team to remove the malicious tarballs from the registry, and the GitHub Actions cache entries have been purged.

Security firms classify this attack as part of the ongoing, large-scale "Mini Shai-Hulud" supply-chain campaign, which earlier targeted NPM packages in the SAP ecosystem and has since grown into a broader NPM poisoning campaign. By an incomplete count, the affected packages span the @squawk, @tanstack, @uipath, @tallyui, @beproduct and @mistralai namespaces among others, totalling more than 160 package names and close to 373 malicious version entries. Enterprise-grade packages such as @mistralai/mistralai (the official TypeScript client) and @uipath/apollo-core were implanted with the same credential-stealing worm, which uses the same propagation mechanism of downloading the Bun runtime and executing the malicious payload.

Affected package versions:

Registry | Package | Malicious versions
pypi | mistralai | 2.4.6
pypi | guardrails-ai | 0.10.1
pypi | lightning | 2.6.3, 2.6.2
composer | intercom/intercom-php | 5.0.2
npm | intercom-client | 7.0.4
npm | mbt | 1.2.48
npm | @cap-js/db-service | 2.10.1
npm | @cap-js/postgres | 2.2.2
npm | @cap-js/sqlite | 2.2.2
npm | @opensearch-project/opensearch | 3.8.0, 3.7.0, 3.6.2, 3.5.3
npm | cross-stitch | 1.1.7, 1.1.6, 1.1.5, 1.1.4, 1.1.3
npm | ts-dna | 3.0.5, 3.0.4, 3.0.3, 3.0.2, 3.0.1
npm | git-git-git | 1.0.12, 1.0.11, 1.0.10, 1.0.9, 1.0.8
npm | git-branch-selector | 1.3.7, 1.3.6, 1.3.5, 1.3.4, 1.3.3
npm | nextmove-mcp | 0.1.7, 0.1.6, 0.1.5, 0.1.4, 0.1.3
npm | cmux-agent-mcp | 0.1.8, 0.1.7, 0.1.6, 0.1.5, 0.1.4, 0.1.3
npm | wot-api | 0.8.4, 0.8.3, 0.8.2, 0.8.1
npm | ml-toolkit-ts | 1.0.5, 1.0.4
npm | @ml-toolkit-ts/preprocessing | 1.0.3, 1.0.2
npm | @ml-toolkit-ts/xgboost | 1.0.4, 1.0.3
npm | agentwork-cli | 0.1.5, 0.1.4
npm | safe-action | 0.8.4, 0.8.3
npm | @mistralai/mistralai | 2.2.4, 2.2.3, 2.2.2
npm | @mistralai/mistralai-azure | 1.7.3, 1.7.2, 1.7.1
npm | @mistralai/mistralai-gcp | 1.7.3, 1.7.2, 1.7.1
npm | @beproduct/nestjs-auth | 0.1.19, 0.1.18, 0.1.17, 0.1.16, 0.1.15, 0.1.14, 0.1.13, 0.1.12, 0.1.11, 0.1.10, 0.1.9, 0.1.8, 0.1.7, 0.1.6, 0.1.5, 0.1.4, 0.1.3, 0.1.2
npm | @dirigible-ai/sdk | 0.6.3, 0.6.2
npm | @mesadev/saguaro | 0.4.22
npm | @mesadev/sdk | 0.28.3
npm | @mesadev/rest | 0.28.3
npm | @supersurkhet/cli | 0.0.7, 0.0.6, 0.0.5, 0.0.4, 0.0.3, 0.0.2
npm | @supersurkhet/sdk | 0.0.7, 0.0.6, 0.0.5, 0.0.4, 0.0.3, 0.0.2
npm | @taskflow-corp/cli | 0.1.29, 0.1.28, 0.1.27, 0.1.26, 0.1.25, 0.1.24
npm | @tolka/cli | 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2
npm | @draftlab/auth | 0.24.2, 0.24.1
npm | @draftlab/db | 0.16.2, 0.16.1
npm | @draftlab/auth-router | 0.5.2, 0.5.1
npm | @draftauth/core | 0.13.2, 0.13.1
npm | @draftauth/client | 0.2.2, 0.2.1
npm | @tallyui/pos | 0.1.3, 0.1.2, 0.1.1
npm | @tallyui/core | 0.2.3, 0.2.2, 0.2.1
npm | @tallyui/theme | 0.2.3, 0.2.2, 0.2.1
npm | @tallyui/storage-sqlite | 0.2.3, 0.2.2, 0.2.1
npm | @tallyui/components | 1.0.3, 1.0.2, 1.0.1
npm | @tallyui/database | 1.0.3, 1.0.2, 1.0.1
npm | @tallyui/connector-vendure | 1.0.3, 1.0.2, 1.0.1
npm | @tallyui/connector-shopify | 1.0.3, 1.0.2, 1.0.1
npm | @tallyui/connector-woocommerce | 1.0.3, 1.0.2, 1.0.1
npm | @tallyui/connector-medusa | 1.0.3, 1.0.2, 1.0.1
npm | @squawk/fix-data | 0.6.8, 0.6.7, 0.6.6, 0.6.5, 0.6.4
npm | @squawk/weather | 0.5.10, 0.5.9, 0.5.8, 0.5.7, 0.5.6
npm | @squawk/icao-registry-data | 0.8.8, 0.8.7, 0.8.6, 0.8.5, 0.8.4
npm | @squawk/icao-registry | 0.5.6, 0.5.5, 0.5.4, 0.5.3, 0.5.2
npm | @squawk/airport-data | 0.7.8, 0.7.7, 0.7.6, 0.7.5, 0.7.4
npm | @squawk/airports | 0.6.6, 0.6.5, 0.6.4, 0.6.3, 0.6.2
npm | @squawk/flightplan | 0.5.6, 0.5.5, 0.5.4, 0.5.3, 0.5.2
npm | @squawk/units | 0.4.7, 0.4.6, 0.4.5, 0.4.4, 0.4.3
npm | @squawk/flight-math | 0.5.8, 0.5.7, 0.5.6, 0.5.5, 0.5.4
npm | @squawk/mcp | 0.9.5, 0.9.4, 0.9.3, 0.9.2, 0.9.1
npm | @squawk/fixes | 0.3.6, 0.3.5, 0.3.4, 0.3.3, 0.3.2
npm | @squawk/airspace-data | 0.5.7, 0.5.6, 0.5.5, 0.5.4, 0.5.3
npm | @squawk/airspace | 0.8.5, 0.8.4, 0.8.3, 0.8.2, 0.8.1
npm | @squawk/procedure-data | 0.7.7, 0.7.6, 0.7.5, 0.7.4, 0.7.3
npm | @squawk/procedures | 0.5.6, 0.5.5, 0.5.4, 0.5.3, 0.5.2
npm | @squawk/navaids | 0.4.6, 0.4.5, 0.4.4, 0.4.3, 0.4.2
npm | @squawk/navaid-data | 0.6.8, 0.6.7, 0.6.6, 0.6.5, 0.6.4
npm | @squawk/notams | 0.3.10, 0.3.9, 0.3.8, 0.3.7, 0.3.6
npm | @squawk/airways | 0.4.6, 0.4.5, 0.4.4, 0.4.3, 0.4.2
npm | @squawk/airway-data | 0.5.8, 0.5.7, 0.5.6, 0.5.5, 0.5.4
npm | @squawk/types | 0.8.5, 0.8.4, 0.8.3, 0.8.2, 0.8.1
npm | @squawk/geo | 0.4.8, 0.4.7, 0.4.6, 0.4.5, 0.4.4
npm | @uipath/apollo-react | 4.24.5
npm | @uipath/apollo-core | 5.9.2
npm | @uipath/apollo-wind | 2.16.2
npm | @uipath/agent.sdk | 0.0.18
npm | @uipath/widget.sdk | 1.2.3
npm | @uipath/agent-sdk | 1.0.2
npm | @uipath/tool-workflowcompiler | 0.0.12
npm | @uipath/filesystem | 1.0.1
npm | @uipath/robot | 1.3.4
npm | @uipath/telemetry | 0.0.7
npm | @uipath/integrationservice-sdk | 1.0.2
npm | @uipath/integrationservice-tool | 1.0.2
npm | @uipath/ap-chat | 1.5.7
npm | @uipath/packager-tool-apiworkflow | 0.0.19
npm | @uipath/packager-tool-workflowcompiler-browser | 0.0.34
npm | @uipath/packager-tool-workflowcompiler | 0.0.16
npm | @uipath/packager-tool-case | 0.0.9
npm | @uipath/packager-tool-flow | 0.0.19
npm | @uipath/packager-tool-bpmn | 0.0.9
npm | @uipath/packager-tool-webapp | 1.0.6
npm | @uipath/packager-tool-functions | 0.1.1
npm | @uipath/packager-tool-connector | 0.0.19
npm | @uipath/case-tool | 1.0.1
npm | @uipath/codedagents-tool | 0.1.12
npm | @uipath/codedagent-tool | 1.0.1
npm | @uipath/codedapp-tool | 1.0.1
npm | @uipath/api-workflow-tool | 1.0.1
npm | @uipath/context-grounding-tool | 0.1.1
npm | @uipath/aops-policy-tool | 0.3.1
npm | @uipath/flow-tool | 1.0.2
npm | @uipath/resourcecatalog-tool | 0.1.1
npm | @uipath/vertical-solutions-tool | 1.0.1
npm | @uipath/data-fabric-tool | 1.0.2
npm | @uipath/ui-widgets-multi-file-upload | 1.0.1
npm | @uipath/docsai-tool | 1.0.1
npm | @uipath/insights-tool | 1.0.1
npm | @uipath/insights-sdk | 1.0.1
npm | @uipath/solutionpackager-sdk | 1.0.11
npm | @uipath/solutionpackager-tool-core | 0.0.34
npm | @uipath/solution-packager | 0.0.35
npm | @uipath/solution-tool | 1.0.1
npm | @uipath/project-packager | 1.1.16
npm | @uipath/auth | 1.0.1
npm | @uipath/maestro-tool | 1.0.1
npm | @uipath/maestro-sdk | 1.0.1
npm | @uipath/cli | 1.0.1
npm | @uipath/llmgw-tool | 1.0.1
npm | @uipath/resource-tool | 1.0.1
npm | @uipath/resources-tool | 0.1.11
npm | @uipath/common | 1.0.1
npm | @uipath/gov-tool | 0.3.1
npm | @uipath/traces-tool | 1.0.1
npm | @uipath/admin-tool | 0.1.1
npm | @uipath/vss | 0.1.6
npm | @uipath/orchestrator-tool | 1.0.1
npm | @uipath/uipath-python-bridge | 1.0.1
npm | @uipath/tasks-tool | 1.0.1
npm | @uipath/test-manager-tool | 1.0.2
npm | @uipath/agent-tool | 1.0.1
npm | @uipath/functions-tool | 1.0.1
npm | @uipath/identity-tool | 0.1.1
npm | @uipath/access-policy-tool | 0.3.1
npm | @uipath/access-policy-sdk | 0.3.1
npm | @uipath/rpa-tool | 0.9.5
npm | @uipath/rpa-legacy-tool | 1.0.1
npm | @uipath/platform-tool | 1.0.1
npm | @tanstack/react-router | 1.169.8, 1.169.5
npm | @tanstack/solid-router | 1.169.8, 1.169.5
npm | @tanstack/vue-router | 1.169.8, 1.169.5
npm | @tanstack/router-core | 1.169.8, 1.169.5
npm | @tanstack/start-plugin-core | 1.169.26, 1.169.23
npm | @tanstack/router-plugin | 1.167.41, 1.167.38
npm | @tanstack/router-generator | 1.166.48, 1.166.45
npm | @tanstack/router-cli | 1.166.49, 1.166.46
npm | @tanstack/router-utils | 1.161.14, 1.161.11
npm | @tanstack/router-vite-plugin | 1.166.56, 1.166.53
npm | @tanstack/nitro-v2-vite-plugin | 1.154.15, 1.154.12
npm | @tanstack/router-devtools | 1.166.19, 1.166.16
npm | @tanstack/router-devtools-core | 1.167.9, 1.167.6
npm | @tanstack/react-router-devtools | 1.166.19, 1.166.16
npm | @tanstack/solid-router-devtools | 1.166.19, 1.166.16
npm | @tanstack/vue-router-devtools | 1.166.19, 1.166.16
npm | @tanstack/router-ssr-query-core | 1.168.6, 1.168.3
npm | @tanstack/react-router-ssr-query | 1.166.18, 1.166.15
npm | @tanstack/solid-router-ssr-query | 1.166.18, 1.166.15
npm | @tanstack/vue-router-ssr-query | 1.166.18, 1.166.15
npm | @tanstack/virtual-file-routes | 1.161.13, 1.161.10
npm | @tanstack/history | 1.161.12, 1.161.9
npm | @tanstack/eslint-plugin-router | 1.161.12, 1.161.9
npm | @tanstack/eslint-plugin-start | 0.0.7, 0.0.4
npm | @tanstack/arktype-adapter | 1.166.15, 1.166.12
npm | @tanstack/zod-adapter | 1.166.15, 1.166.12
npm | @tanstack/valibot-adapter | 1.166.15, 1.166.12
npm | @tanstack/react-start | 1.167.71, 1.167.68
npm | @tanstack/react-start-client | 1.166.54, 1.166.51
npm | @tanstack/react-start-server | 1.166.58, 1.166.55
npm | @tanstack/react-start-rsc | 0.0.50, 0.0.47
npm | @tanstack/solid-start | 1.167.68, 1.167.65
npm | @tanstack/solid-start-client | 1.166.53, 1.166.50
npm | @tanstack/solid-start-server | 1.166.57, 1.166.54
npm | @tanstack/vue-start | 1.167.64, 1.167.61
npm | @tanstack/vue-start-client | 1.166.49, 1.166.46
npm | @tanstack/vue-start-server | 1.166.53, 1.166.50
npm | @tanstack/start-client-core | 1.168.8, 1.168.5
npm | @tanstack/start-server-core | 1.167.36, 1.167.33
npm | @tanstack/start-storage-context | 1.166.41, 1.166.38
npm | @tanstack/start-static-server-functions | 1.166.47, 1.166.44
npm | @tanstack/start-fn-stubs | 1.161.12, 1.161.9

For developers and operations teams, the project and the security firms have issued several emergency measures to carry out immediately:

- On every host where an affected version was installed, rotate, in order of priority, NPM tokens, GitHub personal access tokens, cloud credentials (IT之家 note: AWS/GCP/Azure), Kubernetes service-account tokens and SSH private keys.
- Review the .claude/ and .vscode/ folders in developer home directories and project roots and remove unfamiliar entries such as router_runtime.js.
- Run git log --all --author=claude@users.noreply.github.com to audit repositories for unauthorized commits.
- Restrict the scope of OIDC tokens in GitHub Actions: set permissions: id-token: none on every workflow that does not need OIDC publishing.
- Do not treat a Sigstore provenance attestation alone as a security signal: once an attacker can execute GitHub Actions, they can also produce a valid Sigstore attestation for a malicious package.

Security teams can also confirm whether a malicious version has been pulled in by searching every dependency tree, with the SHA-256 checksum command shasum -a 256, for a router_init.js file whose hash begins with ab4fcada……
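The checks above (a payload file under a known name, a dependency pinned to a GitHub commit through optionalDependencies, and a prepare hook inside an installed package) can be run over a checkout or install tree in one pass. The script below is an added example written for this page, not code from the IT之家 article, Socket or TanStack; it assumes bash with find, grep and shasum or sha256sum, the finding labels and the KNOWN_HASH_PREFIX variable are this example's own, and the prefix ab4fcada is only the truncated value quoted in the article, so the full SHA-256 from the advisory should be substituted before a HASH_MATCH is treated as confirmed.

```shell
#!/usr/bin/env bash
# Added example (not code from the IT之家 article, Socket or TanStack): audit a
# project checkout or install tree for the indicators the article lists.
# Assumes bash, find, grep and shasum or sha256sum. The finding labels
# (HASH_MATCH, SUSPECT_NAME, GIT_DEP, PREPARE_HOOK) are this example's own.

# The article only quotes the first eight hex digits of the payload hash
# ("ab4fcada…"); replace this prefix with the full SHA-256 from the advisory
# before treating a HASH_MATCH as confirmed.
KNOWN_HASH_PREFIX="${KNOWN_HASH_PREFIX:-ab4fcada}"

# File names the article associates with the injected payload and its
# persistence component.
SUSPECT_FILES="router_init.js router_runtime.js"

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# audit_tree DIR: print one "LABEL<TAB>path<TAB>detail" line per finding.
audit_tree() {
  dir="$1"

  # 1. Any file carrying the payload's name, anywhere in the tree (this also
  #    covers the .claude/ and .vscode/ folders the article says to review).
  #    The hash lets a hit be compared with the advisory checksum.
  for name in $SUSPECT_FILES; do
    find "$dir" -type f -name "$name" 2>/dev/null | while IFS= read -r f; do
      h=$(sha256_of "$f")
      case "$h" in
        "$KNOWN_HASH_PREFIX"*) printf 'HASH_MATCH\t%s\t%s\n' "$f" "$h" ;;
        *)                     printf 'SUSPECT_NAME\t%s\t%s\n' "$f" "$h" ;;
      esac
    done
  done

  find "$dir" -type f -name package.json 2>/dev/null | while IFS= read -r pj; do
    # 2. A dependency pinned to a GitHub repository or commit instead of a
    #    registry version: the optionalDependencies vector the article describes.
    if grep -qE '"[^"]+"[[:space:]]*:[[:space:]]*"(github:|git\+|https?://github\.com/)' "$pj"; then
      spec=$(grep -oE '"(github:|git\+|https?://github\.com/)[^"]*"' "$pj" | head -n 1)
      printf 'GIT_DEP\t%s\t%s\n' "$pj" "$spec"
    fi
    # 3. A prepare lifecycle hook inside an installed dependency: npm runs it
    #    at install time, which is how the forged @tanstack/setup package ran
    #    its payload.
    case "$pj" in
      */node_modules/*)
        if grep -qE '"prepare"[[:space:]]*:' "$pj"; then
          hook=$(grep -oE '"prepare"[[:space:]]*:[[:space:]]*"[^"]*"' "$pj" | head -n 1)
          printf 'PREPARE_HOOK\t%s\t%s\n' "$pj" "$hook"
        fi ;;
    esac
  done
}

# count_findings DIR: number of findings, for use in CI gates (0 when clean).
count_findings() {
  audit_tree "$1" | grep -c . || true
}

# Usage: AUDIT_DIR=/path/to/project bash audit.sh
if [ -n "${AUDIT_DIR:-}" ]; then
  audit_tree "$AUDIT_DIR"
fi
```

A SUSPECT_NAME hit is a file to inspect, not proof of compromise; a HASH_MATCH against the full advisory hash is. GIT_DEP is expected to be rare in an application that consumes registry packages, so any dependency of a dependency resolving to a GitHub commit deserves a look, and PREPARE_HOOK is deliberately restricted to node_modules because a prepare script in your own package.json is normal.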
