npm 生态遭大范围投毒：TanStack、Mistral AI、UiPath 等受波及，可窃取云密钥与 GitHub 令牌

5 月 12 日消息，网络安全检测机构 Socket 于当地时间 5 月 11 日发出警报，在开源工具库 TanStack 旗下约 84 个 NPM 软件包的恶意版本中发现疑似凭证窃取恶意代码。

受影响软件包覆盖 42 个 @tanstack/* 命名空间下的项目，其中 @tanstack / react-router 的周下载量超 1200 万次，此类工具包在 NPM 生态中被广泛直接或间接引用，使得本次供应链攻击具有极广的传播范围。

分析发现，被篡改的软件包中新增了一个约 2.3MB、经过高强度 JavaScript 混淆的文件 router_init.js，同时 package.json 中增加了一个指向 GitHub 特定提交的 optionalDependencies 依赖项。

该提交来自一个名为 voicproducoes 的 GitHub 账户，是一个无历史记录的单根提交，包含伪造的包 @tanstack / setup 及其 prepare 生命周期钩子，后者在被安装时会执行任意恶意代码。当开发者或 CI 系统执行包安装操作时，该钩子自动运行，从多个常用位置窃取密钥、令牌和凭据，包括 AWS IMDS 与 Secrets Manager、GCP 元数据、Kubernetes 服务账户令牌、Vault 令牌、~/.npmrc、GitHub 令牌以及 SSH 私钥。窃取的数据通过 Session / Oxen 加密文件上传网络外泄，攻击者同时植入持久化监控组件，能够在受害者机器上维持长期访问。

TanStack 在事后技术复盘中将攻击链归因于三种 GitHub Actions 漏洞的组合利用：攻击者利用 pull_request_target“Pwn Request”模式、跨 fork 缓存投毒以及从 GitHub Actions 运行器进程的内存中实时提取 OIDC 令牌。

在此过程中，NPM 凭证并未泄露，合法发布工作流也未遭攻破，恶意发布是通过项目的 OIDC 受信任发布者绑定进行身份验证后直接推送到 NPM 注册表完成的。

官方同时声明，受影响成员账户均启用了双重身份验证，但攻击者利用 Git 环境下孤儿提交方式绕过了现有的发布保护机制。所有恶意版本已被弃用，TanStack 已联系 NPM 安全团队从注册表中移除恶意压缩包，GitHub Actions 缓存条目也已清理。

本次攻击被安全机构归为正在蔓延的大规模“Mini Shai-Hulud”供应链攻击的一部分。此前该攻击曾针对 SAP 生态系统的 NPM 包，现已扩展为波及更广泛的 NPM 投毒活动。

据不完全统计，目前已受影响的软件包覆盖 @squawk、@tanstack、@uipath、@tallyui、@beproduct、@mistralai 等多个命名空间，共计超过 160 个包名、近 373 个恶意版本条目。

其中 @mistralai / mistralai（官方 TypeScript 客户端）和 @uipath / apollo-core 等企业级工具包亦被植入同类型窃取凭证的蠕虫，采用相同的下载 Bun 运行时并执行恶意载荷的传播机制。

软件包版本pypi
mistralai2.4.6pypi
mistralai2.4.6npm@opensearch-projectopensearch3.5.3npm@opensearch-projectopensearch3.8.0npm@opensearch-projectopensearch3.7.0pypi
guardrails-ai0.10.1pypi
guardrails-ai0.10.1npm@opensearch-projectopensearch3.6.2npm
cross-stitch1.1.7npm@squawkfix-data0.6.8npm@squawkweather0.5.10npm@squawkicao-registry-data0.8.8npm@squawkairport-data0.7.8npm@squawkflightplan0.5.6npm@squawkunits0.4.7npm@squawkflight-math0.5.8npm@squawkmcp0.9.5npm@squawkfixes0.3.6npm@squawkairspace-data0.5.7npm@squawkprocedure-data0.7.7npm@squawknavaids0.4.6npm@squawkprocedures0.5.6npm@squawknotams0.3.10npm@squawkairways0.4.6npm@squawkairports0.6.6npm
ts-dna3.0.5npm@squawktypes0.8.5npm@squawkicao-registry0.5.6npm@squawkairspace0.8.5npm@squawkgeo0.4.8npm@squawknavaid-data0.6.8npm@squawkairway-data0.5.8npm@mistralaimistralai2.2.4npm@squawkmcp0.9.4npm@squawktypes0.8.3npm@beproductnestjs-auth0.1.18npm@squawkairspace-data0.5.5npm
ts-dna3.0.4npm
git-git-git1.0.12npm@squawkairway-data0.5.7npm@squawkairports0.6.5npm
git-branch-selector1.3.7npm@tallyuipos0.1.3npm@tallyuiconnector-vendure1.0.3npm
cross-stitch1.1.5npm@supersurkhetcli0.0.7npm@squawkmcp0.9.3npm@squawkflightplan0.5.5npm@squawkfix-data0.6.7npm@squawkairspace-data0.5.6npm
git-branch-selector1.3.6npm@taskflow-corpcli0.1.29npm@squawkicao-registry-data0.8.6npm@squawkgeo0.4.7npm@squawkairport-data0.7.7npm@squawkweather0.5.8npm@squawkgeo0.4.6npm@squawkflight-math0.5.7npm@squawkicao-registry0.5.5npm@beproductnestjs-auth0.1.19npm
nextmove-mcp0.1.7npm@squawkairways0.4.4npm@tolkacli1.0.5npm@squawkairways0.4.5npm@squawkfixes0.3.5npm
cmux-agent-mcp0.1.8npm@tallyuiconnector-shopify1.0.3npm@squawkflight-math0.5.6npm@squawkicao-registry0.5.4npm@tallyuicomponents1.0.3npm@squawknavaids0.4.5npm
cross-stitch1.1.6npm@squawknotams0.3.9npm@squawknotams0.3.8npm@tallyuitheme0.2.3npm@squawknavaids0.4.4npm
wot-api0.8.3npm@squawkicao-registry-data0.8.7npm@tolkacli1.0.6npm@supersurkhetsdk0.0.7npm@squawkairspace0.8.3npm@squawkprocedure-data0.7.5npm@squawktypes0.8.4npm@squawkunits0.4.5npm@squawkairspace0.8.4npm@squawkprocedures0.5.4npm@squawkflightplan0.5.4npm@squawkfixes0.3.4npm@squawkprocedures0.5.5npm@tallyuistorage-sqlite0.2.3npm@tallyuiconnector-woocommerce1.0.3npm@squawkunits0.4.6npm@tallyuidatabase1.0.3npm@squawknavaid-data0.6.7npm@squawkairport-data0.7.6npm@squawkprocedure-data0.7.6npm@squawkairports0.6.4npm@tallyuiconnector-medusa1.0.3npm@squawkairway-data0.5.6npm
git-git-git1.0.11npm
nextmove-mcp0.1.6npm
wot-api0.8.4npm@squawkweather0.5.9npm
ts-dna3.0.3npm@squawknavaid-data0.6.6npm@squawkfix-data0.6.6npm@tallyuicore0.2.3npm@mistralaimistralai2.2.3npm@mistralaimistralai2.2.2npm@mistralaimistralai-azure1.7.3npm@mistralaimistralai-gcp1.7.3npm
git-git-git1.0.10npm
nextmove-mcp0.1.5npm@supersurkhetsdk0.0.6npm@taskflow-corpcli0.1.28npm
cmux-agent-mcp0.1.7npm@squawkmcp0.9.2npm
cross-stitch1.1.4npm@supersurkhetcli0.0.6npm@squawkairspace-data0.5.4npm@tallyuitheme0.2.2npm@squawktypes0.8.2npm@squawkgeo0.4.5npm@tallyuiconnector-medusa1.0.2npm@squawkairspace0.8.2npm@tallyuiconnector-woocommerce1.0.2npm@squawkairway-data0.5.5npm@tallyuipos0.1.2npm@tallyuicomponents1.0.2npm@squawkflight-math0.5.5npm@squawkfix-data0.6.5npm@squawkfixes0.3.3npm@tallyuiconnector-vendure1.0.2npm@squawkprocedures0.5.3npm@squawkweather0.5.7npm@squawkicao-registry0.5.3npm@tallyuidatabase1.0.2npm@squawkairways0.4.3npm@squawkairport-data0.7.5npm@squawkflightplan0.5.3npm@tallyuiconnector-shopify1.0.2npm@tallyuistorage-sqlite0.2.2npm
ts-dna3.0.2npm
wot-api0.8.2npm@squawkunits0.4.4npm@squawkprocedure-data0.7.4npm@squawknavaid-data0.6.5npm@squawknotams0.3.7npm@squawkicao-registry-data0.8.5npm@squawkairports0.6.3npm@squawknavaids0.4.3npm@beproductnestjs-auth0.1.17npm
git-branch-selector1.3.5npm@tolkacli1.0.4npm@mistralaimistralai-gcp1.7.1npm@mistralaimistralai-gcp1.7.2npm@mistralaimistralai-azure1.7.1npm@mistralaimistralai-azure1.7.2npm@tallyuicore0.2.2npm@mesadevsaguaro0.4.22npm@mesadevsdk0.28.3npm@mesadevrest0.28.3npm
cross-stitch1.1.3npm
ts-dna3.0.1npm@squawkmcp0.9.1npm
wot-api0.8.1npm@squawknotams0.3.6npm@squawkairways0.4.2npm@squawkflightplan0.5.2npm@squawkweather0.5.6npm@squawkflight-math0.5.4npm@squawkairway-data0.5.4npm@squawkprocedures0.5.2npm@squawkicao-registry-data0.8.4npm@squawkunits0.4.3npm@squawknavaids0.4.2npm@squawktypes0.8.1npm@squawkfix-data0.6.4npm@squawknavaid-data0.6.4npm@squawkicao-registry0.5.2npm@squawkfixes0.3.2npm@squawkgeo0.4.4npm@squawkprocedure-data0.7.3npm@squawkairspace-data0.5.3npm@squawkairports0.6.2npm@squawkairspace0.8.1npm@squawkairport-data0.7.4npm@tolkacli1.0.3npm
git-branch-selector1.3.4npm
nextmove-mcp0.1.4npm
git-git-git1.0.9npm@tallyuitheme0.2.1npm@tallyuipos0.1.1npm@tallyuiconnector-medusa1.0.1npm@tallyuicomponents1.0.1npm@tallyuiconnector-shopify1.0.1npm@tallyuicore0.2.1npm@tallyuidatabase1.0.1npm@tallyuiconnector-vendure1.0.1npm@tallyuistorage-sqlite0.2.1npm@tallyuiconnector-woocommerce1.0.1npm@uipathapollo-react4.24.5npm@uipathagent.sdk0.0.18npm@uipathapollo-core5.9.2npm@uipathapollo-wind2.16.2npm@uipathtool-workflowcompiler0.0.12npm@uipathfilesystem1.0.1npm@uipathrobot1.3.4npm@uipathtelemetry0.0.7npm@uipathintegrationservice-sdk1.0.2npm@uipathap-chat1.5.7npm@uipathwidget.sdk1.2.3npm@uipathagent-sdk1.0.2npm@uipathpackager-tool-apiworkflow0.0.19npm@uipathcase-tool1.0.1npm@uipathcodedagents-tool0.1.12npm@uipathapi-workflow-tool1.0.1npm@uipathcontext-grounding-tool0.1.1npm@uipathpackager-tool-workflowcompiler-browser0.0.34npm@uipathpackager-tool-workflowcompiler0.0.16npm@uipathaops-policy-tool0.3.1npm@uipathflow-tool1.0.2npm@uipathresourcecatalog-tool0.1.1npm@uipathvertical-solutions-tool1.0.1npm@uipathdata-fabric-tool1.0.2npm@uipathpackager-tool-case0.0.9npm@uipathcodedagent-tool1.0.1npm@uipathui-widgets-multi-file-upload1.0.1npm@uipathdocsai-tool1.0.1npm@uipathinsights-tool1.0.1npm@uipathsolutionpackager-sdk1.0.11npm@uipathauth1.0.1npm@uipathmaestro-tool1.0.1npm@uipathcli1.0.1npm@uipathllmgw-tool1.0.1npm@uipathresource-tool1.0.1npm@uipathpackager-tool-flow0.0.19npm@uipathcommon1.0.1npm@uipathgov-tool0.3.1npm@uipathtraces-tool1.0.1npm@uipathpackager-tool-bpmn0.0.9npm@uipathinsights-sdk1.0.1npm@uipathadmin-tool0.1.1npm@uipathpackager-tool-webapp1.0.6npm@uipathsolutionpackager-tool-core0.0.34npm@uipathvss0.1.6npm@uipathorchestrator-tool1.0.1npm@uipathsolution-packager0.0.35npm@uipathuipath-python-bridge1.0.1npm@uipathcodedapp-tool1.0.1npm@uipathproject-packager1.1.16npm@uipathintegrationservice-tool1.0.2npm@uipathpackager-tool-functions0.1.1npm@uipathtasks-tool1.0.1npm@uipathsolution-tool1.0.1npm@uipathpackager-tool-connector0.0.19npm@uipathmaestro-sdk1.0.1npm@uipathtest-manager-tool1.0.2npm@uipathagent-tool1.0.1npm@uipathfunctions-tool1.0.1npm@uipathidentity-tool0.1.1npm@uipathaccess-policy-tool0.3.1npm@uipathresources-tool0.1.11npm@uipathrpa-tool0.9.5npm@uipathrpa-legacy-tool1.0.1npm@uipathaccess-policy-sdk0.3.1npm@uipathplatform-tool1.0.1npm@beproductnestjs-auth0.1.16npm@beproductnestjs-auth0.1.15npm@dirigible-aisdk0.6.3npm@dirigible-aisdk0.6.2npm@beproductnestjs-auth0.1.13npm@beproductnestjs-auth0.1.14npm@beproductnestjs-auth0.1.8npm@beproductnestjs-auth0.1.6npm@beproductnestjs-auth0.1.9npm@beproductnestjs-auth0.1.2npm@beproductnestjs-auth0.1.5npm@beproductnestjs-auth0.1.11npm@beproductnestjs-auth0.1.4npm@beproductnestjs-auth0.1.3npm@beproductnestjs-auth0.1.7npm@beproductnestjs-auth0.1.10npm@beproductnestjs-auth0.1.12npm@ml-toolkit-tspreprocessing1.0.2npm@ml-toolkit-tspreprocessing1.0.3npm@ml-toolkit-tsxgboost1.0.3npm
ml-toolkit-ts1.0.5npm@ml-toolkit-tsxgboost1.0.4npm
ml-toolkit-ts1.0.4npm
agentwork-cli0.1.4npm
agentwork-cli0.1.5npm@taskflow-corpcli0.1.27npm
cmux-agent-mcp0.1.6npm@supersurkhetcli0.0.5npm@supersurkhetsdk0.0.5npm@taskflow-corpcli0.1.26npm@supersurkhetcli0.0.4npm
cmux-agent-mcp0.1.5npm@supersurkhetsdk0.0.4npm@draftlabauth0.24.2npm@draftlabauth0.24.1npm@draftauthcore0.13.1npm@draftauthcore0.13.2npm@draftauthclient0.2.2npm@draftauthclient0.2.1npm@draftlabdb0.16.2npm
safe-action0.8.4npm@draftlabauth-router0.5.1npm@draftlabauth-router0.5.2npm@draftlabdb0.16.1npm
safe-action0.8.3npm@taskflow-corpcli0.1.25npm
cmux-agent-mcp0.1.4npm@supersurkhetcli0.0.3npm@supersurkhetsdk0.0.3npm@taskflow-corpcli0.1.24npm@supersurkhetcli0.0.2npm
cmux-agent-mcp0.1.3npm@supersurkhetsdk0.0.2npm
git-git-git1.0.8npm@tolkacli1.0.2npm
git-branch-selector1.3.3npm
nextmove-mcp0.1.3npm@tanstackreact-router1.169.8npm@tanstacksolid-router1.169.8npm@tanstackrouter-core1.169.8npm@tanstackstart-plugin-core1.169.26npm@tanstackvue-router1.169.8npm@tanstackrouter-plugin1.167.41npm@tanstackvue-start-client1.166.49npm@tanstackreact-start-rsc0.0.50npm@tanstackstart-client-core1.168.8npm@tanstackeslint-plugin-start0.0.7npm@tanstackreact-start1.167.71npm@tanstackrouter-generator1.166.48npm@tanstackeslint-plugin-router1.161.12npm@tanstackrouter-devtools-core1.167.9npm@tanstackvue-start1.167.64npm@tanstackstart-server-core1.167.36npm@tanstacksolid-start-server1.166.57npm@tanstackstart-storage-context1.166.41npm@tanstacksolid-start-client1.166.53npm@tanstacksolid-start1.167.68npm@tanstackrouter-ssr-query-core1.168.6npm@tanstackvirtual-file-routes1.161.13npm@tanstackreact-router-ssr-query1.166.18npm@tanstacknitro-v2-vite-plugin1.154.15npm@tanstackvue-start-server1.166.53npm@tanstacksolid-router-ssr-query1.166.18npm@tanstackreact-start-server1.166.58npm@tanstackreact-start-client1.166.54npm@tanstackstart-fn-stubs1.161.12npm@tanstackrouter-utils1.161.14npm@tanstackreact-router-devtools1.166.19npm@tanstacksolid-router-devtools1.166.19npm@tanstackhistory1.161.12npm@tanstackrouter-cli1.166.49npm@tanstackarktype-adapter1.166.15npm@tanstackvue-router-devtools1.166.19npm@tanstackzod-adapter1.166.15npm@tanstackvue-router-ssr-query1.166.18npm@tanstackstart-static-server-functions1.166.47npm@tanstackrouter-vite-plugin1.166.56npm@tanstackvalibot-adapter1.166.15npm@tanstackrouter-devtools1.166.19npm@tanstacksolid-router1.169.5npm@tanstackstart-plugin-core1.169.23npm@tanstackrouter-core1.169.5npm@tanstackvue-router1.169.5npm@tanstackreact-router1.169.5npm@tanstackrouter-plugin1.167.38npm@tanstackeslint-plugin-start0.0.4npm@tanstackeslint-plugin-router1.161.9npm@tanstackreact-start-rsc0.0.47npm@tanstackreact-start1.167.68npm@tanstackrouter-generator1.166.45npm@tanstackstart-client-core1.168.5npm@tanstackrouter-devtools-core1.167.6npm@tanstackrouter-utils1.161.11npm@tanstackvue-router-ssr-query1.166.15npm@tanstackarktype-adapter1.166.12npm@tanstackstart-server-core1.167.33npm@tanstacksolid-start1.167.65npm@tanstackreact-router-devtools1.166.16npm@tanstacksolid-router-devtools1.166.16npm@tanstackrouter-cli1.166.46npm@tanstacksolid-start-server1.166.54npm@tanstackvue-router-devtools1.166.16npm@tanstackvirtual-file-routes1.161.10npm@tanstackrouter-ssr-query-core1.168.3npm@tanstackrouter-vite-plugin1.166.53npm@tanstacknitro-v2-vite-plugin1.154.12npm@tanstackstart-fn-stubs1.161.9npm@tanstackhistory1.161.9npm@tanstackreact-router-ssr-query1.166.15npm@tanstackzod-adapter1.166.12npm@tanstackvalibot-adapter1.166.12npm@tanstacksolid-router-ssr-query1.166.15npm@tanstackreact-start-client1.166.51npm@tanstackrouter-devtools1.166.16npm@tanstackreact-start-server1.166.55npm@tanstacksolid-start-client1.166.50npm@tanstackvue-start1.167.61npm@tanstackstart-storage-context1.166.38npm@tanstackstart-static-server-functions1.166.44npm@tanstackvue-start-client1.166.46npm@tanstackvue-start-server1.166.50composerintercomintercom-php5.0.2npm
intercom-client7.0.4pypi
lightning2.6.3pypi
lightning2.6.2npm@cap-jsdb-service2.10.1npm@cap-jspostgres2.2.2npm@cap-jssqlite2.2.2npm
mbt1.2.48

对于开发者和运维团队，官方与安全机构给出了多项立即执行的应急措施：

• 对受影响的安装主机，应立即按优先级轮换 NPM 令牌、GitHub 个人访问令牌、云服务密钥（注：AWS / GCP / Azure）、Kubernetes 服务账户令牌以及 SSH 私钥；

• 审查开发者和项目根目录下的.claude/ 与.vscode/ 文件夹，移除 router_runtime.js 等陌生条目；

• 使用 git log --all --author=claude@users.noreply.github.com 审核仓库是否存在未授权的提交；

• 限制 GitHub Actions 中 OIDC 令牌的作用域，对所有不需要 OIDC 发布的工作流设置 permissions: id-token:none；

此外，开发者不应单纯信任 Sigstore 来源证明作为安全信号，因为攻击者在具备 GitHub Actions 执行能力后，同样能够生成有效的 Sigstore 证明用于恶意包。

安全团队通过 SHA-256 校验命令 shasum -a 256 在所有依赖树中搜索标识为 ab4fcada…… 的 router_init.js 文件，亦可用于确认是否引入恶意版本。