When a Supply-Chain Attack on npm Becomes a War of Attrition: TanStack, GitHub, and Grafana
The TanStack npm supply-chain attack, delivered via the Shai-Hulud malware campaign by the threat group TeamPCP, is the kind of cascading failure that exposes how brittle the entire developer toolchain has become. What started as compromised npm packages in early May 2026 snowballed into the compromise of 3,800 GitHub internal repositories and a breach of Grafana's own codebase — two of the most consequential security incidents to hit major infrastructure providers in months.
The attack chain is methodical and well-documented. On May 19, Nx developers revealed they were investigating a malicious version of Nx Console 18.95.0 — the official VS Code extension for managing monorepos and multi-project codebases — that had been live on the Visual Studio Marketplace for approximately 18 hours. The extension carried an embedded credential-stealing module designed to harvest secrets from developer environments. But this wasn't an isolated incident; the Nx Console compromise was itself a downstream effect of TeamPCP's earlier compromise of dozens of TanStack and Mistral AI npm packages, which included malicious credential-stealing payloads.
The GitHub breach was direct: an employee installed the compromised Nx Console extension on their development machine, which executed the credential-stealing code inside their environment. This gave TeamPCP access to GitHub's internal systems. GitHub CISO Alexis Wales responded by rotating critical secrets on Monday into Tuesday, prioritizing the highest-impact credentials first. GitHub stated there was no evidence that customer data stored outside the affected repositories had been stolen, and the compromised device had been secured. However, TeamPCP claimed on the Breached forum that they had accessed approximately 4,000 private repositories and were demanding at least $50,000 in ransom.
Grafana's story is, if anything, more instructive. Their CI/CD workflow consumed one of the same compromised TanStack npm packages. The info-stealer module executed within Grafana's GitHub Actions environment, exfiltrating GitHub workflow tokens to TeamPCP. Grafana detected the malicious activity on May 1 and deployed their incident response plan, including rotating GitHub workflow tokens. Here's the critical detail: they rotated a significant number of tokens but missed one. That single unrotated token gave the attackers access to Grafana's private GitHub repositories. Grafana's official update read like a cautionary tale:

"We performed analysis and quickly rotated a significant number of GitHub workflow tokens, but a missed token led to the attackers gaining access to our GitHub repositories." — Grafana
What was stolen from Grafana? Source code, operational information, and business contact names and emails. Grafana stressed that no customer production data was compromised and that their codebase was not modified — downloaded code remains safe. They confirmed they would not pay the ransom. But the fact that a single missed token rotation could undo hours of incident response work is a stark reminder: token rotation is not a silver bullet.
But the damage didn't stop there. TeamPCP used the stolen CI/CD credentials to pivot further, hitting UiPath, Guardrails AI, and OpenSearch.
So what does this tell us about the state of software supply-chain security? First, the developer toolchain — npm → CI/CD → IDE extensions → internal repositories — is a single, highly interdependent attack surface. Compromising a handful of popular packages cascaded into infrastructure breaches across multiple major organizations. There was no "line in the sand" where the attack stopped.
Second, incident response is only as strong as its weakest process. Grafana's rapid token rotation was impressive, but a single missed token negated the entire effort. Automated rotation with verification and confirmation is not just a best practice — it's the only thing that works when human error is in the loop. The fact that Grafana caught this and was transparent about it is commendable, but the underlying lesson is that reliance on manual token auditing during a crisis is a design flaw.
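One way to make rotation fail closed, as an added example that is not Grafana's tooling or part of the original post: every credential readable from an affected workflow counts as compromised until there is evidence that it was reissued after the incident began and that the old value no longer authenticates. The inventory, names, timestamps and probe results are constructed; in practice `old_rejected` would be filled in by an authentication probe against the issuing service.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Credential:
    name: str                              # inventory entry (constructed name)
    exposed_to: str                        # workflow that could read the secret
    rotated_at: Optional[datetime] = None  # when a replacement was issued
    old_rejected: Optional[bool] = None    # probe result: old value now fails auth?

def rotation_gaps(inventory, incident_start, affected_scopes):
    """Map each in-scope credential lacking proof of rotation to the reason."""
    gaps = {}
    for cred in inventory:
        if cred.exposed_to not in affected_scopes:
            continue                       # not reachable from a compromised job
        if cred.rotated_at is None:
            gaps[cred.name] = "never rotated"
        elif cred.rotated_at <= incident_start:
            gaps[cred.name] = "last rotation predates the incident"
        elif cred.old_rejected is None:
            gaps[cred.name] = "old value never probed"
        elif not cred.old_rejected:
            gaps[cred.name] = "old value still authenticates"
    return gaps

def rotation_complete(inventory, incident_start, affected_scopes):
    """Fail closed: done only when no in-scope credential has a gap."""
    return not rotation_gaps(inventory, incident_start, affected_scopes)

# Constructed sample data, not taken from any real incident.
def ts(day, hour):
    return datetime(2030, 1, day, hour, tzinfo=timezone.utc)

INCIDENT_START = ts(10, 9)
AFFECTED = {"build-workflow", "release-workflow"}
INVENTORY = [
    Credential("ci-publish-token", "build-workflow", ts(10, 11), True),
    Credential("docs-deploy-token", "build-workflow"),
    Credential("release-bot-token", "release-workflow", ts(10, 12), False),
    Credential("nightly-token", "build-workflow", ts(3, 8), True),
    Credential("mirror-sync-token", "build-workflow", ts(10, 13)),
    Credential("billing-api-key", "unrelated-service"),
]

if __name__ == "__main__":
    for name, reason in rotation_gaps(INVENTORY, INCIDENT_START, AFFECTED).items():
        print(f"NOT DONE  {name}: {reason}")
    print("complete:", rotation_complete(INVENTORY, INCIDENT_START, AFFECTED))
```

The check is only as good as the inventory behind it: a credential that was never listed cannot show up as a gap, so the inventory should be generated from the secret stores and workflow definitions rather than typed from memory.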
Third, the npm ecosystem remains a fragile trust model. Dozens of packages across multiple organizations were hit using the same initial foothold. Open-source projects are critical infrastructure, and when popular libraries like TanStack are compromised, the blast radius is measured in thousands of downstream projects and organizations. The trust model that says "if it's on npm, it's probably fine" is simply no longer viable.
TeamPCP has been persistent across platforms — they've previously attacked PyPI, npm, GitHub, and Docker. The Shai-Hulud campaign demonstrates methodical supply-chain infiltration across multiple ecosystems. If this is what one group with no apparent state backing can achieve, the threat landscape is far worse than most organizations realize. The question isn't whether the next supply-chain attack will happen — it's which organization will be next on the list.