

Ethical Hacking News

TanStack Weighs Nuclear Option on Unsolicited Contributions Following Supply Chain Attack



TanStack, a prominent open-source project, has been targeted by a supply chain attack that exploited vulnerabilities in its GitHub Actions pipeline. In response to the attack, TanStack has implemented several security measures to strengthen its defenses. However, the incident raises important questions about the need for innovative solutions to mitigate the risks associated with supply chain attacks and the responsibility of platform providers like GitHub.

  • TanStack's GitHub Actions pipeline was exploited by a supply chain attack using Shai-Hulud worm code.
  • The attack poisoned a shared cache used across the repository, highlighting the need for improved security measures.
  • TanStack has taken several security measures to strengthen its defenses, including removing pull_request_target and disabling caches.
  • The project is considering closing external contributor access to open pull requests to mitigate risk.
  • The incident underscores the growing importance of supply chain security in open-source projects.
  • GitHub's own security measures, particularly regarding cache scoping, are being questioned.


    TanStack, a popular open-source project, has found itself at the center of a controversy following a recent supply chain attack that exploited vulnerabilities in its GitHub Actions pipeline. The attack, which utilized code from the Shai-Hulud worm published by malware outfit TeamPCP, successfully poisoned a shared cache used across the entire repository, highlighting the need for improved security measures.

    The attack began with an invitation-only pull request (PR) triggered by TanStack's use of the pull_request_target feature in its continuous integration (CI) pipeline. The malicious code was built and run by a GitHub Action, resulting in the poisoning of a cache used across the repository. This compromised cache potentially led to sensitive information being extracted from memory.

    In response to this attack, TanStack has taken several security measures to strengthen its defenses. Firstly, the team has removed all use of pull_request_target from its CI pipeline. Additionally, it has disabled caches used by pnpm (a Node.js package manager) and GitHub Actions. Furthermore, TanStack has pinned actions to commit SHA hashes rather than retargetable tags, which helps mitigate potential misconfigurations.

    Moreover, the project now utilizes a feature of pnpm 11 called minimumReleaseAge, which requires dependencies to have been published for a set period before they can be installed. This measure aims to detect and remove compromised packages before they cause damage.
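The workflow-level fixes above (dropping pull_request_target, pinning actions to commit SHAs, disabling caches on PR-triggered runs) can be checked mechanically. The audit script below is an added example, not TanStack's own tooling; it is a line-based heuristic over workflow text, and both sample workflows and the 40-hex SHAs in them are constructed placeholders.

```python
import re
# Line-based audit of a GitHub Actions workflow for the weaknesses the article lists:
# pull_request_target, actions pinned to retargetable tags, and caches written by PR runs.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
CACHE_RE = re.compile(r"^\s*cache:\s*(npm|pnpm|yarn)\b")  # actions/setup-node's built-in cache

def audit_workflow(text: str) -> list[str]:
    """Return one finding per offending line; an empty list means clean."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing YAML comments
        if re.search(r"\bpull_request_target\b", code):
            findings.append(f"line {n}: pull_request_target runs fork PRs with base-repo permissions")
        m = USES_RE.match(code)
        if m and not m.group(1).startswith(("./", "docker://")):  # local/container refs have no tag
            action, _, ref = m.group(1).partition("@")
            if not SHA_RE.match(ref):
                findings.append(f"line {n}: {action} pinned to mutable ref '{ref}' instead of a commit SHA")
            if action.startswith("actions/cache"):
                findings.append(f"line {n}: {action} writes a cache shared with other branches")
        elif CACHE_RE.match(code):
            findings.append(f"line {n}: dependency cache enabled; disable it on PR-triggered workflows")
    return findings

# Constructed sample in the pre-incident shape the article describes.
BEFORE = """\
on:
  pull_request_target:
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install && pnpm test
"""

# Constructed hardened sample; the SHAs are placeholders, not real commits.
AFTER = """\
on:
  pull_request:
jobs:
  test:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/setup-node@fedcba9876543210fedcba9876543210fedcba98  # v4
      - run: pnpm install && pnpm test
"""
```

Running `audit_workflow(BEFORE)` reports the trigger, the three unpinned actions and the cache; `audit_workflow(AFTER)` returns an empty list.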

    However, TanStack is weighing another drastic option: closing the ability for external contributors to open pull requests at all. While this move would undoubtedly hurt some projects by deterring contributions, the team believes that it could mitigate the risk of malicious PRs causing damage. "We are absolutely not going closed source," they stated, indicating a willingness to explore innovative solutions while ensuring project security.

    The TanStack incident underscores the growing importance of supply chain security in open-source projects. As more organizations rely on third-party libraries and dependencies for their software development needs, the risk of attacks like this one becomes increasingly relevant. The Shai-Hulud worm, which was initially published by TeamPCP, has been identified as a significant threat to GitHub Actions users.

    Moreover, the incident raises questions about GitHub's own security measures, particularly regarding cache scoping in its Actions pipeline. TanStack pointed out that "Cache scoping in GitHub Actions shouldn't silently bridge fork PRs and base-repo branches," highlighting a glaring oversight.

    The debate surrounding TanStack's proposal to restrict external pull requests will undoubtedly be watched closely by maintainers of other open-source projects, who are grappling with the challenges of maintaining their own security measures in light of this attack. Supply chain security is a pressing concern that can have far-reaching consequences for organizations and developers alike.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/TanStack-Weighs-Nuclear-Option-on-Unsolicited-Contributions-Following-Supply-Chain-Attack-ehn.shtml

  • https://www.theregister.com/security/2026/05/18/tanstack-weighs-invitation-only-pull-requests-after-supply-chain-attack/5241899


  • Published: Mon May 18 09:24:54 2026 by llama3.2 3B Q4_K_M