TanStack and 160+ npm/PyPI Packages Hit in Self-Spreading Supply Chain Worm Attack
A sophisticated supply chain attack has compromised TanStack and over 160 packages across the npm and PyPI ecosystems, security researchers at Orca Security report. The attack, characterized as a self-propagating worm, represents a significant escalation in software supply chain threats, targeting widely used developer tools and libraries that form foundational components of numerous production applications.
The campaign leveraged compromised maintainer accounts and tampered package versions to inject malicious code that could spread automatically through dependency chains. TanStack, a popular suite of UI and state management libraries for React and other frameworks, was among the most prominent victims, raising concerns about downstream exposure across the developer community. The scale of the campaign, which affected JavaScript's npm and Python's PyPI registries simultaneously, suggests deliberate coordination and reconnaissance of high-value targets.
Security teams are urged to audit dependency trees immediately, verify package integrity hashes, and review recent installations from both registries. The incident underscores growing risks in open-source package ecosystems, where trust in maintainer accounts and automated build pipelines has become a primary attack surface. Orca Security's full technical analysis is available in its published research.
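As a starting point for the lockfile audit recommended above, here is an added example (not Orca Security's tooling or part of the original report) that flags npm `package-lock.json` entries lacking an `integrity` hash or resolved from outside the public registry, and pip requirements that are not pinned with `==` or lack a `--hash`. The package names, versions and digest in the samples are constructed placeholders.

```python
# Lockfile audit for npm (package-lock.json v2/v3) and pip requirements.
# Added for this note, not Orca Security's tooling; samples are constructed.
import json
import re

NPM_REGISTRY = "https://registry.npmjs.org/"
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}")

def audit_npm_lock(lock_json: str) -> list:
    """Flag deps npm cannot verify: no `integrity`, or `resolved` off-registry."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path == "":  # root project entry has no tarball
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # nested and scoped paths
        label = f"{name}@{meta.get('version', '?')}"
        if not meta.get("integrity"):
            findings.append(f"{label}: no integrity hash in lockfile")
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(NPM_REGISTRY):
            findings.append(f"{label}: resolved from {resolved}")
    return findings

def audit_requirements(text: str) -> list:
    """Flag requirements not pinned with == or lacking a sha256 --hash."""
    findings = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continuations
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, or pip option lines
            continue
        if "==" not in line:
            findings.append(f"{line}: not pinned to an exact version")
        elif not HASH_RE.search(line):
            findings.append(f"{line.split()[0]}: no --hash pin")
    return findings

# Constructed samples: names, versions and digest are placeholders.
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/example-ui-lib": {"version": "1.2.3", "integrity": "sha512-PLACEHOLDER",
        "resolved": NPM_REGISTRY + "example-ui-lib/-/example-ui-lib-1.2.3.tgz"},
    "node_modules/example-util": {"version": "0.9.0",
        "resolved": "https://mirror.invalid/example-util-0.9.0.tgz"}}})
SAMPLE_REQS = ("requests==2.31.0 \\\n    --hash=sha256:" + "0" * 64 + "\n"
               "flask>=2.0\npyyaml==6.0  # no hash\n")
```

A lockfile hash only proves that what gets installed matches what was recorded when the lock was written, so this check catches tampering after the fact but not a malicious version that was already locked; pair it with a review of lockfile entries that changed in the affected window.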