TanStack Supply-Chain Attack DNS Indicators
Detects DNS queries to attacker-controlled infrastructure used by the Mini Shai-Hulud campaign targeting TanStack npm packages along with other packages such as mistralai, uipath and so on. The domain git-tanstack.com (registered May 9, 2026) hosted secondary payloads including transformers.pyz. The filev2.getsession.org endpoint was used for credential exfiltration via the Session protocol.
Sigma rule (View on GitHub)
1title: TanStack Supply-Chain Attack DNS Indicators
2id: ac5a4e3f-7f9d-6abc-d8ea-3b4c5f6a7b8c
3status: experimental
4description: |
5 Detects DNS queries to attacker-controlled infrastructure used by the Mini Shai-Hulud campaign targeting TanStack npm packages along with other packages such as mistralai, uipath and so on.
6 The domain git-tanstack.com (registered May 9, 2026) hosted secondary payloads including transformers.pyz.
7 The filev2.getsession.org endpoint was used for credential exfiltration via the Session protocol.
8references:
9 - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
10 - https://socket.dev/supply-chain-attacks/mini-shai-hulud
11 - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
12author: Leonardo Gasparini
13date: 2026-05-12
14tags:
15 - attack.command-and-control
16 - attack.t1071.001
17 - attack.exfiltration
18 - attack.t1048
19 - detection.emerging-threats
20logsource:
21 category: dns_query
22 product: windows
23detection:
24 selection_attacker_apex:
25 QueryName: 'git-tanstack.com'
26 selection_session_exfil:
27 QueryName: 'filev2.getsession.org'
28 condition: 1 of selection_*
29falsepositives:
30 - Unknown
31level: medium
References
Related rules
- APT40 Dropbox Tool User Agent
- ComRAT Network Communication
- Axios NPM Compromise Malicious C2 Domain DNS Query
- Equation Group C2 Communication
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution