TanStack Supply-Chain Attack DNS Indicators

Detects DNS queries to attacker-controlled infrastructure used by the Mini Shai-Hulud campaign targeting TanStack npm packages along with other packages such as mistralai, uipath and so on. The domain git-tanstack.com (registered May 9, 2026) hosted secondary payloads including transformers.pyz. The filev2.getsession.org endpoint was used for credential exfiltration via the Session protocol.

Sigma rule (View on GitHub)

 1title: TanStack Supply-Chain Attack DNS Indicators
 2id: ac5a4e3f-7f9d-6abc-d8ea-3b4c5f6a7b8c
 3status: experimental
 4description: |
 5    Detects DNS queries to attacker-controlled infrastructure used by the Mini Shai-Hulud campaign targeting TanStack npm packages along with other packages such as mistralai, uipath and so on.
 6    The domain git-tanstack.com (registered May 9, 2026) hosted secondary payloads including transformers.pyz.
 7    The filev2.getsession.org endpoint was used for credential exfiltration via the Session protocol.    
 8references:
 9    - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
10    - https://socket.dev/supply-chain-attacks/mini-shai-hulud
11    - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
12author: Leonardo Gasparini
13date: 2026-05-12
14tags:
15    - attack.command-and-control
16    - attack.t1071.001
17    - attack.exfiltration
18    - attack.t1048
19    - detection.emerging-threats
20logsource:
21    category: dns_query
22    product: windows
23detection:
24    selection_attacker_apex:
25        QueryName: 'git-tanstack.com'
26    selection_session_exfil:
27        QueryName: 'filev2.getsession.org'
28    condition: 1 of selection_*
29falsepositives:
30    - Unknown
31level: medium

References

Related rules

to-top