TanStack Supply-Chain Attack File Creation Indicators - Linux

Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.

Sigma rule (View on GitHub)

 1title: TanStack Supply-Chain Attack File Creation Indicators - Linux
 2id: 2b5e4d3f-7c9a-4fab-a8d1-3e6f5a7b8c9d
 3status: experimental
 4description: Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.
 5references:
 6    - https://www.netskope.com/blog/shai-hulud-style-npm-worm-hits-tanstack
 7    - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
 8    - https://socket.dev/supply-chain-attacks/mini-shai-hulud
 9    - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
10author: Leonardo Gasparini
11date: 2026-05-12
12tags:
13    - attack.initial-access
14    - attack.t1195.002
15    - attack.execution
16    - attack.t1059.007
17    - attack.persistence
18    - attack.privilege-escalation
19    - attack.t1547.004
20    - detection.emerging-threats
21logsource:
22    category: file_event
23    product: linux
24detection:
25    selection_malware_files:
26        TargetFilename|endswith:
27            - '/router_init.js'
28            - '/tanstack_runner.js'
29    selection_persistence_claude_vscode:
30        TargetFilename|endswith:
31            - '/.claude/router_runtime.js'
32            - '/.vscode/router_runtime.js'
33    selection_pypi_payload:
34        TargetFilename: '/tmp/transformers.pyz'
35    condition: 1 of selection_*
36falsepositives:
37    - Unknown
38level: medium

References

Related rules

to-top