TanStack Supply-Chain Attack File Creation Indicators - Linux
Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.
Sigma rule (View on GitHub)
1title: TanStack Supply-Chain Attack File Creation Indicators - Linux
2id: 2b5e4d3f-7c9a-4fab-a8d1-3e6f5a7b8c9d
3status: experimental
4description: Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.
5references:
6 - https://www.netskope.com/blog/shai-hulud-style-npm-worm-hits-tanstack
7 - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
8 - https://socket.dev/supply-chain-attacks/mini-shai-hulud
9 - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
10author: Leonardo Gasparini
11date: 2026-05-12
12tags:
13 - attack.initial-access
14 - attack.t1195.002
15 - attack.execution
16 - attack.t1059.007
17 - attack.persistence
18 - attack.privilege-escalation
19 - attack.t1547.004
20 - detection.emerging-threats
21logsource:
22 category: file_event
23 product: linux
24detection:
25 selection_malware_files:
26 TargetFilename|endswith:
27 - '/router_init.js'
28 - '/tanstack_runner.js'
29 selection_persistence_claude_vscode:
30 TargetFilename|endswith:
31 - '/.claude/router_runtime.js'
32 - '/.vscode/router_runtime.js'
33 selection_pypi_payload:
34 TargetFilename: '/tmp/transformers.pyz'
35 condition: 1 of selection_*
36falsepositives:
37 - Unknown
38level: medium
References
Related rules
- TanStack Supply-Chain Attack File Creation Indicators - Windows
- LiteLLM / TeamPCP Supply Chain Attack Indicators
- TeamPCP LiteLLM Supply Chain Attack Persistence Indicators
- APT27 - Emissary Panda Activity
- AWS IAM S3Browser LoginProfile Creation