TanStack Supply-Chain Attack File Creation Indicators - Windows
Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath, etc reported on early May 2026.
Sigma rule (View on GitHub)
1title: TanStack Supply-Chain Attack File Creation Indicators - Windows
2id: 8a3f2c1e-5d7b-4e9a-b6c8-1f2a3d4e5f6a
3status: experimental
4description: Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath, etc reported on early May 2026.
5references:
6 - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
7 - https://socket.dev/supply-chain-attacks/mini-shai-hulud
8 - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
9author: Leonardo Gasparini
10date: 2026-05-12
11tags:
12 - attack.initial-access
13 - attack.t1195.002
14 - attack.execution
15 - attack.t1059.007
16 - attack.persistence
17 - attack.t1554
18 - detection.emerging-threats
19logsource:
20 category: file_event
21 product: windows
22detection:
23 selection_malware_files:
24 TargetFilename|endswith:
25 - '\router_init.js'
26 - '\tanstack_runner.js'
27 selection_persistence_claude_vscode:
28 TargetFilename|endswith:
29 - '\.claude\router_runtime.js'
30 - '\.vscode\router_runtime.js'
31 condition: 1 of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
Related rules
- TanStack Supply-Chain Attack File Creation Indicators - Linux
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - Windows
- Axios NPM Compromise Indicators - macOS
- LiteLLM / TeamPCP Supply Chain Attack Indicators