TanStack Supply-Chain Attack File Creation Indicators - Windows

Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath, etc reported on early May 2026.

Sigma rule (View on GitHub)

 1title: TanStack Supply-Chain Attack File Creation Indicators - Windows
 2id: 8a3f2c1e-5d7b-4e9a-b6c8-1f2a3d4e5f6a
 3status: experimental
 4description: Detects file creation indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath, etc reported on early May 2026.
 5references:
 6    - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
 7    - https://socket.dev/supply-chain-attacks/mini-shai-hulud
 8    - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
 9author: Leonardo Gasparini
10date: 2026-05-12
11tags:
12    - attack.initial-access
13    - attack.t1195.002
14    - attack.execution
15    - attack.t1059.007
16    - attack.persistence
17    - attack.t1554
18    - detection.emerging-threats
19logsource:
20    category: file_event
21    product: windows
22detection:
23    selection_malware_files:
24        TargetFilename|endswith:
25            - '\router_init.js'
26            - '\tanstack_runner.js'
27    selection_persistence_claude_vscode:
28        TargetFilename|endswith:
29            - '\.claude\router_runtime.js'
30            - '\.vscode\router_runtime.js'
31    condition: 1 of selection_*
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top