TanStack Supply-Chain Attack Execution Indicators - Linux
Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026. The preinstall hook runs setup.mjs, which downloads a platform-specific Bun runtime.
Sigma rule (View on GitHub)
1title: TanStack Supply-Chain Attack Execution Indicators - Linux
2id: 3c6f5e4a-8d0b-6abc-d9e2-4f7a6b8c9d0e
3status: experimental
4description: |
5 Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.
6 The preinstall hook runs setup.mjs, which downloads a platform-specific Bun runtime.
7references:
8 - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
9 - https://socket.dev/supply-chain-attacks/mini-shai-hulud
10 - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
11author: Leonardo Gasparini
12date: 2026-05-12
13tags:
14 - attack.execution
15 - attack.t1059.007
16 - attack.t1059.006
17 - attack.t1204.002
18 - detection.emerging-threats
19logsource:
20 category: process_creation
21 product: linux
22detection:
23 selection_bun_runner:
24 Image|endswith: '/bun'
25 CommandLine|contains|all:
26 - 'bun'
27 - 'run'
28 - 'tanstack_runner.js'
29 selection_pypi_payload:
30 # observed on guardrails-ai@0.10.1 compromise
31 Image|contains: '/python3'
32 CommandLine|contains: '/tmp/transformers.pyz'
33 condition: 1 of selection_*
34falsepositives:
35 - Unlikely
36level: high
References
Related rules
- TanStack Supply-Chain Attack Execution Indicators - Windows
- AppLocker Application Would Have Been Blocked
- AppLocker Prevented Application or Script from Running
- TanStack Supply-Chain Attack File Creation Indicators - Linux
- TanStack Supply-Chain Attack File Creation Indicators - Windows