TanStack Supply-Chain Attack Execution Indicators - Linux

Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026. The preinstall hook runs setup.mjs, which downloads a platform-specific Bun runtime.

Sigma rule (View on GitHub)

 1title: TanStack Supply-Chain Attack Execution Indicators - Linux
 2id: 3c6f5e4a-8d0b-6abc-d9e2-4f7a6b8c9d0e
 3status: experimental
 4description: |
 5    Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai and uipath reported on early May 2026.
 6    The preinstall hook runs setup.mjs, which downloads a platform-specific Bun runtime.    
 7references:
 8    - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
 9    - https://socket.dev/supply-chain-attacks/mini-shai-hulud
10    - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
11author: Leonardo Gasparini
12date: 2026-05-12
13tags:
14    - attack.execution
15    - attack.t1059.007
16    - attack.t1059.006
17    - attack.t1204.002
18    - detection.emerging-threats
19logsource:
20    category: process_creation
21    product: linux
22detection:
23    selection_bun_runner:
24        Image|endswith: '/bun'
25        CommandLine|contains|all:
26            - 'bun'
27            - 'run'
28            - 'tanstack_runner.js'
29    selection_pypi_payload:
30        # observed on guardrails-ai@0.10.1 compromise
31        Image|contains: '/python3'
32        CommandLine|contains: '/tmp/transformers.pyz'
33    condition: 1 of selection_*
34falsepositives:
35    - Unlikely
36level: high

References

Related rules

to-top