TanStack Supply-Chain Attack Execution Indicators - Windows
Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath reported on early May 2026.
Sigma rule (View on GitHub)
1title: TanStack Supply-Chain Attack Execution Indicators - Windows
2id: 9b4f3d2e-6e8c-5fab-c7d9-2a3b4e5f6a7b
3status: experimental
4description: Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath reported on early May 2026.
5references:
6 - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
7 - https://socket.dev/supply-chain-attacks/mini-shai-hulud
8 - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
9author: Leonardo Gasparini
10date: 2026-05-12
11tags:
12 - attack.execution
13 - attack.t1059.007
14 - attack.t1204.002
15 - detection.emerging-threats
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\bun.exe'
22 CommandLine|contains|all:
23 - 'run'
24 - 'tanstack_runner.js'
25 condition: selection
26falsepositives:
27 - Unlikely
28level: high
References
Related rules
- TanStack Supply-Chain Attack Execution Indicators - Linux
- TanStack Supply-Chain Attack File Creation Indicators - Linux
- TanStack Supply-Chain Attack File Creation Indicators - Windows
- AppLocker Application Would Have Been Blocked
- Kapeka Backdoor Loaded Via Rundll32.EXE