TanStack Supply-Chain Attack Execution Indicators - Windows

Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath reported on early May 2026.

Sigma rule (View on GitHub)

 1title: TanStack Supply-Chain Attack Execution Indicators - Windows
 2id: 9b4f3d2e-6e8c-5fab-c7d9-2a3b4e5f6a7b
 3status: experimental
 4description: Detects process execution indicators associated with the Mini Shai-Hulud supply-chain campaign targeting TanStack npm packages and others such as mistralai, uipath reported on early May 2026.
 5references:
 6    - https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
 7    - https://socket.dev/supply-chain-attacks/mini-shai-hulud
 8    - https://safedep.io/mass-npm-supply-chain-attack-tanstack-mistral/
 9author: Leonardo Gasparini
10date: 2026-05-12
11tags:
12    - attack.execution
13    - attack.t1059.007
14    - attack.t1204.002
15    - detection.emerging-threats
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\bun.exe'
22        CommandLine|contains|all:
23            - 'run'
24            - 'tanstack_runner.js'
25    condition: selection
26falsepositives:
27    - Unlikely
28level: high

References

Related rules

to-top