The xz/xz-utils Supply Chain Attack: How a Single PR Hijacked NPM

TechA single PR just hijacked the NPM registry...

Key Takeaways

1An attacker exploited GitHub Actions' pull_request_target trigger to execute malicious code in Tanstack's CI environment with full repository permissions, despite the PR being from a fork
2The malware extracted npm publish tokens from the CI cache and compromised 84 Tanstack packages, then spread to 169+ packages across npm and PyPI by stealing tokens from infected maintainers
3Infected machines received a 'dead man switch' that would nuke the root directory if a stolen GitHub token expired, and the worm persisted by embedding itself in VS Code and Claude Code
4pnpm 1+ includes three protective features by default: minimum release age (24-hour delay), block exotic subdependencies (registry-only enforcement), and approved builds (script whitelisting)
5The attack avoided detection by forging commits with the Claude Code GitHub app signature, making malicious activity appear as legitimate AI-generated code

Chapters

1. The Attack Setup

An attacker forked the Tanstack repository, created a pull request that was immediately closed, triggering the GitHub Actions publishing workflow. The workflow was configured with pull_request_target, allowing the fork's code to execute with the main repository's permissions.

2. Token Theft and Initial Compromise

The attacker wrote a poisoned file to the shared CI cache. When an unrelated PR merged hours later, the poisoned file extracted the npm publish token and compromised 84 new Tanstack packages in minutes.

3. Worm Propagation Across Ecosystems

Infected packages stole npm tokens from maintainers at Mistral AI, UiPath, Open Search, Guardrails AI, and Squawk. The malware spread to 169 packages across npm and jumped to PyPI through Python SDKs.

4. Persistence and Evasion Mechanisms

The worm forged commits using Claude Code signatures to blend in with legitimate AI-generated commits, embedded itself in VS Code and Claude Code to survive package uninstalls, and installed a dead man switch that would nuke the root directory if stolen tokens expired.

5. Defensive Strategies with pnpm

pnpm 1+ offers three default protections: minimum release age (24-hour delay before installing packages), block exotic subdependencies (registry-only enforcement), and approved builds (automatic script blocking with manual whitelisting).

Glossary

pull_request_target: A GitHub Actions trigger that runs workflows in the context of the target repository with its permissions, even when the PR originates from a fork
Supply chain attack: A cyberattack targeting the development, build, or distribution pipeline of software to compromise multiple downstream users
npm publish token: A credential that authorizes publishing packages to the npm registry; typically short-lived in CI environments
Dead man switch: An automated mechanism that triggers destructive action (e.g., file deletion) if a specified condition is met or not met within a timeframe
Transitive dependency: A package that is required by a direct dependency, creating a chain of dependencies
Install script: Arbitrary code that executes automatically when a package is installed via npm; a common vector for malware distribution
Minimum release age: A security feature that refuses to install packages published less than a specified time period ago, allowing time for malicious packages to be detected and removed
Block exotic subdependencies: A security feature that restricts dependencies to only those from official package registries, blocking dependencies from git repos or custom URLs

Explore