If you've heard of the Shai-Hulud exploit, you know how serious this is. Another supply chain attack has hit, and this one is rough. Once it lands on a machine, this malware targets Claude and VS Code to burrow in, so even if you remove it, it stays resident. The worm initially went after npm modules; it was later found to spread to Python modules on PyPI as well.
I made an open source scanner that detects traces of this worm so you can easily remove it from your system.
https://github.com/officiallymarky/tanstackscanner
Indicators associated with this worm (file names, package names and hashes):
- router_init.js
- router_runtime.js
- tanstack_runner.js
- gh-token-monitor.sh
- setup.mjs
- ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
- @tanstack/setup
- github:tanstack/router
- 79ac49eedf774dd4b0cfa308722bc463cfe5885c
- gh-token-monitor

This attack was initially discovered in this GitHub comment:
https://github.com/TanStack/router/issues/7383#issuecomment-4425225340
These attacks are becoming more and more common with AI available to everyone and the flood of vibe-coded apps. While there is no way to fully protect against them, you can reduce the risk with tools like safe-npm that only install packages at least 90 days old. That typically gives enough time for compromised packages to be discovered, but it isn't foolproof.
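As an added example (not code from this post, safe-npm or the linked scanner), here is the core of the minimum-age rule: given the `time` map the npm registry returns for a package (the same object `npm view <pkg> time --json` prints), pick the newest version that is at least 90 days old and refuse anything fresher. The package data below is constructed.

```javascript
// Added example: enforce a minimum package age before installing.
const MIN_AGE_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample `time` map: 1.2.3 has been public for months,
// 1.2.4 was published two days before "now" (the shape of a hijacked release).
const sampleTime = {
  created: "2024-01-10T12:00:00.000Z",
  modified: "2025-06-28T09:00:00.000Z",
  "1.2.3": "2025-01-15T10:00:00.000Z",
  "1.2.4": "2025-06-28T09:00:00.000Z",
};
const sampleNow = new Date("2025-06-30T00:00:00.000Z");

// True only if `version` exists in the map and was published at least
// minAgeDays before `now`. Unknown versions are refused, not waved through.
function isOldEnough(timeMap, version, now = new Date(), minAgeDays = MIN_AGE_DAYS) {
  const publishedMs = Date.parse(timeMap[version] ?? "");
  if (!Number.isFinite(publishedMs)) return false;
  return now.getTime() - publishedMs >= minAgeDays * DAY_MS;
}

// Newest (by publish date) version that satisfies the age rule, or null if
// no version is old enough yet. `created` / `modified` are registry metadata,
// not versions, so they are skipped.
function newestAllowedVersion(timeMap, now = new Date(), minAgeDays = MIN_AGE_DAYS) {
  const cutoffMs = now.getTime() - minAgeDays * DAY_MS;
  const candidates = Object.entries(timeMap)
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, published]) => ({ version, publishedMs: Date.parse(published) }))
    .filter((v) => Number.isFinite(v.publishedMs) && v.publishedMs <= cutoffMs)
    .sort((a, b) => b.publishedMs - a.publishedMs);
  return candidates.length > 0 ? candidates[0].version : null;
}

// Stand-alone run against the constructed data.
console.log("allowed:", newestAllowedVersion(sampleTime, sampleNow)); // prints "allowed: 1.2.3"
console.log("1.2.4 old enough:", isOldEnough(sampleTime, "1.2.4", sampleNow)); // false
```

In practice you would feed `newestAllowedVersion` the parsed output of `npm view <pkg> time --json` and pin that version; a package whose only versions are all younger than the cutoff simply waits.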