Pico

Posted on • Originally published at getcommit.dev

node-ipc Had a 69 Trust Score Before It Got Hacked. TanStack Had 91.

Two npm supply chain attacks hit the same week. One was predictable. One wasn't. That's the point.


May 2026 gave us two back-to-back supply chain attacks on npm. Same week. Completely different mechanics. And that tells you more about the state of supply chain security than any whitepaper.

May 11: TanStack — 42 packages, 84 malicious versions in 6 minutes. @tanstack/react-router alone gets 16.9 million weekly downloads.

May 14: node-ipc — 3 malicious versions. 730K weekly downloads. Stole over 90 categories of credentials, including AWS keys, SSH keys, Kubernetes tokens, and Claude AI settings.

I ran both through getcommit.dev — a behavioral scoring tool I built that measures structural risk signals in npm, PyPI, Cargo, and Go packages.

TanStack scored 91. node-ipc scored 69 with a WARN flag.

The 69 was there before the attack.

What happened at node-ipc

node-ipc is a 12-year-old inter-process communication library. One npm publisher. 35 GitHub contributors who can't publish to npm. Last legitimate release: August 2024 — 21 months of silence.

On May 14, someone published three malicious versions simultaneously across two major version lines (9.x and 12.x). The payload was an 80KB obfuscated credential harvester targeting over 90 different secret formats. The npm account had been dormant long enough that its credentials could be taken over and used without anyone noticing.

The behavioral data before the attack:

| Signal | Score | What it means |
|---|---|---|
| Longevity | 25/25 | 12.2 years. Established. |
| Maintainer depth | 4/15 | 1 npm publisher. Single point of failure. |
| Release consistency | 12/20 | 646 days since last publish. Dormant. |
| Trusted Publishing | 0/2 | No OIDC provenance. No cryptographic link between source and release. |
| Total | 69 | WARN |

A sole publisher. A dormant release cycle. No provenance. Every signal was pointing at the risk. This is the pattern behind the LiteLLM attack (March 2026) and the axios incident (March 30, 2026): steal the credentials of a single person who hasn't published in months, and 730,000 weekly consumers get the payload.

What happened at TanStack

TanStack was different. Five npm publishers. Active development — the last publish was 3 days before the attack. Score: 91. HEALTHY by every behavioral metric.

The attacker didn't steal anyone's npm credentials. They exploited a chain of three vulnerabilities in TanStack's GitHub Actions setup:

  1. pull_request_target in a workflow, which lets fork code run with base repo permissions
  2. GitHub Actions cache poisoning across the fork → base trust boundary
  3. Memory extraction of the OIDC token from the GitHub Actions runner process (reading /proc at runtime)
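The first link in that chain is a configuration mistake you can check for in your own repositories. The following is an added example, not TanStack's workflow and not getcommit.dev's code: a small heuristic audit that reads a GitHub Actions workflow file and flags `pull_request_target` combined with a checkout of the fork's head commit, a dependency install that would run the fork's lifecycle scripts, and the `id-token: write` / `contents: write` permissions that raise the stakes. Both workflows in the block are constructed for the example, and the checks are line- and regex-based so the script runs with no YAML dependency; a real linter would parse the YAML properly.

```javascript
// Added example (not TanStack's workflow, not getcommit.dev's code): heuristic
// audit of a GitHub Actions workflow for the pull_request_target trust-boundary
// mistake. Regex-based on purpose so it needs no YAML library.

// Constructed: a workflow with the dangerous pattern.
const VULNERABLE_WORKFLOW = `
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - run: npm ci
      - run: npm test
`;

// Constructed: the same job on the pull_request trigger, least permissions,
// default checkout (merge ref) and no lifecycle scripts during install.
const HARDENED_WORKFLOW = `
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
      - run: npm test
`;

// Returns a list of { id, severity, detail } findings; an empty list means
// nothing matched. All checks concern workflows triggered by pull_request_target.
function auditWorkflow(yamlText) {
  const lines = yamlText.split("\n");
  const usesPrTarget = /\bpull_request_target\b/.test(yamlText);
  // A checkout pinned to the PR head ref/sha is the fork's code, not the base branch.
  const checksOutForkHead =
    /ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}/.test(yamlText);
  // npm/pnpm/yarn install without --ignore-scripts executes package.json lifecycle scripts.
  const runsInstallScripts = lines.some(
    (l) => /run:.*\b(npm|pnpm|yarn)\s+(ci|install|i)\b/.test(l) && !l.includes("--ignore-scripts"),
  );
  const idTokenWrite = /id-token:\s*write/.test(yamlText);
  const contentsWrite = /contents:\s*write/.test(yamlText);

  const findings = [];
  if (!usesPrTarget) return findings;

  if (checksOutForkHead) {
    findings.push({ id: "pr-target-checks-out-fork", severity: "HIGH",
      detail: "pull_request_target runs with base-repo permissions, yet the job checks out the fork's head commit" });
    if (runsInstallScripts) {
      findings.push({ id: "install-scripts-run-on-fork-code", severity: "HIGH",
        detail: "install runs lifecycle scripts from the fork's package.json; use --ignore-scripts or do not check out the fork" });
    }
  } else {
    findings.push({ id: "pr-target-present", severity: "LOW",
      detail: "pull_request_target is used; confirm no step executes untrusted PR content" });
  }
  if (idTokenWrite) {
    findings.push({ id: "oidc-token-in-pr-target-job", severity: "HIGH",
      detail: "id-token: write lets this job mint an OIDC token; keep it out of fork-triggered workflows" });
  }
  if (contentsWrite) {
    findings.push({ id: "contents-write-in-pr-target-job", severity: "MEDIUM",
      detail: "contents: write in a fork-triggered workflow; grant the least permission the job needs" });
  }
  return findings;
}

for (const [label, wf] of [["vulnerable", VULNERABLE_WORKFLOW], ["hardened", HARDENED_WORKFLOW]]) {
  const found = auditWorkflow(wf);
  console.log(`${label}: ${found.length} finding(s)`);
  for (const f of found) console.log(`  [${f.severity}] ${f.id}: ${f.detail}`);
}
```

Run it with `node audit-workflow.js`; to use it on a repository, read each file under `.github/workflows/` and pass its text to `auditWorkflow`. The point of the hardened variant is not the specific lines but the shape: untrusted PR content never meets write permissions or an OIDC token in the same job.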

The malware published 84 versions across 42 packages in six minutes. It passed SLSA provenance checks. It carried valid signed certificates. Every automated security tool looking at cryptographic proof of origin said "this is legitimate."

OpenAI published a response because TanStack was in their dependency tree. Detection took 20 minutes. Cleanup took hours. But the attack bypassed the exact mechanism — provenance attestation — that was supposed to make CI/CD-origin attacks impossible.

What the scores actually tell you

Two attacks. Two completely different risk profiles:

| | node-ipc | TanStack |
|---|---|---|
| Score | 69 (WARN) | 91 (HEALTHY) |
| Publishers | 1 | 5 |
| Last publish | 21 months ago | 3 days ago |
| Provenance | No | Yes |
| Attack vector | Stolen npm credentials | CI/CD pipeline compromise |
| Predictable? | Yes | No |

Behavioral signals caught the node-ipc pattern. They didn't catch TanStack's. SLSA provenance was supposed to catch TanStack's. It didn't.

No single tool catches both. That's not a failure — it's the reality. Different attacks exploit different trust boundaries.

Which pattern is more common

The node-ipc pattern is far more common than the TanStack pattern. The GitHub Actions cache-poisoning chain is sophisticated — it required chaining three separate vulnerabilities. Stealing a dormant npm account's credentials requires buying them on a dark web marketplace.

There are 26 npm packages with over 10 million weekly downloads and a single npm publisher. Every one of them has the same structural profile as node-ipc, axios, and LiteLLM before their incidents.

```
minimatch    — 610M/wk, 1 publisher  ⚑ CRITICAL
chalk        — 436M/wk, 1 publisher  ⚑ CRITICAL
glob         — 355M/wk, 1 publisher  ⚑ CRITICAL
cross-spawn  — 168M/wk, 1 publisher  ⚑ CRITICAL
zod          — 145M/wk, 1 publisher  ⚑ CRITICAL
```

These won't appear in your package.json. They're in your lock file — transitive dependencies you've never audited, installed on every npm install.

Check your own project

```
npx proof-of-commitment --file package-lock.json
```

This scans your full dependency tree — direct and transitive — and flags the structural risks that npm audit doesn't look at.
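To make concrete what "structural risks" means here, the following is an added example, not getcommit.dev's scanner and not its scoring model: it walks a `package-lock.json` (lockfileVersion 2 or 3, which carry a `packages` map) through every transitive dependency and flags the three signals from the node-ipc table above, a single npm publisher, a long gap since the last publish, and no provenance for the locked version. The lock file and the registry metadata are constructed so the block runs offline; a real scanner would fetch each package's registry document and read its `maintainers`, `time` and per-version `dist.attestations` fields. The 365-day dormancy threshold and the OK/WARN/CRITICAL levels are this example's own choices.

```javascript
// Added example (not getcommit.dev's code): flag single-publisher, dormant and
// provenance-less packages across a whole npm lock file, transitives included.

// Constructed lock file: lib-a is a direct dependency, lib-b and lib-c are transitive.
const LOCKFILE = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "lib-a": "^1.0.0" } },
    "node_modules/lib-a": { version: "1.2.0", dependencies: { "lib-b": "^2.0.0" } },
    "node_modules/lib-b": { version: "2.5.1", dependencies: { "lib-c": "^9.0.0" } },
    "node_modules/lib-c": { version: "9.2.1" },
  },
});

// Constructed stand-in for registry metadata (values are made up). A real
// scanner would derive these from https://registry.npmjs.org/<name>:
// maintainers = length of `maintainers`, time = the `time` map, provenance =
// versions whose `dist.attestations` is present.
const REGISTRY = {
  "lib-a": { maintainers: 3, time: { "1.0.0": "2025-11-02T00:00:00Z", "1.2.0": "2026-05-08T00:00:00Z" }, provenance: ["1.0.0", "1.2.0"] },
  "lib-b": { maintainers: 1, time: { "2.5.1": "2026-03-01T00:00:00Z" }, provenance: ["2.5.1"] },
  "lib-c": { maintainers: 1, time: { "9.2.1": "2024-08-06T00:00:00Z" }, provenance: [] },
};

const NOW = Date.parse("2026-05-14T00:00:00Z"); // constructed reference date
const DORMANT_AFTER_DAYS = 365;                  // this example's own threshold

// Every package the lock file pins, with the name recovered from its install path.
function listLockedPackages(lockText) {
  const lock = JSON.parse(lockText);
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 (no "packages" map)');
  const direct = new Set(Object.keys((lock.packages[""] || {}).dependencies || {}));
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // the root project itself
    // "node_modules/a/node_modules/@s/b" -> "@s/b"
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    out.push({ name, version: entry.version, direct: direct.has(name) });
  }
  return out;
}

// Apply the three structural signals to one locked package.
function assessPackage(pkg, meta, now = NOW) {
  if (!meta) return { ...pkg, idleDays: null, signals: ["no-registry-metadata"], level: "UNKNOWN" };
  const signals = [];
  if (meta.maintainers === 1) signals.push("single-publisher");
  const lastPublish = Math.max(...Object.values(meta.time).map((t) => Date.parse(t)));
  const idleDays = Math.floor((now - lastPublish) / 86_400_000);
  if (idleDays > DORMANT_AFTER_DAYS) signals.push("dormant");
  if (!meta.provenance.includes(pkg.version)) signals.push("no-provenance");
  // Example's own levels: two or more signals together are what the node-ipc pattern looks like.
  const level = signals.length >= 2 ? "CRITICAL" : signals.length === 1 ? "WARN" : "OK";
  return { ...pkg, idleDays, signals, level };
}

const RANK = { CRITICAL: 0, WARN: 1, UNKNOWN: 2, OK: 3 };

// Scan the whole tree and report the worst packages first.
function scanLockfile(lockText, registry, now = NOW) {
  return listLockedPackages(lockText)
    .map((p) => assessPackage(p, registry[p.name], now))
    .sort((a, b) => RANK[a.level] - RANK[b.level]);
}

for (const r of scanLockfile(LOCKFILE, REGISTRY)) {
  const kind = r.direct ? "(direct)" : "(transitive)";
  console.log(`${r.level.padEnd(8)} ${r.name}@${r.version} ${kind} ${r.signals.join(", ")}`);
}
```

In the constructed data `lib-c` comes out CRITICAL with all three signals and an idle gap of 646 days, the same gap the node-ipc table shows, and it is two levels deep in the tree, which is exactly the kind of package that never appears in `package.json`.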

It won't predict the next TanStack. But it'll surface every node-ipc-shaped package in your tree. And right now, that's the pattern that keeps repeating.

Try it on any package: getcommit.dev/npm/node-ipc


getcommit.dev — behavioral supply chain scoring for npm, PyPI, Cargo, and Go. Open source on GitHub.
