Someone published four versions of a fake "tanstack" package in 27 minutes to steal your .env files

April 29, 2026

A highly aggressive, rapid typosquatting campaign targeted frontend development teams by publishing four distinct malicious versions of a fraudulent "tanstack" package in a span of just 27 minutes. The threat actors timed this release to catch developers making minor typos during package installations. The malicious packages utilize a highly invasive postinstall script hook that activates automatically upon package resolution. Once execution begins, the malware explicitly targets the local project structure, locating and parsing all .env environmental files. These configuration files typically house high-value corporate assets, including third-party API keys, database connection strings, and administrative passwords, which the script immediately bundles and exfiltrates via an unencrypted web request to an external server.Remediation requires frontend teams to immediately check their project manifests (package.json) and active lockfiles to verify that only the official, correctly spelled @tanstack libraries are present. Any environment that unknowingly pulled the typosquatted package must instantly revoke and rotate all variables, database passwords, and API credentials contained within their .env files. Organizations should configure internal npm registries to explicitly block unverified public packages that closely match popular open-source library names.If you need expert assistance in identifying compromised packages, securing your CI/CD pipelines, or conducting an emergency supply chain audit, contact Cyberlinx today to protect your development environment.

Table of Contents
Resource Type
Threat Intel
Category
DevSecOps
Written by
Cyberlinx Research Team
Offensive Security Research Team
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?