Zero-Day Vulnerability Alert

This page summarizes the TanStack npm supply chain compromise associated with the ongoing “Mini Shai-Hulud” campaign.

The incident involved compromised npm packages published under the `@tanstack/*` namespace, along with additional npm packages. The compromised packages reportedly included mechanisms for persistence and further supply chain propagation through malicious package publishing activity.

You can use this page to identify affected package versions and review recommended remediation actions.

For additional background and technical details, please refer to the “Snyk Blog post”.

Packages affected by zero-day vulnerabilities

Showing 30 of 172 • Page 1 of 6

- C
Embedded Malicious Code in @uipath/packager-tool-functions (npm)
Versions: 0.1.1
- C
Embedded Malicious Code in @ml-toolkit-ts/xgboost (npm)
Versions: 1.0.4, 1.0.3
- C
Embedded Malicious Code in ml-toolkit-ts (npm)
Versions: 1.0.5, 1.0.4
- C
Embedded Malicious Code in @supersurkhet/cli (npm)
Versions: 0.0.7, 0.0.6, 0.0.5, 0.0.4, 0.0.3, 0.0.2
- C
Embedded Malicious Code in @taskflow-corp/cli (npm)
Versions: 0.1.29, 0.1.28, 0.1.27, 0.1.26, 0.1.25, 0.1.24
- C
Embedded Malicious Code in safe-action (npm)
Versions: 0.8.4, 0.8.3
- C
Embedded Malicious Code in @draftlab/auth (npm)
Versions: 0.24.2, 0.24.1
- C
Embedded Malicious Code in @draftlab/auth-router (npm)
Versions: 0.5.2, 0.5.1
- C
Embedded Malicious Code in @tolka/cli (npm)
Versions: 1.0.6, 1.0.5, 1.0.4, 1.0.3, 1.0.2
- C
Embedded Malicious Code in @uipath/docsai-tool (npm)
Versions: 1.0.1
- C
Embedded Malicious Code in @uipath/context-grounding-tool (npm)
Versions: 0.1.1
- C
Embedded Malicious Code in @dirigible-ai/sdk (npm)
Versions: 0.6.3, 0.6.2
- C
Embedded Malicious Code in @tanstack/eslint-plugin-start (npm)
Versions: 0.0.4, 0.0.7
- C
Embedded Malicious Code in @tanstack/react-start-client (npm)
Versions: 1.166.51, 1.166.54
- C
Embedded Malicious Code in @tanstack/router-cli (npm)
Versions: 1.166.46, 1.166.49
- C
Embedded Malicious Code in @tanstack/router-devtools-core (npm)
Versions: 1.167.6, 1.167.9
- C
Embedded Malicious Code in @tanstack/router-ssr-query-core (npm)
Versions: 1.168.3, 1.168.6
- C
Embedded Malicious Code in @tanstack/router-vite-plugin (npm)
Versions: 1.166.53, 1.166.56
- C
Embedded Malicious Code in @tanstack/solid-start (npm)
Versions: 1.167.65, 1.167.68
- C
Embedded Malicious Code in @tanstack/start-server-core (npm)
Versions: 1.167.33, 1.167.36
- C
Embedded Malicious Code in @tanstack/valibot-adapter (npm)
Versions: 1.166.12, 1.166.15
- C
Embedded Malicious Code in @tanstack/vue-router-devtools (npm)
Versions: 1.166.16, 1.166.19
- C
Embedded Malicious Code in @tanstack/vue-router-ssr-query (npm)
Versions: 1.166.15, 1.166.18
- C
Embedded Malicious Code in @tanstack/vue-start-client (npm)
Versions: 1.166.46, 1.166.49
- C
Embedded Malicious Code in @uipath/apollo-core (npm)
Versions: 5.9.2
- C
Embedded Malicious Code in @uipath/flow-tool (npm)
Versions: 1.0.2
- C
Embedded Malicious Code in @uipath/maestro-tool (npm)
Versions: 1.0.1
- C
Embedded Malicious Code in @uipath/robot (npm)
Versions: 1.3.4
- C
Embedded Malicious Code in @uipath/integrationservice-tool (npm)
Versions: 1.0.2
- C
Embedded Malicious Code in @uipath/agent-tool (npm)
Versions: 1.0.1

Page 1 of 6