Marky avatar

Tan Stack Scanner

themarkymark

Published: 12 May 2026 › Updated: 12 May 2026Tan Stack Scanner

Tan Stack Scanner

image.png

If you heard of the shai hulud exploit, you know how serious this is. Another supply chain attack hit and this one is rough. If attacked, this malware will target claude and VS Code to burrow in so even if you remove it, it still will stay resident. This worm initially went after npm models, it was later found to spread to Python modules on PyPi as well.

I made an open source scanner that detects traces of this worm so you can easily remove it from your system.

https://github.com/officiallymarky/tanstackscanner

What it checks

  • Known IOC filenames:
    • router_init.js
    • router_runtime.js
    • tanstack_runner.js
    • gh-token-monitor.sh
    • setup.mjs
  • Known malicious SHA-256 hash:
    • ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
  • Suspicious dependency strings in manifests and lockfiles:
    • @tanstack/setup
    • github:tanstack/router
    • 79ac49eedf774dd4b0cfa308722bc463cfe5885c
  • User-level persistence artifacts for gh-token-monitor
  • Running processes matching known IOC names

This attack was initially discovered with this Github comment.

image.png

https://github.com/TanStack/router/issues/7383#issuecomment-4425225340

These attacks are becoming more and more common with AI being available to everyone and the flood of vibe coded apps. While there is no way to protect against these attacks, you can minimize them by using tools like safe-npm to only install packages that are 90 days old. This typically gives it enough time to discover compromised packages but it isn't 100% fail proof.

Leave Tan Stack Scanner to:

Written by

Browncoat | Meme Connoisseur | Bitcoin Evangelist | Dev | Gamer | Technical Samurai | AI Nerd | Hive Witness | Black Belt in Dad Jokes

Read more #security posts


Best Posts From Marky

We have not curated any of themarkymark's posts yet. But you can encourage our curation team to review posts by visiting them regularly and by referring other readers. Because we give priority to frequently read content.

More Posts From Marky