How to Check and Mitigate the Mini Shai-Hulud Supply Chain Attack on TanStack and Mistral npm Packages

Introduction

The Mini Shai-Hulud supply chain attack has compromised several npm packages for the TanStack web development tools. Packages from Mistral were also affected. If you use any of these packages in your project, you need to act quickly to assess if your dependency tree includes malicious code. This guide provides a step-by-step process to detect compromised packages, verify file integrity, and mitigate risks.


What You Need

  • Node.js and npm installed on your development machine or CI server
  • Terminal access with shell commands (shasum, grep, find)
  • Your project’s dependency tree (can be generated via npm ls)
  • List of affected package names and versions (from official advisories, e.g., Socket report)
  • Backup of current lockfile (package-lock.json or yarn.lock) before making changes
  • Access to official package repositories for reinstallation

Step-by-Step Guide to Detect and Mitigate

Step 1: Identify Affected Packages in Your Project

First, determine which TanStack or Mistral packages you depend on. Run the following command in your project root to list all direct and transitive dependencies (on npm 7 and later, npm ls --depth=0 prints only your direct dependencies, so use --all to see the whole tree):

npm ls --all

Look for packages with names containing tanstack, @tanstack, mistral, or @mistralai. Note the version numbers. Cross-reference with the official advisory from Socket or the TanStack team for the list of compromised versions.

Tip: Use npm ls --all | grep -E 'tanstack|mistral' to filter quickly.

Step 2: Check for Suspicious Files (router_init.js)

The attack planted malicious code in a file named router_init.js. Even if your version is not in the known compromised list, run a hash check on all instances of this file in your node_modules folder.

  1. Find all router_init.js files:
    find node_modules -name 'router_init.js'
  2. Generate a SHA-256 hash for each file (using -exec instead of a for loop over $(find ...), so paths containing spaces are handled correctly):
    find node_modules -name 'router_init.js' -exec shasum -a 256 {} +
  3. Compare the returned hashes against the known bad hashes from the advisory. If any match, the package is compromised.

Step 3: Verify Other Indicators of Compromise

Malicious packages may also exhibit:

  • Suspicious scripts in the install or postinstall hooks
  • Modified main entry points that decode payloads
  • Unexpected network calls in source code
  • Changed timestamps or file sizes

Run npm audit to detect known vulnerabilities, but note that this attack may not be flagged by default until an advisory or CVE for it has been published.

Step 4: Quarantine or Remove Compromised Packages

If you find any compromised packages, immediately:

  1. Prevent execution of any malicious code: Delete the entire node_modules folder: rm -rf node_modules
  2. Update your package.json to pin affected dependencies to a safe version (see official patch notes).
  3. Clear npm cache: npm cache clean --force
  4. Reinstall dependencies from trusted sources: npm install

Warning: Do not run any scripts during install. Use npm install --ignore-scripts until you are sure the clean versions are safe.

Step 5: Notify Your Team and Monitor

Inform your development team, security team, and anyone using the same dependency tree. Record the incident and steps taken. Set up monitoring for future supply chain attacks:

  • Use package lockfiles and commit them to version control.
  • Run regular npm audit and shasum checks in CI pipelines.
  • Subscribe to security advisories for your dependencies.

Tips for Prevention and Future Safety

  • Prefer locked dependencies: Always commit your lockfile to ensure reproducible builds and easier detection of changes.
  • Use dependency scanning tools: Integrate tools like Socket, Snyk, or npm audit into your workflow.
  • Reduce transitive dependency risk: Minimize the number of dependencies, especially of packages with low maintenance or large attack surfaces.
  • Verify package integrity: After each install, run a custom script that checks hashes of critical files (like router_init.js) against a known-good manifest.
  • Enable two-factor authentication (2FA) on npm accounts: This reduces the chance of attackers publishing malicious versions under legitimate maintainer names.
  • Keep dependencies up to date: Patch quickly when security updates are released, but verify updates before deploying.

Remember: The Mini Shai-Hulud attack specifically targeted TanStack and Mistral packages, but supply chain attacks can affect any library. Stay vigilant and always verify your dependencies.
