Security Incident [Remediated]: npm supply-chain compromise of @squawk/* packages on 2026-05-11

[neilcochran]

Incident Summary

On 2026-05-11, the mini-Shai-Hulud npm supply-chain worm published 110 malicious versions across all 22 @squawk/* packages on the npm registry during a 95-minute window (22:17-23:52 UTC). The worm gained access via a compromised upstream dependency (@tanstack/router-cli and @tanstack/router-plugin) that was pulled into CI through a routine Dependabot PR.

The malicious versions are no longer installable. GitHub Trust and Safety removed all 110 malicious tarballs from the registry. The latest dist-tag on every @squawk/* package now points at a pre-incident clean version. Any new npm install @squawk/<anything> is safe.

This post documents the incident in full so anyone arriving at squawk through public incident coverage can verify the project's response.

What happened

The upstream @tanstack/* packages were compromised earlier on 2026-05-11 (see TanStack/router#7383). The compromised versions added a hidden @tanstack/setup optionalDependency pointing at an orphan git commit; npm fetched it as a tarball and ran a credential-stealing prepare script during install.

A Dependabot PR for a routine dev-dependency group bump pulled in the compromised @tanstack/router-cli@1.166.49 and @tanstack/router-plugin@1.167.41. After review and merge to main, the publish workflow ran npm ci with NPM_TOKEN in scope. The malicious prepare script exfiltrated the token and used it to publish 5 malicious versions of every package the token had access to, including all 22 @squawk/* packages.

The stolen token also had access to three of my unrelated personal npm packages (cross-stitch, ts-dna, wot-api). Those were hit in the same window and have been remediated separately. None of them use @tanstack/*; they were collateral damage from a single overly broad classic npm token.

Timeline (UTC)

Time	Event
2026-05-11 22:12	PR #246 (Dependabot dev-dependencies group bump) merged to main. CI runs on main with compromised @tanstack/* installed
2026-05-11 22:17	First malicious publish: @squawk/mcp@0.9.1. The worm enumerates every package the stolen token can publish to and begins mass-publishing
2026-05-11 23:52	Last malicious publish: @squawk/mcp@0.9.5. 110 malicious versions across 22 @squawk/* packages live on the registry, with latest pointing at malicious code on every package
2026-05-12 00:04	I detect the publishes via notifications, revoke NPM_TOKEN at npm.com, disable GitHub Actions on this repo, remove all repo secrets and variables, rotate the GitHub App private key used by the release workflow, and revoke all Personal Access Tokens
2026-05-12 01:14	npm flags my account and locks it. I email GitHub Security directly with the affected package list, version ranges, and ownership evidence
2026-05-12 01:17	PR #248 is merged to main, reverting PR #246. Repo source state returns to a known-clean lockfile and package.json. The @tanstack/* pause is added to .github/dependabot.yml in the same change
2026-05-12 03:37-03:41	GitHub Trust and Safety remove the 110 malicious @squawk/* versions from the registry and reset latest dist-tags. They also clean up cross-stitch and ts-dna in the same pass
2026-05-12 15:43	GitHub Trust and Safety confirm cleanup is complete and reactivate npm account access
Later same day	Full audit of the repo, npm registry state, and GitHub account state. I discovered GitHub Trust and Safety missed wot-api (an unrelated 2022 package) during cleanup. I unpublish those 5 malicious versions directly once my account access was restored

Affected versions

Every @squawk/* package received 5 malicious patch publishes during the worm window. The "Last clean" column is what latest currently points to and is safe to install.

Package	Last clean	Malicious window
@squawk/airport-data	0.7.3	0.7.4 - 0.7.8
@squawk/airports	0.6.1	0.6.2 - 0.6.6
@squawk/airspace	0.8.0	0.8.1 - 0.8.5
@squawk/airspace-data	0.5.2	0.5.3 - 0.5.7
@squawk/airway-data	0.5.3	0.5.4 - 0.5.8
@squawk/airways	0.4.1	0.4.2 - 0.4.6
@squawk/fix-data	0.6.3	0.6.4 - 0.6.8
@squawk/fixes	0.3.1	0.3.2 - 0.3.6
@squawk/flight-math	0.5.3	0.5.4 - 0.5.8
@squawk/flightplan	0.5.1	0.5.2 - 0.5.6
@squawk/geo	0.4.3	0.4.4 - 0.4.8
@squawk/icao-registry	0.5.1	0.5.2 - 0.5.6
@squawk/icao-registry-data	0.8.3	0.8.4 - 0.8.8
@squawk/mcp	0.9.0	0.9.1 - 0.9.5
@squawk/navaid-data	0.6.3	0.6.4 - 0.6.8
@squawk/navaids	0.4.1	0.4.2 - 0.4.6
@squawk/notams	0.3.5	0.3.6 - 0.3.10
@squawk/procedure-data	0.7.2	0.7.3 - 0.7.7
@squawk/procedures	0.5.1	0.5.2 - 0.5.6
@squawk/types	0.8.0	0.8.1 - 0.8.5
@squawk/units	0.4.2	0.4.3 - 0.4.7
@squawk/weather	0.5.5	0.5.6 - 0.5.10

Every malicious version was published between 2026-05-11 22:17 and 2026-05-11 23:52 UTC. Any @squawk/* version published in that window should be treated as malicious.

Are you affected?

You are affected only if you ran npm install (or equivalent) for any @squawk/* package between 2026-05-11 22:17 UTC and approximately 2026-05-12 04:00 UTC when Trust and Safety completed the registry cleanup.

If you may have been affected:

1. Delete node_modules and any cached @squawk/* tarballs in your npm cache.
2. Audit your shell history, environment variables, and any tokens that were in scope during the install. The worm's payload exfiltrates credentials during install via lifecycle scripts.
3. Rotate any npm tokens, GitHub PATs, and SSH/GPG keys present on the affected machine.
4. Reinstall using npm install @squawk/<package>@<version> pinning to a "Last clean" version from the table above.

If you did not install @squawk/* packages during the worm window, no action is needed. Current installs of @latest are safe.

What I did

• Revoked the compromised NPM_TOKEN at npm.com within minutes of detection.
• Disabled GitHub Actions on this repo to block any further automated runs.
• Removed all GitHub repo secrets.
• Rotated the GitHub App private key used by the release workflow.
• Revoked all Personal Access Tokens on the GitHub account.
• Confirmed no SSH or GPG keys are configured on the account.
• Enabled passkey-based 2FA on the npm account.
• Reverted the malicious dependency bump (PR Revert PR #246 to remove compromised @tanstack/* devDeps #248).
• Paused @tanstack/* updates in .github/dependabot.yml until upstream remediation is confirmed.
• Audited the repo for worm artifacts. No injected workflow files, no bundle.js or other payloads, no @tanstack/setup references in the lockfile, no unexpected branches or commits, no malicious public repos created on the account, no unfamiliar webhooks, deploy keys, or collaborators.
• Audited every @squawk/* package on npm and confirmed latest dist-tags resolve to pre-incident clean versions across all 22 packages.

Status

• All malicious @squawk/* versions: removed from the registry.
• latest dist-tags: pointing at pre-incident clean versions for every package.
• Repo source state on main: clean. Revert and @tanstack/* pause both merged.
• Publish pipeline: temporarily disabled until new tokens/secrets are created

The @squawk/* package code on the registry today is exactly what it was on 2026-05-11 before the worm ran. No source changes from the incident remain in any published version.

References

• TanStack incident tracking: TanStack/router#7383
• TanStack postmortem: tanstack.com/blog/npm-supply-chain-compromise-postmortem
• This repo's security policy: SECURITY.md

For security concerns relating to @squawk/* packages, please follow the disclosure flow in SECURITY.md.

---

"Walk without rhythm, and it won't attract the worm." - Fremen survival rule, Frank Herbert's Dune