TanStack and node-ipc Attacks: What They Mean for NIS2 and DORA Supply Chain Compliance

Introduction: A New Wave of Software Supply Chain Attacks

In early 2025, two high-profile software supply chain attacks sent shockwaves through the developer community. The TanStack breach, part of the 'Mini Shai-Hulud' campaign by the TeamPCP extortion gang, compromised OpenAI employee devices and exposed code signing certificates. Meanwhile, the node-ipc attack injected credential-stealing malware into three malicious npm versions, targeting cloud and CI/CD secrets. Both incidents exploited vulnerabilities in open-source ecosystems and CI/CD pipelines — exactly the kind of risks that the EU's NIS2 Directive and Digital Operational Resilience Act (DORA) aim to mitigate.

For compliance officers and security leaders, these attacks are a wake-up call. They demonstrate how attackers bypass traditional controls by compromising maintainer accounts and abusing trusted release processes. This article dissects both attacks, connects them to NIS2 and DORA supply chain provisions, and provides actionable steps — including using AIGovHub's CCM module for continuous controls monitoring and SENTINEL for geopolitical and supply chain risk intelligence — to strengthen your software supply chain security posture.

Anatomy of the Attacks: How They Bypassed Existing Controls

Both attacks share a common modus operandi: compromising the software supply chain at the dependency level, where trust is assumed and visibility is low.

The node-ipc Attack: Credential Theft via DNS Exfiltration

The node-ipc package, a widely used npm library for inter-process communication, had three malicious versions published (9.1.6, 9.2.3, and 12.0.1). The attacker likely compromised an inactive maintainer account (atiertant) and pushed code that, at runtime, stole cloud credentials, SSH keys, Kubernetes and Docker tokens, npm and GitHub tokens, and .env files. The stolen data was exfiltrated via DNS TXT queries to a fake Azure domain, blending into normal traffic and avoiding HTTP-based command-and-control (C2) detection.

Key evasion techniques included:

• No persistence: The malware deleted its archives after exfiltration, leaving minimal forensic traces.
• DNS tunneling: Using DNS queries for data exfiltration bypasses traditional network monitoring tools that inspect HTTP/HTTPS traffic.
• Targeted credential harvesting: The malware focused on developer and cloud credentials, which are often highly privileged and less frequently rotated.

The TanStack Attack: CI/CD Pipeline Compromise

The TanStack attack, part of the same Mini Shai-Hulud campaign, targeted the popular React Query library's build and release pipeline. Attackers exploited weaknesses in GitHub Actions workflows and CI/CD configurations to publish malicious packages through legitimate release pipelines. OpenAI confirmed that two employee devices were compromised, leading to unauthorized access to internal source code repositories and exposure of code signing certificates for macOS, Windows, iOS, and Android.

Notably, the malware established persistence via Claude Code hooks and VS Code auto-run tasks, ensuring it would execute even after initial cleanup. OpenAI rotated code signing certificates as a precaution, requiring macOS users to update their desktop applications by June 12, 2026. While customer data and production systems were not impacted, the incident highlights how a single compromised dependency can cascade into a major security breach.

NIS2 and DORA Supply Chain Provisions: What They Require

Both the NIS2 Directive (EU 2022/2555) and DORA (Regulation EU 2022/2554) place significant emphasis on supply chain risk management. The attacks described above directly illustrate the gaps these regulations seek to close.

NIS2: Supply Chain Security for Essential and Important Entities

NIS2 applies to entities across 18 sectors, including energy, transport, health, digital infrastructure, and ICT service management. Key supply chain requirements include:

• Risk management measures (Article 21): Entities must adopt measures to manage risks in their supply chains, including security-related aspects of the relationships between each entity and its direct suppliers or service providers.
• Incident reporting (Article 23): Entities must report significant incidents within 24 hours (early warning) and 72 hours (full notification). The TanStack and node-ipc attacks, if they affected a NIS2 entity, would trigger these reporting obligations.
• Management accountability: Company management can be held personally liable for non-compliance, with penalties up to EUR 10 million or 2% of global turnover.

DORA: Digital Operational Resilience for Financial Entities

DORA, which applies from 17 January 2025, imposes even stricter requirements on financial entities, including banks, insurers, and investment firms. Key provisions relevant to supply chain attacks include:

• ICT risk management framework (Articles 5-16): Financial entities must establish a comprehensive framework covering all ICT systems, including those provided by third parties.
• Third-party ICT risk management (Articles 28-44): Entities must assess and monitor risks from ICT third-party providers, especially those providing critical or important functions. The use of open-source dependencies would fall under this scope.
• Incident reporting (Articles 17-23): Major ICT-related incidents must be reported to competent authorities within strict timelines.
• Digital operational resilience testing (Articles 24-27): Entities must conduct regular testing, including threat-led penetration testing, to identify vulnerabilities in their supply chain.

Both NIS2 and DORA implicitly require organizations to understand and control their software supply chain — including open-source dependencies — which is precisely where the TanStack and node-ipc attacks struck.

Practical Steps for Supply Chain Security Compliance

To meet NIS2 and DORA requirements and defend against attacks like those on TanStack and node-ipc, organizations should implement the following measures:

1. Software Bill of Materials (SBOM)

An SBOM provides a machine-readable inventory of all software components, including open-source dependencies. Under DORA, financial entities must have visibility into their ICT supply chain. Creating and maintaining SBOMs for all applications helps identify vulnerable or malicious components quickly. Tools like CycloneDX or SPDX formats are industry standards.

2. Dependency Scanning and Continuous Monitoring

Automated dependency scanning tools can detect known vulnerabilities and malicious packages in real-time. However, as the node-ipc attack showed, zero-day malicious packages may evade signature-based scanners. Behavioral analysis and runtime monitoring are essential. AIGovHub's CCM module provides continuous compliance monitoring with AI-native rule engines that can detect anomalous behavior across ERP and development environments, flagging potential supply chain compromises.

3. Vendor Risk Assessments for Open Source

NIS2 and DORA require organizations to assess the security of their suppliers — and open-source projects are effectively suppliers. Conduct due diligence on critical open-source dependencies: evaluate maintainer activity, security practices, and incident response history. Use AIGovHub's SENTINEL module to monitor geopolitical and supply chain risks that could affect open-source projects, such as maintainer compromise or malicious forks.

4. Secure CI/CD Pipelines

The TanStack attack exploited weaknesses in GitHub Actions workflows. Implement strict access controls, use signed commits, require multi-factor authentication for package publishing, and regularly audit CI/CD configurations. Consider using Universal Trust Hub for post-quantum identity and verifiable credentials to secure automated release processes.

5. Incident Response Planning

Both NIS2 and DORA mandate incident reporting within tight deadlines. Ensure your incident response plan covers supply chain compromise scenarios, including dependency poisoning and credential theft. Practice tabletop exercises that simulate a malicious package being discovered in your environment.

Key Takeaways

• Supply chain attacks are escalating: The TanStack and node-ipc incidents demonstrate that attackers are increasingly targeting open-source dependencies and CI/CD pipelines to gain broad access.
• NIS2 and DORA demand proactive supply chain risk management: Both regulations require entities to assess, monitor, and report on third-party and open-source risks.
• SBOMs, dependency scanning, and vendor assessments are foundational: These practices provide the visibility needed to detect and respond to supply chain compromises.
• Continuous monitoring and intelligence are critical: Tools like AIGovHub's CCM (for continuous controls monitoring) and SENTINEL (for geopolitical and supply chain risk intelligence) can help organizations stay ahead of emerging threats.

Strengthen Your Supply Chain Security with AIGovHub

Navigating NIS2 and DORA supply chain requirements is complex, but you don't have to do it alone. AIGovHub's CCM module provides automated controls monitoring across your ICT environment, helping you detect and remediate compliance gaps in real-time. Our SENTINEL module delivers geopolitical and supply chain risk intelligence, alerting you to threats like maintainer compromises or targeted attacks on open-source projects. Together, they form a comprehensive solution for software supply chain security.

Explore how AIGovHub can help you achieve NIS2 and DORA compliance. Visit our platform for a demo or try our interactive compliance tools today.

This content is for informational purposes only and does not constitute legal advice.