CVE-2026-45321
published 2026-05-12


Priority P191 · critical · 9.6 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability · due 2026-06-10
Exploited in the wild
EPSS: 2.34% (81.5th percentile)
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Affected

511 ranges · showing 25
Vendor · Product · Version range · Fixed in
abhishake1supersurkhet_cli
abhishake1supersurkhet_cli
abhishake1supersurkhet_cli
abhishake1supersurkhet_cli
abhishake1supersurkhet_cli
abhishake1supersurkhet_cli
abhishake1supersurkhet_sdk
abhishake1supersurkhet_sdk
abhishake1supersurkhet_sdk
abhishake1supersurkhet_sdk
abhishake1supersurkhet_sdk
abhishake1supersurkhet_sdk
abhishake1taskflow-corp_cli
abhishake1taskflow-corp_cli
abhishake1taskflow-corp_cli
abhishake1taskflow-corp_cli
abhishake1taskflow-corp_cli
abhishake1taskflow-corp_cli
agentworkhqagentwork-cli
agentworkhqagentwork-cli
antoinebcxml-toolkit-ts
antoinebcxml-toolkit-ts
antoinebcxml-toolkit-ts_preprocessing
antoinebcxml-toolkit-ts_preprocessing
antoinebcxml-toolkit-ts_xgboost

Detection & IOCs (extracted from sources)

domain: filev2.getsession[.]org
domain: seed1[.]getsession[.]org
domain: api.masscan[.]cloud
domain: git-tanstack.com
url: https://git-tanstack.com/transformers.pyz
ip: 83.142.209[.]194
filename: router_init.js
path: /tmp/transformers.pyz
path: .vscode/tasks.json
path: ~/.claude/settings.json
other: IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner
other: Shai-Hulud: Here We Go Again
other: niagA oG eW ereH :duluH-iahS
command: rm -rf ~/
version: @opensearch-project/[email protected]
version: @opensearch-project/[email protected]
version: @opensearch-project/[email protected]
version: @opensearch-project/[email protected]
version: @squawk/[email protected]
version: @squawk/[email protected]
version: @squawk/[email protected]
version: @tallyui/[email protected]
version: @tallyui/[email protected]
version: @tallyui/[email protected]
version: @tallyui/[email protected]
version: @tallyui/[email protected]
version: @tallyui/[email protected]
version: @vapi-ai/server-sdk (>408,000 monthly downloads, Phantom Gyp wave)

  • Detect writes to ~/.claude/settings.json and .vscode/tasks.json at install time — these are the persistence hooks used by Mini Shai-Hulud to survive reboots and re-execute the stealer on every IDE launch.
  • Alert on npm token creation where the token description is 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner' — this is the dead-man's switch token planted by the malware.
  • Monitor for periodic polling of api.github.com/user every 60 seconds from non-interactive processes — this is the dead-man's switch heartbeat checking whether the planted npm token has been revoked.
  • Detect outbound connections to filev2.getsession[.]org and seed1[.]getsession[.]org from CI/CD runners or developer workstations — these are the primary Session Protocol exfiltration endpoints.
  • Detect outbound connections to api.masscan[.]cloud from GitHub Actions runners — the malware injects workflows that upload serialized repository secrets to this server.
  • Flag GitHub commits authored by '[email protected]' in repositories not associated with Anthropic/Claude — this is the attacker-controlled dead-drop author identity used to exfiltrate stolen credentials via the GitHub GraphQL API.
  • Search GitHub repositories for the string 'Shai-Hulud: Here We Go Again' or its reversed form 'niagA oG eW ereH :duluH-iahS' — these are campaign marker strings used in attacker-controlled dead-drop repositories.
  • Detect presence of router_init.js inside npm package tarballs for @tanstack/* packages — this obfuscated file is the primary malware payload dropped in the TanStack wave.
  • Monitor install-time execution triggered by binding.gyp files and node-gyp hooks, not just package.json scripts — the Phantom Gyp variant specifically moved to this vector to evade scripts-only monitors.
  • Alert on GitHub Actions workflows that use pull_request_target triggers combined with cache restore steps — this is the chained attack path (Pwn Request + cache poisoning + OIDC extraction) used to hijack the TanStack release pipeline.
  • Detect the gh-token-monitor service being installed on developer endpoints — this is a persistence mechanism planted by the malware to continuously re-exfiltrate GitHub tokens.
  • Flag OIDC trusted publisher configurations scoped at the repository level rather than to a specific protected branch and workflow file — this misconfiguration was directly exploited to mint valid npm publish tokens from attacker-controlled workflow runs.
  • Search for PBKDF2 salt strings in JavaScript/TypeScript packages as a framework artifact indicator for Mini Shai-Hulud / TeamPCP tooling.
  • Detect downloads of /tmp/transformers.pyz followed by execution with python3 — this is the guardrails-ai payload drop sequence triggered on import.
  • Valid SLSA Build Level 3 provenance attestations were present on malicious packages — signed provenance alone cannot be used as a trust signal because the build pipeline itself was subverted from within.
  • Attribution to TeamPCP for the Red Hat / Miasma and Phantom Gyp waves is not definitive — vendors explicitly warn a copycat using the public Mini Shai-Hulud toolkit cannot be excluded.
  • Do NOT revoke the planted npm token before isolating and imaging the infected system — token revocation triggers a destructive rm -rf ~/ wiper routine.
  • The Visual Studio Marketplace verified-publisher badge was present on the malicious Nx Console v18.95.0 build — publisher verification cannot be treated as an install-time safety signal.
  • Detection patterns based solely on package.json scripts field monitoring will miss the Phantom Gyp variant, which moved to binding.gyp / node-gyp hooks specifically to evade such monitors.
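
One way to implement the workflow check from the list above (pull_request_target combined with cache restore steps), as an added example that is not part of the original record or any vendor's rule. It is a line-based heuristic rather than a YAML parse; the finding labels, the extra PR-head-ref check and the two sample workflows are constructed for illustration.

```python
import re

# Heuristic line patterns; this example scans text and does not parse YAML.
TRIGGER = re.compile(r"\bpull_request_target\b")
CACHE_USE = re.compile(r"uses:\s*['\"]?actions/cache(?:/restore)?@")
CACHE_INPUT = re.compile(r"^\s*cache:\s*\S")  # e.g. `cache: npm` on a setup action
PR_HEAD = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)\b")


def audit_workflow(text):
    """Return [(finding, [line numbers])] for one workflow file's text."""
    hits = {"trigger": [], "cache": [], "pr_head": []}
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw)  # drop YAML comments
        if TRIGGER.search(line):
            hits["trigger"].append(n)
        if CACHE_USE.search(line) or CACHE_INPUT.search(line):
            hits["cache"].append(n)
        if PR_HEAD.search(line):
            hits["pr_head"].append(n)
    findings = []
    if hits["trigger"] and hits["cache"]:
        findings.append(("pull_request_target+cache", hits["cache"]))
    if hits["trigger"] and hits["pr_head"]:
        findings.append(("pull_request_target+pr-head-ref", hits["pr_head"]))
    return findings


# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request_target:
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache/restore@v4
        with:
          path: ~/.pnpm-store
          key: pnpm-${{ runner.os }}
"""
# Same file with the trigger changed; the old trigger survives only in a comment.
PR_ONLY = RISKY.replace("pull_request_target:", "pull_request:  # was pull_request_target")

if __name__ == "__main__":
    for name, wf in (("risky.yml", RISKY), ("pr_only.yml", PR_ONLY)):
        print(name, audit_workflow(wf))
```

Run it over every file under .github/workflows/ and treat a hit as a prompt for manual review; cache use hidden inside composite or third-party actions is not visible to a text scan.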

CVSS provenance

nvd · v3.1 · 9.6 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vulncheck · 9.6 · CRITICAL
cisa · 9.6 · CRITICAL