CVE-2026-45321
Published: 2026-05-12
Priority: P1 · 91 · critical · CVSS 3.1: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Tags: KEV · ITW · Ransomware
CISA Known Exploited Vulnerability · due 2026-06-10
Exploited in the wild
EPSS: 2.34% (81.5th percentile)
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Affected
511 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_cli | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | supersurkhet_sdk | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| abhishake1 | taskflow-corp_cli | — | — |
| agentworkhq | agentwork-cli | — | — |
| agentworkhq | agentwork-cli | — | — |
| antoinebcx | ml-toolkit-ts | — | — |
| antoinebcx | ml-toolkit-ts | — | — |
| antoinebcx | ml-toolkit-ts_preprocessing | — | — |
| antoinebcx | ml-toolkit-ts_preprocessing | — | — |
| antoinebcx | ml-toolkit-ts_xgboost | — | — |
Detection & IOCs (extracted from sources)
- Detect writes to ~/.claude/settings.json and .vscode/tasks.json at install time — these are the persistence hooks used by Mini Shai-Hulud to survive reboots and re-execute the stealer on every IDE launch.
- Alert on npm token creation where the token description is 'IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner' — this is the dead-man's switch token planted by the malware.
- Monitor for periodic polling of api.github.com/user every 60 seconds from non-interactive processes — this is the dead-man's switch heartbeat checking whether the planted npm token has been revoked.
- Detect outbound connections to filev2.getsession[.]org and seed1[.]getsession[.]org from CI/CD runners or developer workstations — these are the primary Session Protocol exfiltration endpoints.
- Detect outbound connections to api.masscan[.]cloud from GitHub Actions runners — the malware injects workflows that upload serialized repository secrets to this server.
- Flag GitHub commits authored by '[email protected]' in repositories not associated with Anthropic/Claude — this is the attacker-controlled dead-drop author identity used to exfiltrate stolen credentials via the GitHub GraphQL API.
- Search GitHub repositories for the string 'Shai-Hulud: Here We Go Again' or its reversed form 'niagA oG eW ereH :duluH-iahS' — these are campaign marker strings used in attacker-controlled dead-drop repositories.
- Detect presence of router_init.js inside npm package tarballs for @tanstack/* packages — this obfuscated file is the primary malware payload dropped in the TanStack wave.
- Monitor install-time execution triggered by binding.gyp files and node-gyp hooks, not just package.json scripts — the Phantom Gyp variant specifically moved to this vector to evade scripts-only monitors.
- Alert on GitHub Actions workflows that use pull_request_target triggers combined with cache restore steps — this is the chained attack path (Pwn Request + cache poisoning + OIDC extraction) used to hijack the TanStack release pipeline.
- Detect the gh-token-monitor service being installed on developer endpoints — this is a persistence mechanism planted by the malware to continuously re-exfiltrate GitHub tokens.
- Flag OIDC trusted publisher configurations scoped at the repository level rather than to a specific protected branch and workflow file — this misconfiguration was directly exploited to mint valid npm publish tokens from attacker-controlled workflow runs.
- Search for PBKDF2 salt strings in JavaScript/TypeScript packages as a framework artifact indicator for Mini Shai-Hulud / TeamPCP tooling.
- Detect downloads of /tmp/transformers.pyz followed by execution with python3 — this is the guardrails-ai payload drop sequence triggered on import.
- Valid SLSA Build Level 3 provenance attestations were present on malicious packages — signed provenance alone cannot be used as a trust signal because the build pipeline itself was subverted from within.
- Attribution to TeamPCP for the Red Hat / Miasma and Phantom Gyp waves is not definitive — vendors explicitly warn a copycat using the public Mini Shai-Hulud toolkit cannot be excluded.
- Do NOT revoke the planted npm token before isolating and imaging the infected system — token revocation triggers a destructive rm -rf ~/ wiper routine.
- The Visual Studio Marketplace verified-publisher badge was present on the malicious Nx Console v18.95.0 build — publisher verification cannot be treated as an install-time safety signal.
- Detection patterns based solely on package.json scripts field monitoring will miss the Phantom Gyp variant, which moved to binding.gyp / node-gyp hooks specifically to evade such monitors.
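One way to implement the workflow check from the list above (pull_request_target combined with a cache restore step), as an added example that is not taken from any of the cited sources. It is a line-based heuristic rather than a full YAML parse, the two workflows are constructed samples, and `audit_workflow` is a hypothetical helper name.

```python
import re

# The three ways a workflow can declare the trigger under `on:`.
TRIGGER_PATTERNS = [
    re.compile(r"^\s*pull_request_target\s*:"),                      # mapping key
    re.compile(r"^\s*-\s*pull_request_target\s*$"),                  # block list item
    re.compile(r"^\s*['\"]?on['\"]?\s*:.*\bpull_request_target\b"),  # inline form
]
# actions/cache and actions/cache/restore both restore a cache into the job;
# actions/cache/save does not and is intentionally not matched.
CACHE_USE = re.compile(r"^\s*-?\s*uses:\s*['\"]?(actions/cache(?:/restore)?)@")

def audit_workflow(text):
    """Return trigger line numbers, cache-restore steps and a combined flag."""
    triggers, caches = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = re.sub(r"(^|\s)#.*$", "", raw)  # ignore YAML comments
        if any(p.search(line) for p in TRIGGER_PATTERNS):
            triggers.append(lineno)
        m = CACHE_USE.search(line)
        if m:
            caches.append((lineno, m.group(1)))
    # Only the combination is flagged; either element alone is common and benign.
    return {"triggers": triggers, "caches": caches,
            "flagged": bool(triggers and caches)}

# Constructed sample: fork-triggered job that restores a shared cache.
RISKY = """\
name: constructed-risky
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
"""

# Constructed sample: cache restore, but the trigger appears only in a
# comment and an `if:` expression, so it must not be flagged.
SAFE = """\
name: constructed-safe
on: [push, pull_request]
jobs:
  build:
    steps:
      # pull_request_target is deliberately not used here
      - uses: actions/cache/restore@v4
      - if: github.event_name == 'pull_request_target'
        run: echo skipped
"""

if __name__ == "__main__":
    for name, wf in (("risky", RISKY), ("safe", SAFE)):
        print(name, audit_workflow(wf))
```

Caching configured through other actions' inputs is outside what this heuristic sees, so a clean result does not prove a workflow is unaffected.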
CVSS provenance
nvd · v3.1 · 9.6 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vulncheck · 9.6 CRITICAL
cisa · 9.6 CRITICAL
GHSA
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
ghsa·2026-05-12
CVE-2026-45321 [CRITICAL] CWE-506 Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
## Summary
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 `@tanstack/*` packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for `TanStack/router`, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a `pull_request_target` "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity.
Each affected package received exactly two mali
VulnCheck
TanStack Unspecified Vulnerability
vulncheck·2026·CVSS 9.6
CVE-2026-45321 [CRITICAL] TanStack Unspecified Vulnerability
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Affected: TanStack TanStack
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://nefariousplan.com/posts/tanstack-cve-2026-45321-bundle-size-poisoned-release-restored; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-06-10
CISA
TanStack Unspecified Vulnerability
cisa·2026-05-27·CVSS 9.6
CVE-2026-45321 [CRITICAL] TanStack Unspecified Vulnerability
Vulnerability: TanStack Unspecified Vulnerability
Affected: TanStack TanStack
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx ; https://nvd.nist.gov/vuln/detail/CVE-2026-45321
Remediation D
No detection rules found.
No public exploits indexed.
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
blogs_sans_isc·2026-06-08
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-06-07, (Mon, Jun 8th)
TeamPCP Supply Chain Campaign: Activity Through 2026-06-07
Published: 2026-06-08. Last Updated: 2026-06-08 17:07:37 UTC
by Kenneth Hartman (Version: 1)
This diary continues the Internet Storm Center's tracking of the TeamPCP supply chain campaign, first documented in the SANS white paper When the Security Scanner Became the Weapon and most recently in the handler diary Activity Through 2026-05-24. Since that update, the story moved into two new places: the United States government, which formally caught up to the campaign, and the wider population of attackers now wielding the Mini Shai-Hulud framework that TeamPCP open-sourced last month.
Bottom line up front
Two developments stand out since the last update. First, the federal response that prior coverage flagged as cons
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)
blogs_sans_isc·2026-05-25
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-05-24, (Mon, May 25th)
TeamPCP Supply Chain Campaign: Activity Through 2026-05-24
Published: 2026-05-25. Last Updated: 2026-05-25 13:25:47 UTC
by Kenneth Hartman (Version: 1)
TeamPCP now operates across three package ecosystems in parallel, it reached GitHub's own internal codebase, it trojanized an officially Microsoft-published Python SDK, and it appears to have open-sourced its own framework on GitHub.
Bottom line up front
Three escalations stacked inside a single week. First, GitHub's CISO Alexis Wales publicly named a malicious Nx Console VS Code extension build (v18.95.0, publisher nrwl.angular-console, verified-publisher badge, roughly 2.2 million installs) as the root of an intrusion that exfiltrated approximately 3,800 GitHub-internal repositories; OpenAI, Grafana Labs, and Mistral AI
Tenable
Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign
blogs_tenable·2026-05-21
CVE-2026-45321 Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign
## Mini Shai-Hulud: Frequently asked questions about the TeamPCP npm and PyPI supply chain campaign
A self-propagating worm has compromised more than 170 npm and PyPI packages, defeating provenance attestation and breaching OpenAI and Mistral AI. Here is what you need to know.
## Key takeaways
Sans Isc
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
blogs_sans_isc·2026-05-18
CVE-2026-45321 TeamPCP Supply Chain Campaign: Activity Through 2026-05-17, (Mon, May 18th)
TeamPCP Supply Chain Campaign: Activity Through 2026-05-17
Published: 2026-05-18. Last Updated: 2026-05-18 20:08:00 UTC
by Kenneth Hartman (Version: 1)
Since the last update, the TeamPCP supply chain campaign produced its loudest stretch since the March Trivy disclosure: an officially confirmed Checkmarx Jenkins plugin compromise and a new self-spreading Mini Shai-Hulud worm across npm and PyPI.
Bottom line up front
Two TeamPCP events broke within 48 hours of each other and doubled attention on the campaign. Checkmarx confirmed its Jenkins AST plugin was trojanized, its third compromise in three months, validating an earlier single-researcher claim. In parallel, a new Mini Shai-Hulud worm poisoned roughly 170 npm and PyPI packages (42 @tanstack packages in about six minut
Hackernews
Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
blogs_hackernews·2026-05-12
CVE-2026-45321 Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
## Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages
TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign.
The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution environment and launch a comprehensive credential stealer capable of targeting cloud providers, cryptocurrency wallets, AI tools, messaging apps, and CI syst
- https://github.com/TanStack/router/issues/7383
- https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321

Published: 2026-05-12
Added to CISA KEV: 2026-05-27
Exploited in the wild