📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
On May 11, 2026, attackers chained three publicly documented vulnerabilities to compromise TanStack npm packages within six minutes. This incident exemplifies how known security flaws can be weaponized swiftly, outpacing defenses.
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities to compromise the TanStack npm packages within six minutes, leveraging AI-augmented tradecraft and trusted CI/CD workflows. This incident underscores how known security flaws can be combined to execute sophisticated supply chain attacks faster than defenders can deploy mitigations, making it a critical event for software security.
The attack involved the creation of a malicious fork of TanStack/router by a threat actor using a compromised GitHub account. The attacker inserted malicious code via a crafted commit on May 10, which was later used to trigger the breach. On May 11, a pull request was opened against the main repository, activating GitHub Actions workflows configured to run on pull request events. The attacker exploited three vulnerabilities: the pull_request_target “Pwn Request” pattern, cache poisoning across fork and base trust boundaries, and extraction of OIDC tokens from GitHub Actions runner memory. These vulnerabilities, each documented in public research prior to the attack, were chained to bypass multiple security controls. The attacker minted an in-memory OIDC token and exfiltrated credentials via an encrypted messaging network, with no command-and-control infrastructure involved. The attack resulted in 84 malicious package versions published across 42 npm packages within six minutes, affecting the supply chain of the popular open-source library.
Three public vulnerabilities.
Chained.
The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.
84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.
Each bridges the trust boundary the others assumed.
PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.
pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem , extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.
software supply chain security tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
May 10 17:16 fork. May 11 19:50 detection.
From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.
PHASE
65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.PREP
pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.TRIGGER
65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.EXEC
Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.ACTIVE
b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review./proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.EXEC
@tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).BLAST
DETECTION
COMPLETE
GitHub security monitoring software
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
160+ packages. One worm. Same threat actor.
The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.
May 2026 wave
weekly downloads
compromised May 12
fork → detection
registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.npm package vulnerability scanner
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
IOCs · copy-pasteable for hunting queries.
The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.
bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.code integrity verification tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Installed it? Rotate. Maintain packages? Audit.
Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.
- Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm
~/.npmrc, GitHub tokens, SSH private keys - Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
- Check outbound connections to
filev2.getsession.org·seed*.getsession.org - Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
- Audit
~/.claude/+.vscode/tasks.json· removerouter_runtime.js,setup.mjs git log --all --author=claude@users.noreply.github.com· revert if found- Run
npm token list· revoke unrecognized tokens
- Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
- Pin third-party action refs to commit SHAs ·
actions/checkout@8e5e7e5ab8...not@v6 - Separate cache scopes for trusted vs untrusted contexts · explicit
restore-keysandkeypatterns - Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
- Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
- Audit other repos for the same bundle-size.yml-style pattern
- Restrict
id-token: writeto only the publish step that needs it
- Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
- Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
- Audit lockfiles for
github:URLoptionalDependencies· unusual for production deps, exact pattern used here - CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
- Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
- Establish IR playbooks for OSS supply-chain compromise scenarios
Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.
Implications of Publicly Documented Vulnerabilities in Supply Chain Attacks
This incident demonstrates that publicly known vulnerabilities, when chained together, can enable highly effective, rapid supply chain compromises. It highlights the challenge for defenders: published research often becomes attacker tradecraft almost immediately, outpacing mitigation deployment. The attack on TanStack underscores the importance of addressing complex vulnerability chains and improving detection of suspicious CI/CD activity, especially in trusted workflows. It also signals that the most impactful supply chain incidents in 2026 are less about novel exploits and more about the sophisticated combination of existing research.
Pre-Existing Research and the 2026 Supply Chain Wave
Over the past year, multiple public research findings have detailed vulnerabilities in GitHub Actions and CI/CD trust boundaries. In March 2025, StepSecurity documented the extraction of OIDC tokens from GitHub Actions runner memory. In May 2024, Adnan Khan described cache poisoning across fork-base trust boundaries. These findings laid the groundwork for the May 11 attack, which combined these known issues into a chain that exploited the trust relationships within the CI/CD pipeline. The incident is part of a broader wave of supply chain compromises affecting over 160 packages, including high-profile entities like Mistral AI and UiPath, within the ongoing Mini Shai-Hulud campaign.
“The TanStack incident exemplifies how publicly documented vulnerabilities, when chained, can be weaponized faster than defenders can deploy mitigations, marking a new era of supply chain attack sophistication.”
— Thorsten Meyer
Remaining Questions About the Attack Chain and Mitigations
It is still unclear how quickly defenders can deploy effective mitigations against chained vulnerabilities like these. Details about the full scope of affected packages and whether other similar chains exist are still emerging. Additionally, the extent to which other open-source projects are vulnerable to similar chaining techniques remains unconfirmed, and the effectiveness of existing detection tools against such sophisticated attacks is under review.
Next Steps for Defense and Detection Strategies
Security teams will focus on improving detection of chained vulnerability exploits within CI/CD pipelines, especially in trusted workflows. Developers are urged to review and tighten access controls, monitor for suspicious pull requests, and implement better segregation of trust boundaries. Industry-wide, there will be an increased emphasis on analyzing publicly documented vulnerabilities for potential chaining, and on deploying rapid response protocols for supply chain incidents. Ongoing forensic analysis aims to identify if other packages have been similarly compromised or if new attack vectors are emerging.
Key Questions
How did attackers manage to exploit known vulnerabilities so quickly?
The attacker chained three publicly documented vulnerabilities—PR fork code crossing trust boundaries, cache poisoning, and OIDC token extraction—creating a seamless exploit pathway that was executed in minutes, outpacing typical mitigation efforts.
Are other npm packages at risk from similar chained attacks?
While this specific chain was tailored to TanStack, the underlying vulnerabilities are present in other projects. Security teams are advised to review their CI/CD configurations and monitor for suspicious activity.
What can open-source maintainers do to prevent such attacks?
Maintainers should implement stricter access controls, monitor pull requests from forks more vigilantly, and consider disabling or restricting pull_request_target workflows unless absolutely necessary.
Does this incident mean that public research is dangerous?
Public research is essential for security, but this incident illustrates that once vulnerabilities are known, they can be weaponized rapidly. The focus should be on timely mitigation and comprehensive security practices.
Source: ThorstenMeyerAI.com
