📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities in TanStack npm packages, resulting in a supply chain breach. The attack leveraged known security flaws, executed faster than defenses could respond, highlighting the risks of public research being weaponized.
On May 11, 2026, a supply chain attack on TanStack npm packages was executed by exploiting a chain of three publicly documented vulnerabilities, resulting in the publication of 84 malicious package versions within six minutes. This incident underscores how publicly available security research can be weaponized swiftly, outpacing defenders’ mitigation efforts.
The attack involved an attacker creating a malicious fork of TanStack/router on GitHub, then using a series of chained vulnerabilities—specifically, the pull_request_target “Pwn Request” pattern, cache poisoning across trust boundaries, and OIDC token extraction from runner memory—to exfiltrate credentials and publish malicious packages. Despite TanStack’s security measures, including 2FA and OIDC trusted publishing, the attacker successfully executed the chain without stealing npm tokens or compromising the publish workflow directly.
All three vulnerabilities had been publicly documented prior to the attack: the pull request pattern by GitHub Security Lab in 2021, cache poisoning by Adnan Khan in May 2024, and OIDC token extraction by StepSecurity in March 2025. Each was necessary for the attack, but none alone was sufficient; the chain depended on their combination to breach the trust boundaries within the CI/CD pipeline. The attacker created a fork, inserted malicious code, and triggered a pull request that exploited the trust in GitHub Actions workflows, ultimately gaining runtime access and exfiltrating credentials via an encrypted messaging network.
Three public vulnerabilities.
Chained.
The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.
84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.
Each bridges the trust boundary the others assumed.
PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.
pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem , extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.

Software Supply Chain Defense: Securing Build Environments, Toolchains, and CI/CD Infrastructure Against Advanced Threats
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
May 10 17:16 fork. May 11 19:50 detection.
From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.
PHASE
65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.PREP
pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.TRIGGER
65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.EXEC
Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.ACTIVE
b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review./proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.EXEC
@tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).BLAST
DETECTION
COMPLETE
npm package vulnerability scanner
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
160+ packages. One worm. Same threat actor.
The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.
May 2026 wave
weekly downloads
compromised May 12
fork → detection
registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.
Python Cybersecurity Automation Tips – Efficient security monitoring and penetration testing automation using scripts and tools – (Japanese Edition)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
IOCs · copy-pasteable for hunting queries.
The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.
bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.
Automating DevOps with GitLab CI/CD Pipelines: Build efficient CI/CD pipelines to verify, secure, and deploy your code using real-life examples
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Installed it? Rotate. Maintain packages? Audit.
Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.
- Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm
~/.npmrc, GitHub tokens, SSH private keys - Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
- Check outbound connections to
filev2.getsession.org·seed*.getsession.org - Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
- Audit
~/.claude/+.vscode/tasks.json· removerouter_runtime.js,setup.mjs git log --all --author=claude@users.noreply.github.com· revert if found- Run
npm token list· revoke unrecognized tokens
- Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
- Pin third-party action refs to commit SHAs ·
actions/checkout@8e5e7e5ab8...not@v6 - Separate cache scopes for trusted vs untrusted contexts · explicit
restore-keysandkeypatterns - Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
- Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
- Audit other repos for the same bundle-size.yml-style pattern
- Restrict
id-token: writeto only the publish step that needs it
- Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
- Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
- Audit lockfiles for
github:URLoptionalDependencies· unusual for production deps, exact pattern used here - CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
- Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
- Establish IR playbooks for OSS supply-chain compromise scenarios
Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.
Impact of Public Research on Supply Chain Security
This incident demonstrates that publicly available security research can be rapidly weaponized by attackers, leading to sophisticated supply chain compromises. It highlights the challenge for defenders to deploy mitigations faster than attackers can adapt, especially when multiple vulnerabilities are chained. The attack underscores the importance of re-evaluating trust boundaries and supply chain defenses in open-source ecosystems, as well as the need for faster response mechanisms to emerging threats.Broader Trends in 2026 Supply Chain Attacks
The TanStack incident is part of a broader wave of supply chain compromises in 2026, including over 160 packages affected in the Mini Shai-Hulud campaign, which also impacted companies like Mistral AI and UiPath. The attack leveraged well-known vulnerabilities that had been publicly documented over the previous 12 months, illustrating a persistent gap between security research publication and effective mitigation deployment. The same day as the TanStack breach, the Google Threat Intelligence Group disclosed a zero-day built by AI, further exemplifying the increasing sophistication and speed of offensive operations in the software supply chain.“The TanStack attack exemplifies how attacker tradecraft is now a direct composition of public research, executed faster than defenders can respond.”
— Thorsten Meyer, security researcher
Unclear Aspects of the Attack Chain and Future Risks
While the technical chain has been reconstructed based on available forensic data, some details about the attacker’s operational infrastructure and broader campaign scope remain unclear. It is not yet confirmed whether additional vulnerabilities or zero-days were involved beyond the publicly documented ones, or whether this attack is part of a larger coordinated effort using similar techniques.
Next Steps for Defenders and Open-Source Maintainers
Organizations should review their CI/CD pipelines, especially trust boundaries involving pull requests and package publishing workflows. Patching known vulnerabilities and implementing stricter code review processes are urgent priorities. The broader open-source ecosystem may also see increased scrutiny and development of mitigations for these chained vulnerabilities, alongside efforts to improve detection of malicious activity in supply chain processes.
Further research and collaboration are expected to focus on closing the gap between public research publication and rapid deployment of defenses, as well as developing tools to detect chained vulnerabilities before they can be exploited.
Key Questions
How did the attacker chain the vulnerabilities in the TanStack attack?
The attacker created a malicious fork, exploited the pull_request_target pattern, poisoned the cache across trust boundaries, and extracted OIDC tokens from the runner memory to exfiltrate credentials and publish malicious packages.
Were any tokens or credentials stolen during the attack?
No npm tokens were stolen; the attacker minted an OIDC token in memory and exfiltrated credentials via an encrypted messaging network, avoiding direct theft of stored secrets.
What makes this attack different from previous supply chain breaches?
This attack is notable for chaining multiple publicly documented vulnerabilities, demonstrating that the most impactful 2026 supply chain incidents are compositions of known flaws, rather than novel exploits.
Can organizations prevent similar attacks in the future?
Implementing stricter code review, patching known vulnerabilities, and improving detection of chained exploits are critical steps. Additionally, re-evaluating trust boundaries in CI/CD pipelines can reduce attack surfaces.
Source: ThorstenMeyerAI.com