CVE-2026-45321

What is TanStack?

TanStack is an open-source collection of TypeScript/JavaScript libraries for building modern web applications, widely used in enterprise React, Vue, and Solid ecosystems. The Router and Start packages (part of TanStack's routing monorepo) are used by millions of developers worldwide through packages such as @tanstack/react-router, @tanstack/vue-router, and @tanstack/react-start. The libraries are maintained by Tanner Linsley and a network of open-source contributors.

Overview

CVE-2026-45321 is a supply-chain compromise in which attackers published 84 malicious versions of 42 TanStack npm packages on May 11, 2026, using a three-step attack chain that exploited GitHub Actions' pull_request_target workflow trust model to extract an OIDC token from CI runner process memory and publish directly to npm without human interaction. The malicious packages contained a credential-stealing worm that self-propagated to 170+ other npm and PyPI packages — the first documented case of a malicious npm package carrying valid SLSA Sigstore provenance. CISA added the CVE to the KEV catalog on May 27, 2026.

The threat actor group TeamPCP (aliases: DeadCatx3, PCPcat, ShellForce, CipherForce) executed the campaign, internally named "Mini Shai-Hulud", as part of a series of supply-chain attacks beginning March 2026.

Affected Versions

Not affected: Query, Table, Form, Virtual, and Store TanStack libraries (separate monorepos).

All 84 malicious versions were deprecated within 59 minutes of publication; npm removed the tarballs server-side by 23:55 UTC on May 11.

Technical Details

The attack chained three techniques to achieve unauthenticated npm publish without any compromised human credentials:

1. Pwn Request (pull_request_target abuse) The bundle-size.yml GitHub Actions workflow used the pull_request_target trigger, which allows fork-submitted code to execute in the base repository's privileged context without maintainer approval. An attacker-controlled fork submitted a pull request containing a malicious pnpm lock file.

2. GitHub Actions Cache Poisoning The workflow's post-job step persisted the pnpm module cache without integrity validation. The malicious fork commit wrote a ~2.3 MB obfuscated payload into the cache, crossing the fork/base trust boundary and persisting into subsequent workflow runs on the main repository.

3. OIDC Token Memory Extraction When the legitimate release workflow ran and restored the poisoned cache, attacker-controlled binaries executed within the runner's process context. They extracted a live GitHub Actions Runner OIDC token from process memory via /proc/<pid>/mem. This token was used directly to publish 84 package versions to npm without any human interaction or compromised npm credentials.

Self-propagating worm behavior After credential exfiltration, the malware queried npm's registry to enumerate other packages maintained by the same organization and republished them with identical injections, spreading to @mistralai/mistralai, @uipath/*, @opensearch-project/opensearch, guardrails-ai (PyPI), and 100+ additional packages across npm and PyPI (518M+ cumulative downloads affected). All malicious versions carried valid Sigstore signatures — the first documented case of SLSA-provenance-bearing malware.

Exfiltration used end-to-end encrypted Session/Oxen messenger. IOC domains: filev2.getsession.org, seed1-3.getsession.org. Attacker GitHub accounts: zblgg (id 127806521), voicproducoes (id 269549300).

Discovery

Security researcher ashishkurmi publicly disclosed IOCs via GitHub issue #7383 within 26 minutes of the malicious publishes. StepSecurity provided attribution analysis linking the campaign to TeamPCP, which had previously executed similar attacks against Aqua Security Trivy (March 2026) and the Bitwarden CLI npm package (April 2026).

Exploitation Context

Actively exploited. Credentials harvested from TanStack's CI environment were immediately weaponized: stolen developer GitHub tokens were used within seven days to compromise Nx Console (CVE-2026-48027), breach approximately 3,800 GitHub internal repositories, and compromise developer machines at OpenAI, Grafana Labs, and Mistral AI. The worm simultaneously hit 170+ packages across npm and PyPI.

Remediation

1. Audit installed packages — check npm ls @tanstack/react-router (and related packages) for versions 1.169.5 or 1.169.8; update to the latest clean release.
2. Rotate all secrets accessible from CI/CD environments that ran TanStack packages between May 11–12, 2026.
3. Audit GitHub Actions workflows — remove pull_request_target from any workflow that checks out or runs code from untrusted forks. Add an explicit guard: if: github.event.pull_request.head.repo.full_name == github.repository.
4. Disable GitHub Actions cache restore from forks — add save-always: false to cache steps in pull_request_target workflows and validate cache keys cryptographically.
5. Block IOC domains at the network perimeter: filev2.getsession.org, seed1-3.getsession.org, and related Session/Oxen infrastructure.
6. For federal agencies: apply mitigations per vendor instructions before June 10, 2026.