📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
In May 2026, attackers exploited a chain of three publicly known vulnerabilities to compromise TanStack npm packages within minutes. This incident exemplifies how public research can be weaponized faster than defenses can adapt.
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities to compromise TanStack npm packages within a six-minute window, without theft of npm tokens or direct repository breach. This attack demonstrates how publicly available research can be rapidly weaponized, outpacing defenders’ mitigation efforts, and underscores the evolving threat landscape driven by AI-augmented attack tradecraft.
The attack involved chaining three known vulnerabilities: the pull_request_target “Pwn Request” pattern, cache poisoning across trust boundaries, and OIDC token extraction from GitHub Actions runners. Each vulnerability was independently documented in public security research before the incident, with the earliest findings from March 2025.
On May 10, 2026, the attacker created a malicious fork of TanStack/router, using operational tradecraft such as renaming to evade detection. The attacker then injected a malicious commit containing a large JavaScript payload, which was later fetched during the release workflow.
On May 11, 2026, the attacker triggered a pull request and leveraged GitHub Actions workflows configured with pull_request_target, enabling code crossing trust boundaries. The attacker minted an in-memory OIDC token and exfiltrated credentials via the Session Protocol, a secure messaging network, without compromising the npm registry or stealing tokens. The attack was executed within six minutes from fork creation to package publication.
Three public vulnerabilities.
Chained.
The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.
84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.
Each bridges the trust boundary the others assumed.
PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.
pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem , extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.

Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
May 10 17:16 fork. May 11 19:50 detection.
From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.
PHASE
65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.PREP
pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.TRIGGER
65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.EXEC
Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.ACTIVE
b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review./proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.EXEC
@tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).BLAST
DETECTION
COMPLETE

Accelerate DevOps with GitHub: Enhance software delivery performance with GitHub Issues, Projects, Actions, and Advanced Security
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
160+ packages. One worm. Same threat actor.
The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.
May 2026 wave
weekly downloads
compromised May 12
fork → detection
registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.npm package security audit
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
IOCs · copy-pasteable for hunting queries.
The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.
bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Installed it? Rotate. Maintain packages? Audit.
Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.
- Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm
~/.npmrc, GitHub tokens, SSH private keys - Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
- Check outbound connections to
filev2.getsession.org·seed*.getsession.org - Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
- Audit
~/.claude/+.vscode/tasks.json· removerouter_runtime.js,setup.mjs git log --all --author=claude@users.noreply.github.com· revert if found- Run
npm token list· revoke unrecognized tokens
- Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
- Pin third-party action refs to commit SHAs ·
actions/checkout@8e5e7e5ab8...not@v6 - Separate cache scopes for trusted vs untrusted contexts · explicit
restore-keysandkeypatterns - Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
- Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
- Audit other repos for the same bundle-size.yml-style pattern
- Restrict
id-token: writeto only the publish step that needs it
- Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
- Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
- Audit lockfiles for
github:URLoptionalDependencies· unusual for production deps, exact pattern used here - CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
- Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
- Establish IR playbooks for OSS supply-chain compromise scenarios
Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.
Implications of Chain-Linked Public Vulnerabilities in Supply Chain Attacks
This incident highlights how publicly documented vulnerabilities, when chained together, can be weaponized rapidly against open-source projects. It underscores the challenge for defenders to keep pace with the speed at which attacker tradecraft evolves, especially when leveraging AI to combine known weaknesses into effective exploits. The attack exemplifies a broader trend in 2026 where the most impactful supply chain incidents are less about new vulnerabilities and more about the composition of existing research, executed faster than mitigation measures can deploy.
Public Research as a Foundation for Rapid Exploits in 2026
The May 2026 TanStack attack is part of a wave of supply chain compromises that rely on chaining publicly available security research. The three vulnerabilities involved had been individually documented: the pull_request_target pattern in GitHub Actions (by GitHub Security Lab, 2019), cache poisoning across trust boundaries (by Adnan Khan, 2024), and OIDC token extraction from runners (by StepSecurity, 2025). The attack demonstrates how attackers combine these known issues into a single, effective chain, exploiting the ecosystem’s slow mitigation deployment.
This incident is also aligned with the broader Mini Shai-Hulud campaign, which compromised over 160 packages, including TanStack, Mistral AI, UiPath, and Squawk. The same day as the Google Threat Intelligence Group disclosed an AI-built zero-day, the attack exemplifies the convergence of AI-augmented offensive capabilities with known research, accelerating the pace of supply chain breaches.
“The TanStack incident exemplifies how public research is rapidly weaponized, outpacing defensive responses and transforming known vulnerabilities into sophisticated attack chains.”
— Thorsten Meyer
Uncertainties About Full Extent and Future Mitigations
It remains unclear whether additional vulnerabilities or attack vectors were involved beyond those publicly documented. The full scope of compromised packages and the impact on affected projects is still being assessed. Additionally, the speed at which defenders can deploy mitigations against such chained exploits remains uncertain, raising questions about the ecosystem’s resilience to future AI-augmented attacks.
Next Steps for Detection, Mitigation, and Defense Strategies
Security teams are expected to analyze the attack chain in detail and develop targeted mitigations for each vulnerability. Increased emphasis on rapid detection of chained vulnerabilities, improved code review practices, and automated defenses against trust boundary crossing are likely to be prioritized. The incident also underscores the need for proactive measures in open-source ecosystems to identify and patch known vulnerabilities before they can be weaponized in such combinations.
Key Questions
How did the attacker chain these vulnerabilities so quickly?
The attacker exploited publicly documented vulnerabilities that, when combined, allowed crossing trust boundaries within the CI/CD pipeline. The attacker created a malicious fork, injected payloads, and triggered workflows that leveraged known weaknesses, executing the chain within minutes.
Were any npm tokens stolen during the attack?
No, the attack did not involve theft of npm tokens. The attacker minted an OIDC token in memory and exfiltrated credentials via the Session Protocol, without compromising registry credentials.
What makes this attack different from previous supply chain breaches?
This attack demonstrates how publicly available research can be rapidly combined and weaponized, with no novel tradecraft involved. It exemplifies the speed at which AI-augmented attackers can execute complex chains of known vulnerabilities.
What are the operational lessons for open-source maintainers?
Maintainers should enhance detection of suspicious fork activity, review trust boundary configurations, and implement faster mitigation strategies for known vulnerabilities to prevent chaining attacks.
Source: ThorstenMeyerAI.com