📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities in TanStack npm packages, resulting in the publication of malicious package versions. The attack highlights how public research can be weaponized faster than defenses can respond.
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities to publish 84 malicious versions of TanStack npm packages within six minutes, despite the maintainers’ security measures. This incident underscores how publicly available research can be weaponized rapidly, outpacing defensive responses and illustrating the evolving threat landscape in software supply chains.
The attack targeted TanStack, a popular npm package ecosystem, by leveraging a chain of three vulnerabilities that had been publicly documented in prior research. The attacker created a malicious fork of the TanStack/router repository, used forged identities to commit malicious code, and exploited GitHub Actions workflows’ trust boundaries to exfiltrate credentials and publish malicious package versions.
Specifically, the attacker created a fork on May 10, 2026, with deliberate obfuscation, and committed a payload designed to exploit the pull_request_target pattern, a known security risk documented by GitHub Security Lab. The attacker then opened a pull request on May 11, triggering workflows that allowed malicious code to execute within the trusted build environment. Using an in-memory OIDC token, the attacker exfiltrated credentials via the Session Protocol, a secure messenger network, without needing to compromise the npm registry tokens or the publish workflow itself.
Public research had previously identified each of these vulnerabilities: the pull_request_target pattern (documented by GitHub Security Lab), cache poisoning across trust boundaries (by Adnan Khan in May 2024), and OIDC token extraction from GitHub Actions runners (by StepSecurity in March 2025). Each was necessary for the attack, but none alone was sufficient, illustrating how the chain of vulnerabilities created a new attack surface.
Three public vulnerabilities.
Chained.
The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.
84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.
Each bridges the trust boundary the others assumed.
PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.
pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem , extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.
npm package security scanner
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
May 10 17:16 fork. May 11 19:50 detection.
From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.
PHASE
65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.PREP
pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.TRIGGER
65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.EXEC
Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.ACTIVE
b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review./proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.EXEC
@tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).BLAST
DETECTION
COMPLETE

IoT Supply Chain Security Risk Analysis and Mitigation: Modeling, Computations, and Software Tools (SpringerBriefs in Computer Science)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
160+ packages. One worm. Same threat actor.
The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.
May 2026 wave
weekly downloads
compromised May 12
fork → detection
registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.
DevOps with GitHub Actions: A Practical Guide to Building Secure, Scalable, and Production-Ready CI/CD Automation Pipelines
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
IOCs · copy-pasteable for hunting queries.
The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.
bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.OIDC token exfiltration detection tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Installed it? Rotate. Maintain packages? Audit.
Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.
- Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm
~/.npmrc, GitHub tokens, SSH private keys - Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
- Check outbound connections to
filev2.getsession.org·seed*.getsession.org - Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
- Audit
~/.claude/+.vscode/tasks.json· removerouter_runtime.js,setup.mjs git log --all --author=claude@users.noreply.github.com· revert if found- Run
npm token list· revoke unrecognized tokens
- Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
- Pin third-party action refs to commit SHAs ·
actions/checkout@8e5e7e5ab8...not@v6 - Separate cache scopes for trusted vs untrusted contexts · explicit
restore-keysandkeypatterns - Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
- Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
- Audit other repos for the same bundle-size.yml-style pattern
- Restrict
id-token: writeto only the publish step that needs it
- Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
- Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
- Audit lockfiles for
github:URLoptionalDependencies· unusual for production deps, exact pattern used here - CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
- Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
- Establish IR playbooks for OSS supply-chain compromise scenarios
Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.
Impact of Public Research on Supply-Chain Security
This incident demonstrates how publicly available security research can be rapidly weaponized by attackers, creating sophisticated exploits that outpace defenders’ ability to deploy mitigations. The attack on TanStack packages exemplifies a broader trend in 2026 where the most damaging supply-chain breaches are composed of known vulnerabilities combined in novel ways, emphasizing the need for proactive and layered security measures in open-source ecosystems.
For open-source maintainers and enterprise users, this underscores the importance of understanding the entire attack surface, including trust boundaries and supply-chain workflows. The incident also highlights the speed at which attacker tradecraft can evolve, leveraging existing research to execute high-impact attacks within minutes.
The 2026 Supply-Chain Attack Wave and Public Research Exploits
The May 2026 TanStack incident is part of a broader wave of supply-chain attacks that have targeted npm and other open-source ecosystems, with over 160 packages compromised in the ongoing Mini Shai-Hulud campaign. This campaign has seen attackers weaponize publicly documented vulnerabilities, such as GitHub Actions trust boundary flaws and OIDC token extraction methods, to execute high-impact breaches.
Prior to the TanStack attack, security researchers had publicly documented each of the three vulnerabilities involved. The pull_request_target pattern was identified as risky by GitHub Security Lab in 2021, cache poisoning was detailed by Adnan Khan in May 2024, and OIDC token exfiltration was described by StepSecurity in March 2025. The attack exemplifies how these known issues can be combined into a potent chain, illustrating the challenge of keeping defenses ahead of attacker tradecraft.
“The TanStack attack exemplifies how public research, if weaponized, can outpace defensive measures, especially when vulnerabilities are chained together.”
— Thorsten Meyer, security researcher
Unresolved Aspects of the TanStack Chain Exploit
While the technical chain has been reconstructed from forensic analysis, it remains unclear how widespread the exploitation was beyond the TanStack case, and whether additional packages or ecosystems have been similarly targeted using this chain of vulnerabilities. The full scope of attacker access and potential subsequent compromises are still under investigation.
Additionally, the effectiveness of current mitigations against such chained exploits and how quickly organizations can adapt remains uncertain, raising questions about the resilience of supply-chain defenses against rapid, research-based attacks.
Future Defense Strategies Against Chained Supply-Chain Attacks
Security teams and open-source maintainers are expected to prioritize the development and deployment of layered mitigations, including stricter review of pull requests, enhanced detection of trust boundary breaches, and improved runtime protections for CI/CD workflows. Ongoing research and collaboration between industry and academia will be essential to close gaps exposed by this incident.
Furthermore, organizations will likely increase efforts to monitor for known vulnerability chains and adopt proactive security measures to prevent similar exploits in the future. The incident underscores the importance of rapid response and the integration of security insights from public research into operational defenses.
Key Questions
How did the attacker exploit the vulnerabilities without stealing npm tokens?
The attacker created an in-memory OIDC token and exfiltrated credentials via the Session Protocol, avoiding the need to steal npm tokens or compromise the publish workflow directly.
Are all npm packages vulnerable to this type of attack?
Not all packages are vulnerable, but any that rely on trust boundaries within CI/CD workflows and use GitHub Actions are at risk if they do not implement strict security controls against known patterns like pull_request_target and trust boundary violations.
What measures can maintainers take to prevent similar attacks?
Maintainers should review and restrict the use of pull_request_target workflows, implement strict code review policies, enable runtime protections, and monitor for suspicious activity related to trust boundary crossings.
Is this attack specific to TanStack or relevant to other ecosystems?
The attack chain leverages publicly documented vulnerabilities applicable across many projects using GitHub Actions and similar CI/CD pipelines, making it a broader concern beyond TanStack.
Source: ThorstenMeyerAI.com