📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.
TL;DR
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities in TanStack npm packages, leading to a large-scale supply chain compromise. The attack leveraged known flaws in GitHub Actions and npm workflows, highlighting the speed at which attacker tradecraft can evolve from research to operational use.
On May 11, 2026, attackers exploited a chain of three publicly documented vulnerabilities within TanStack’s npm package workflows, resulting in a widespread supply chain compromise. This incident underscores how publicly available research can be weaponized rapidly, outpacing defenders’ mitigation efforts and illustrating the evolving threat landscape for open-source ecosystems.
The attack was executed through a series of chained vulnerabilities in the TanStack/npm ecosystem, including the pull_request_target pattern, cache poisoning across trust boundaries, and extraction of OIDC tokens from GitHub Actions runners. The attacker created a malicious fork of TanStack/router on May 10, then inserted a payload via a commit on the same day, before triggering the malicious workflow on May 11. Despite robust security measures—such as 2FA and OIDC trusted publishing—the chain of vulnerabilities allowed the attacker to mint tokens and exfiltrate credentials without stealing npm tokens or compromising the publish workflow itself.
Research from GitHub Security Lab, Adnan Khan, and StepSecurity, published between March 2025 and May 2024, had already documented each of these vulnerabilities individually. The attack combined these known issues in a way that none alone would have enabled compromise, but together created an exploitable chain. The incident is part of a broader wave of supply chain attacks in May 2026, affecting over 160 packages across various vendors, including Mistral AI and UiPath.
Three public vulnerabilities.
Chained.
The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.
84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.
Each bridges the trust boundary the others assumed.
PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.
pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem , extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.

Network Vulnerability Assessment: Identify security loopholes in your network's infrastructure
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
May 10 17:16 fork. May 11 19:50 detection.
From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.
PHASE
65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.PREP
pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.TRIGGER
65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.EXEC
Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.ACTIVE
b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review./proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.EXEC
@tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).BLAST
DETECTION
COMPLETE
160+ packages. One worm. Same threat actor.
The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.
May 2026 wave
weekly downloads
compromised May 12
fork → detection
registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.IOCs · copy-pasteable for hunting queries.
The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.
bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.Installed it? Rotate. Maintain packages? Audit.
Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.
- Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm
~/.npmrc, GitHub tokens, SSH private keys - Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
- Check outbound connections to
filev2.getsession.org·seed*.getsession.org - Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
- Audit
~/.claude/+.vscode/tasks.json· removerouter_runtime.js,setup.mjs git log --all --author=claude@users.noreply.github.com· revert if found- Run
npm token list· revoke unrecognized tokens
- Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
- Pin third-party action refs to commit SHAs ·
actions/checkout@8e5e7e5ab8...not@v6 - Separate cache scopes for trusted vs untrusted contexts · explicit
restore-keysandkeypatterns - Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
- Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
- Audit other repos for the same bundle-size.yml-style pattern
- Restrict
id-token: writeto only the publish step that needs it
- Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
- Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
- Audit lockfiles for
github:URLoptionalDependencies· unusual for production deps, exact pattern used here - CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
- Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
- Establish IR playbooks for OSS supply-chain compromise scenarios
Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.
Implications of Chained Public Vulnerabilities in Supply Chains
This incident demonstrates that publicly documented vulnerabilities can be weaponized at scale within days, emphasizing the importance of rapid mitigation and the limits of current security practices. It highlights the need for the open-source ecosystem to reevaluate trust boundaries and implement more resilient controls. The attack also exemplifies how AI-augmented attacker tradecraft accelerates the exploitation cycle, making traditional detection and response methods insufficient against such rapid, layered threats.
Broader May 2026 Supply Chain Attack Wave and Known Vulnerabilities
The May 2026 incident is part of a larger campaign targeting open-source package ecosystems, with over 160 packages compromised in a matter of weeks. Prior research from GitHub Security Lab, Adnan Khan, and StepSecurity had already identified and published details on the vulnerabilities exploited: the pull_request_target pattern (2021), cache poisoning across trust boundaries (2024), and OIDC token extraction from runners (2025). These findings created a knowledge base that attackers quickly weaponized, illustrating the research-to-tradecraft compression problem where knowledge becomes operationalized faster than defenses can adapt.
The incident coincides with the disclosure of the first AI-built zero-day by Google Threat Intelligence Group, marking a convergence of AI-augmented offensive capabilities across different attack vectors. TanStack’s security-conscious team, despite employing best practices, was compromised because the attack exploited the structural trust boundaries bridged by these vulnerabilities.
“The TanStack incident exemplifies how publicly available research can be rapidly weaponized, creating a new paradigm in supply chain security risks.”
— Thorsten Meyer
Unresolved Aspects of the Chain Exploitation
While the chain of vulnerabilities has been reconstructed from forensic analysis, details remain incomplete regarding the attacker’s full operational infrastructure and whether additional undisclosed vulnerabilities contributed. It is not yet confirmed if other packages or workflows were targeted or if similar chains could be exploited elsewhere within the ecosystem. The extent of the attack’s persistence and post-compromise activities are still under investigation.
Next Steps for Mitigation and Ecosystem Resilience
Security researchers and organizations will focus on developing mitigations for the chain of vulnerabilities, including stricter controls around fork trust boundaries, enhanced monitoring of GitHub Actions workflows, and faster patch deployment. The incident is likely to prompt revisions in security guidelines for open-source maintainers and enterprise consumers. Additionally, further analysis is expected to identify whether other packages or ecosystems have been similarly compromised, and to develop tools for detecting chained vulnerabilities proactively.
Key Questions
How did attackers exploit the chain of vulnerabilities in TanStack?
The attacker created a malicious fork, inserted a payload via a crafted commit, and triggered a GitHub Actions workflow that exploited known vulnerabilities in PR trust boundaries, cache poisoning, and OIDC token extraction, allowing credential exfiltration without stealing npm tokens.
Are these vulnerabilities still present in other packages?
Many of these vulnerabilities are publicly documented and potentially present in other packages. Organizations should review their workflows and trust boundaries, especially in open-source ecosystems, to identify similar risks.
What can maintainers do to prevent similar attacks?
Implement stricter review processes for forks, restrict trust boundaries in CI/CD pipelines, monitor for suspicious activity, and apply timely patches for known vulnerabilities. Continuous security audits are essential.
Does this incident indicate a failure of existing security measures?
Yes, it demonstrates that even well-secured projects can be compromised through complex chains of known vulnerabilities, highlighting the need for layered defenses and rapid response to published research.
Source: ThorstenMeyerAI.com