📊 Full opportunity report: Three Public Vulnerabilities. Chained. on ThorstenMeyerAI.com — validation score, market gap, and execution plan.

On May 11, 2026, attackers exploited a chain of three publicly documented security vulnerabilities to compromise the TanStack npm packages within a six-minute window. The attack involved creating a malicious fork, injecting payloads via pull requests, and exfiltrating credentials through a trusted GitHub Actions workflow, despite the maintainers’ security measures. This incident underscores the speed at which publicly known vulnerabilities can be weaponized in supply-chain attacks.

The attack was carried out on May 11, 2026, by a malicious actor who created a fork of TanStack/router and inserted a malicious commit. Using a forged author identity, the attacker then opened a pull request that triggered the package release workflow. The attacker leveraged three known vulnerabilities: the pull_request_target “Pwn Request” pattern, cache poisoning across fork-base trust boundaries, and OIDC token extraction from GitHub Actions runners. Each vulnerability had been publicly documented before the attack, with the chain enabling the attacker to exfiltrate credentials without stealing npm tokens or compromising the publish process directly.

Despite the TanStack team employing two-factor authentication and OIDC trusted publishing, the chain of vulnerabilities allowed the attacker to bypass these defenses by exploiting the trust boundaries between forked code, cached workflows, and runtime environments. The attack was detected 28 hours after initial compromise, with the malicious versions published across 42 npm packages.

DISPATCH / MAY 2026 SECURITY · TANSTACK FORENSICS · 3 PUBLIC VULNS · PART 7

▲ Part 7 · Security TanStack Forensics · May 2026

Software Security · Part 7 · The TanStack Forensic Case Study

Three public vulnerabilities.
Chained.

The TanStack npm compromise of May 11, 2026 — published research recombined into working tradecraft, weaponized faster than defenders deploy mitigations.

84 malicious versions across 42 packages. Six-minute publish window. No npm tokens stolen. OIDC minted in memory and exfiltrated via Session Protocol. Three vulnerabilities chained — each documented in public research 12-24 months before the attack. Same date as the GTIG zero-day disclosure. The composition is the attack surface.

Thorsten Meyer / ThorstenMeyerAI.com / May 2026 · Part 7

▲ The research-to-tradecraft compression problem

Three pieces of public research. 12 months between the latest and the attack. Zero novel attacker tradecraft. The defender’s deployment of mitigations runs slower than the attacker’s composition of published research. The TanStack incident is the canonical 2026 empirical example.

— software security · the TanStack forensic case study · part 7 · may 2026

84/42

Malicious versions · 42 packages compromised

Two versions per package · 6-minute publish window · @tanstack/react-router 12M weekly downloads

12mo

Latest published research to attack composition

Adnan Khan cache poisoning May 2024 · tj-actions OIDC extraction March 2025

20min

Publish to external detection · Socket flagged in 6 min

Ashish Kurmi · StepSecurity · GitHub issue #7383 · IOC pattern published immediately

160+

Packages in broader Mini Shai-Hulud campaign · May 2026

TanStack · UiPath · Squawk · Mistral AI · DraftLab · Intercom-client · TeamPCP

● MAY 11 2026 19:20:39 UTC · FIRST PUBLISH WAVE · 19:26:14 SECOND PUBLISH WAVE · 6 MINUTES BETWEEN ● THREE VULNS PULL_REQUEST_TARGET PWN REQUEST · CACHE POISONING ACROSS TRUST BOUNDARY · OIDC MEMORY EXTRACTION ● SAME DATE AS GTIG ZERO-DAY DISCLOSURE · TWO AI-AUGMENTED OFFENSIVE EVENTS ON MAY 11 · REMARKABLE CONFLUENCE ● MINI SHAI-HULUD 160+ PACKAGES · TANSTACK · UIPATH · SQUAWK · MISTRAL AI · INTERCOM-CLIENT 361K WEEKLY · SELF-PROPAGATING WORM ● SLSA L3 FIRST DOCUMENTED VALID-ATTESTATION NPM WORM · NPM AUDIT SIGNATURES PASSES FOR MALICIOUS PACKAGES ● DEFENDER ACTIONS ROTATE EVERYTHING · AUDIT PULL_REQUEST_TARGET · PIN SHAS · MOVE OFF OIDC TO SHORT-LIVED TOKENS ● MAY 11 2026 19:20 UTC · 84 VERSIONS / 42 PACKAGES · OIDC IN-MEMORY MINT · SESSION PROTOCOL EXFIL

The structural argument · three known vulnerabilities, none sufficient alone

Each bridges the trust boundary the others assumed.

PR fork code crossing into base-repo cache. Base-repo cache crossing into release-workflow runtime. Release-workflow runtime crossing into npm registry write access. The composition only works because each vulnerability bridges the trust boundary the others assumed.

Three public vulnerabilities chained · each necessary, none sufficient

Every component was documented in public research before the attack. The TanStack postmortem explicitly notes the attacker reused verbatim code (with attribution comment preserved) from prior research disclosures.

▲ Vuln 01

pull_request_target · the Pwn Request pattern

BRIDGES: Fork code → base-repo cache

bundle-size.yml ran pull_request_target for fork PRs and checked out the fork’s PR-merge ref to run a build. Bypasses first-time-contributor approval gate. Author attempted trust split but missed that actions/cache@v5‘s post-job save is not gated by permissions:. Cache scope is per-repo, shared across triggers.

PUBLIC RESEARCHGitHub Security Lab · Preventing pwn requests · years before attack

▲ Vuln 02

GitHub Actions cache poisoning across trust boundaries

BRIDGES: Base-repo cache → release runtime

Malicious payload writes to pnpm-store under key release.yml will compute and look up. Linux-pnpm-store-${hashFiles('**/pnpm-lock.yaml')} — exact match. actions/cache@v5 post-step saves poisoned store to that key. Restored entirely as designed when release.yml next runs on push to main.

PUBLIC RESEARCHAdnan Khan · The Monsters in Your Build Cache · May 2024 · 12 months prior

▲ Vuln 03

OIDC token extraction from runner memory

BRIDGES: Release runtime → npm publish

release.yml declares id-token: write for legitimate npm OIDC trusted publishing. Poisoned cache invokes attacker binaries: locate Runner.Worker via /proc/*/cmdline, dump memory via /proc//maps + /proc//mem, extract OIDC token, POST to registry.npmjs.org. Bypasses workflow’s Publish Packages step entirely.

PUBLIC RESEARCHStepSecurity · tj-actions/changed-files compromise · March 2025 · verbatim script reused

The attacker did not invent novel tradecraft. They recombined published research. Verbatim Python script — attribution comment preserved — from the March 2025 tj-actions disclosure. Every defensive research publication becomes attacker reference material within 12-24 months.

Forensic chronology · 28 hours from fork to detection

Software Supply Chain Defense: Securing Build Environments, Toolchains, and CI/CD Infrastructure Against Advanced Threats

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

May 10 17:16 fork. May 11 19:50 detection.

From the attacker creating a renamed fork (deliberately evading fork-list searches) through the cache poisoning phase, the detonation phase, and the rapid external detection by Ashish Kurmi at StepSecurity. The TanStack postmortem published the complete root cause analysis publicly within hours.

Verified forensic timeline · May 10-11, 2026 (UTC)

All times UTC. Cross-referenced from TanStack postmortem (Tanner Linsley), StepSecurity analysis (Ashish Kurmi), Socket research, and the GitHub Security Advisory GHSA-g7cv-rxg3-hmpx.

May 10 17:16Setup

Attacker creates renamed fork to evade fork-list searches

github.com/zblgg/configuration — fork of TanStack/router deliberately renamed. Defender enumerating forks of TanStack/router by name would not surface this. Operational tradecraft — not novel, but deliberate.

SETUP
PHASE

May 10 23:29Malicious commit

Forged “claude” commit lands · fabricated identity

Commit 65bf499d authored by fabricated identity claude (NOT real Anthropic Claude). [skip ci] prefix suppresses CI on push. Adds packages/history/vite_setup.mjs — ~30,000-line bundled JS payload.

POISON
PREP

May 11 10:49PR opens

PR #7378 opens · pull_request_target auto-runs

“WIP: simplify history build” opened by zblgg. bundle-size.yml + labeler.yml auto-run via pull_request_target. No first-time-contributor approval — pull_request_target bypasses that gate. pr.yml blocked.

VULN 01
TRIGGER

May 11 11:11Force-push

Malicious commit lands on PR head · bundle-size.yml executes payload

11:11 force-push lands 65bf499d on PR head. bundle-size.yml’s benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build. Executes fork-controlled vite_setup.mjs.

PAYLOAD
EXEC

May 11 11:29Cache poisoned

Cache entry saved · poison persists across runs

Cache Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved for TanStack/router, scoped to refs/heads/main. Keyed to match what release.yml will compute on next push.

VULN 02
ACTIVE

May 11 11:31Cleanup

Attacker covers tracks · PR appears clean

Force-push reverts PR to current main HEAD (b1c061af). Visible PR diff is 0-file no-op. PR closed and branch deleted in same minute. Cache poison persists. PR appears benign in retrospective review.

EVASION

May 11 19:20:39Detonation

First publish wave · OIDC minted in memory

Manuel merges PR #7369 → release.yml runs (run 25613093674). Poisoned cache restored. Malware locates Runner.Worker via /proc/*/cmdline, dumps memory, extracts OIDC token, POSTs to registry.npmjs.org. Bypasses defined Publish Packages step entirely.

VULN 03
EXEC

May 11 19:26:14Second wave

Second publish wave · same OIDC mechanism

Manuel merges PR #7382 → release.yml runs again (run 25691781302). Same poisoned cache. Second-version-per-package set published — @tanstack/history@1.161.12 etc. Six minutes between the two publish waves. Workflow status: failure (tests broke; publish still happened).

FULL
BLAST

May 11 19:50Detection

Ashish Kurmi opens issue #7383 · complete IOC fingerprint

StepSecurity researcher Ashish Kurmi opens TanStack/router#7383 with full technical writeup. Socket flagged every malicious version within 6 minutes of publication. External detection community had IOC pattern within minutes. Tanner Linsley receives phone call from Socket.dev.

EXTERNAL
DETECTION

May 11 20:00-21:30Response

Incident response · scope confirmed, hardening shipped same day

War room activated. Manuel removes team push permissions. Tanner emails security@npmjs.com. Comprehensive scan confirms 42 packages, 84 versions. Hardening PR merged same day: bundle-size.yml restructured, repository_owner guards added, third-party action refs pinned to SHAs. GHSA published, CVE requested.

IR
COMPLETE

The broader campaign · TanStack as one node

Amazon

npm package vulnerability scanner

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

160+ packages. One worm. Same threat actor.

The TanStack compromise is one node in the broader Mini Shai-Hulud campaign by threat group TeamPCP — the same actor behind LiteLLM PyPI (March 2026), Bitwarden CLI npm, SAP CAP npm, and Lightning PyPI (April 30, 2026). Self-propagating worm pattern. First documented npm worm with valid SLSA Build Level 3 attestations.

Mini Shai-Hulud campaign · operational continuity

Same threat actor (TeamPCP / UNC6780) iterating on the same playbook across multiple package ecosystems. Self-propagation via maintainer search + OIDC trusted-publishing abuse.

160+

Packages compromised
May 2026 wave

12M+

@tanstack/react-router
weekly downloads

361K

intercom-client weekly
compromised May 12

29hr

Worm propagation
fork → detection

▲ Current victim organizations · May 2026 wave

TanStack · UiPath · Squawk · Mistral AI · DraftLab · Intercom-client — packages from completely separate maintainer organizations propagated through the worm’s maintainer-search mechanism: registry.npmjs.org/-/v1/search?text=maintainer: → republish with same injection. Active operational campaign as of May 12, 2026.

▲ TeamPCP operational history · prior compromises in same playbook

LiteLLM PyPI · March 24, 2026 · versions 1.82.7 + 1.82.8 · SANDCLOCK credential stealer in 3.4M daily downloads

Bitwarden CLI npm · earlier 2026 · same playbook

SAP CAP npm · earlier 2026 · enterprise blast radius

Lightning PyPI · April 30, 2026 · versions 2.6.2 + 2.6.3

▲ The SLSA Build Level 3 problem · structural defensive breakage

First documented npm worm that produces validly-attested malicious packages. Attacker used stolen OIDC tokens with the legitimate Sigstore stack to produce valid Build L3 attestations. npm audit signatures passes for the malicious TanStack versions. Provenance attestations alone do not validate package safety — defense-in-depth applies.

Indicators of compromise · defender hunt references

DevOps with GitHub Actions: A Practical Guide to Building Secure, Scalable, and Production-Ready CI/CD Automation Pipelines

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

IOCs · copy-pasteable for hunting queries.

The TanStack postmortem published comprehensive IOCs. Defenders should hunt for these across their environments. The attacker forged a “claude” identity using claude@users.noreply.github.com — not the real Anthropic Claude Code GitHub App. This identity-confusion tactic deserves specific attention in git-log audits.

Verified IOCs · TanStack-published indicators of compromise

Hunt these across npm dependency manifests, GitHub Actions cache, runtime exfiltration logs, and git commit history. Audit ~/.claude/ and .vscode/ for persistence hooks.

▲ OPTIONAL DEPENDENCY INJECTION · IN PACKAGE.JSON

Malicious optionalDependencies entry · resolves to fork payload

“@tanstack/setup”: “github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c”

Orphan commit lives in attacker fork’s git object store · reachable via TanStack/router URL. prepare lifecycle hook executes bun run tanstack_runner.js && exit 1 on install — payload runs, then optional dep “fails” gracefully.

▲ POISONED CACHE KEY · GITHUB ACTIONS

GitHub Actions cache · 1.1 GB poisoned pnpm store

Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11

Scoped to TanStack/router refs/heads/main. Saved by attacker workflow, restored by legitimate release.yml. File: router_init.js (~2.3 MB, package root, not in files array). Also: tanstack_runner.js per Socket analysis.

▲ EXFILTRATION NETWORK · SESSION PROTOCOL

Session/Oxen messenger exfil · E2E encrypted, no C2 to block

filev2.getsession.org · seed1.getsession.org · seed2.getsession.org · seed3.getsession.org

End-to-end encrypted Session Protocol exfil — no attacker-controlled C2. Blocking by IP/domain is the only network mitigation. 2nd-stage payloads: https://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs. Secondary exfil via legitimate-looking GitHub GraphQL API traffic.

▲ FORGED IDENTITY · NOT REAL ANTHROPIC CLAUDE

Fabricated “claude” commit author · git-log search recommended

claude

Not the real Anthropic Claude Code GitHub App. Fabricated GitHub no-reply identity exploiting display-name confusion. Recommended search: git log --all --author=claude@users.noreply.github.com across all repos. Force-push revert if found.

▲ PERSISTENCE HOOKS · SURVIVES REBOOTS

Persistence in ~/.claude/ and .vscode/tasks.json

router_runtime.js · setup.mjs · settings.json hooks · tasks.json entries

Attacker accounts: zblgg (id 127806521) · voicproducoes (id 269549300 · account created 2026-03-19 — fresh account, public repos named “A Mini Shai-Hulud has Appeared”). Attacker fork: github.com/zblgg/configuration (renamed). Workflow runs: 25613093674 · 25691781302.

Defensive priorities · three audiences

Klein Tools 80093 Cable Tester, VDV LAN Kit with LAN Tester, Pass Thru Crimper, CAT6/CAT5e Plugs and Strain Relief Boots, 5-Piece

SMART BUY: A complete, high-performance kit that offers convenience and value

AmazonView Latest Price

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Installed it? Rotate. Maintain packages? Audit.

Three response tracks. If you installed an affected version on May 11: treat your host as compromised. If you maintain OSS with similar workflow patterns: audit pull_request_target immediately. If you consume the npm ecosystem at enterprise scale: deploy install-time monitoring and lockfile pinning.

Three-audience defensive response · prioritized actions

Recovery (rotate everything) · prevention (audit + harden) · monitoring (install-time scanning + lockfile pinning).

▲ IF YOU INSTALLED MAY 11

Rotate everything. Treat host as compromised.

• Rotate AWS, GCP, Azure, Kubernetes service-account tokens, Vault tokens, npm ~/.npmrc, GitHub tokens, SSH private keys
• Review GitHub Actions runs after 2026-05-11T19:20Z for unexpected npm publish events
• Check outbound connections to filev2.getsession.org · seed*.getsession.org
• Check downstream propagation — if your packages were published during a CI run that installed compromised version, those may also be compromised
• Audit ~/.claude/ + .vscode/tasks.json · remove router_runtime.js, setup.mjs
• git log --all --author=claude@users.noreply.github.com · revert if found
• Run npm token list · revoke unrecognized tokens

▲ IF YOU MAINTAIN OSS

Audit pull_request_target. Pin SHAs.

• Audit pull_request_target workflows immediately · never check out fork-submitted code without explicit approval gates
• Pin third-party action refs to commit SHAs · actions/checkout@8e5e7e5ab8... not @v6
• Separate cache scopes for trusted vs untrusted contexts · explicit restore-keys and key patterns
• Consider moving from OIDC trusted publisher to short-lived classic tokens with manual review
• Add internal alerting on npm publishes · fire on any publish that doesn’t originate from expected workflow step
• Audit other repos for the same bundle-size.yml-style pattern
• Restrict id-token: write to only the publish step that needs it

▲ IF YOU CONSUME NPM AT SCALE

Install-time scanning. Lockfile pinning.

• Deploy npm package monitoring at install time · Socket / StepSecurity / Snyk · Socket flagged TanStack in 6 minutes
• Lockfile-pinned dependencies don’t auto-pull new versions · only consumers installing during the publish window were affected
• Audit lockfiles for github: URL optionalDependencies · unusual for production deps, exact pattern used here
• CI/CD secret rotation automation · 30-90 day schedule regardless of incident status
• Treat provenance attestations as one layer, not sole verification · Mini Shai-Hulud produces valid Build L3 attestations on malicious packages
• Establish IR playbooks for OSS supply-chain compromise scenarios

Three pieces of public security research. Twelve months between the latest and the attack. Zero novel attacker tradecraft. A competent maintainer team with 2FA and OIDC trusted publishing — compromised through a chain that no individual vulnerability in their stack would have enabled. The composition is the attack surface.

— Software security · the TanStack forensic case study · Part 7 · May 2026

Impact of Public Research on Supply-Chain Attacks

This incident demonstrates that publicly documented vulnerabilities, if chained together, can be exploited rapidly and effectively, often outpacing the deployment of mitigations. It highlights the need for the open-source ecosystem and enterprises to treat published research as operationally weaponized tradecraft, increasing the urgency for proactive defenses and review processes.

Broader Trends in 2026 Supply-Chain Attacks

The TanStack compromise is part of a broader wave of supply-chain incidents in 2026, with over 160 packages affected in campaigns like Mini Shai-Hulud. The attack leverages publicly available research from GitHub Security Lab, Adnan Khan, and StepSecurity, illustrating how attacker tradecraft increasingly compresses research-to-exploit timelines. The same day as the Google Threat Intelligence Group disclosed an AI-built zero-day, the TanStack attack exemplifies the escalation of publicly known vulnerabilities into operationalized exploits, driven by AI-assisted attack composition.

“The TanStack incident exemplifies how publicly documented vulnerabilities, when chained, form a potent attack surface that adversaries can exploit faster than defenders can respond.”

— Thorsten Meyer, researcher

Unanswered Questions About the Attack Chain

It remains unclear how widespread the impact was beyond the 42 affected packages, and whether additional malicious commits exist in other repositories. The full extent of the exfiltrated credentials and whether the attacker maintained persistent access are still under investigation. Details about the exact modifications to the package workflows and the potential for similar chained vulnerabilities in other projects are also not yet confirmed.

Future Mitigation and Industry Response Strategies

Security teams are expected to prioritize patching and monitoring for the three vulnerabilities involved, especially in open-source package workflows. Developers will need to adopt stricter code review practices for pull requests crossing trust boundaries and enhance detection of malicious commits. Industry-wide, there is likely to be increased emphasis on supply-chain security audits, automated detection of chained vulnerabilities, and revision of trust models in CI/CD pipelines. Further investigations into the attack’s scope and the development of targeted mitigations are anticipated in the coming weeks.

Key Questions

What are the three vulnerabilities exploited in the TanStack attack?

The attack exploited the pull_request_target “Pwn Request” pattern, cache poisoning across fork-base trust boundaries, and OIDC token extraction from GitHub Actions runners. All three vulnerabilities had been publicly documented prior to the attack.

How quickly did the attacker execute the attack?

The entire chain of malicious activity was completed within approximately six minutes, highlighting the rapidity with which known vulnerabilities can be weaponized.

Did the attack involve stealing npm tokens or compromising the publish process?

No, the attacker did not steal npm tokens or directly compromise the publish process. Instead, they exfiltrated credentials via a trusted session protocol, bypassing traditional token theft detection.

What lessons can open-source maintainers learn from this incident?

Maintainers should treat publicly documented vulnerabilities as operational threats, implement stricter code review for trust boundary crossings, and monitor for chained vulnerabilities that can be exploited collectively.

Is this type of attack preventable?

While no system can be entirely immune, adopting comprehensive security practices—such as minimizing trust boundaries, improving detection of malicious commits, and applying timely patches—can significantly reduce risk.

Source: ThorstenMeyerAI.com