TanStack npm Supply Chain Worm Compromises 160+ Packages via GitHub Actions OIDC Token Theft
Tags AI · Infrastructure · OSS

On May 11, 2026, threat group TeamPCP exploited a chain of GitHub Actions vulnerabilities (a pull_request_target misconfiguration, cache poisoning across the fork-to-base boundary, and runtime OIDC token extraction from runner memory) to publish 373 malicious package versions across 169 npm and 2 PyPI packages, including packages in the @tanstack, @mistralai, and @uipath namespaces. The self-propagating worm, dubbed Mini Shai-Hulud, steals GitHub tokens, npm tokens, cloud credentials, and SSH keys, and it includes a wiper daemon that executes rm -rf ~/ if a token is revoked.

CVE-2026-45321 (CVSS 9.6) was assigned. This is the first npm supply chain attack producing valid SLSA Build Level 3 provenance attestations for malicious packages. The @tanstack/react-router package alone receives 12.7M+ weekly downloads.

Users must audit lockfiles, rotate all credentials from affected machines, and remove the persistence daemon at ~/Library/LaunchAgents/com.user.gh-token-monitor.plist (macOS) or ~/.config/systemd/user/gh-token-monitor.service (Linux).
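A starting point for the lockfile audit and persistence check described above, as an added example that is not code from the affected projects or from any advisory. The function names and the sample lockfile are constructed for illustration. The page does not list the affected versions, so the script only reports what is installed from the three named namespaces, for comparison against the advisory for CVE-2026-45321.

```python
import json
import sys
from pathlib import Path

# Scopes and persistence paths are the ones named in the article above.
SCOPES = ("@tanstack/", "@mistralai/", "@uipath/")
PERSISTENCE = (
    "Library/LaunchAgents/com.user.gh-token-monitor.plist",  # macOS
    ".config/systemd/user/gh-token-monitor.service",         # Linux
)

# Constructed sample lockfile (lockfileVersion 3 layout); versions are placeholders.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/react-router": {"version": "0.0.1-example"},
        "node_modules/example-lib": {"version": "0.0.2-example"},
        "node_modules/some-sdk/node_modules/@mistralai/mistralai": {"version": "0.0.3-example"},
    },
}

def scoped_packages(lock):
    """Sorted (name, version) pairs for every installed package in SCOPES,
    nested copies included, from a package-lock.json (lockfileVersion 1-3)."""
    found = set()
    # v2/v3: flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        name = path.rpartition("node_modules/")[2]
        if name.startswith(SCOPES) and "version" in meta:
            found.add((name, meta["version"]))
    # v1 (and the v2 compatibility copy): nested "dependencies" tree.
    stack = [lock.get("dependencies", {})]
    while stack:
        for name, meta in stack.pop().items():
            if name.startswith(SCOPES) and "version" in meta:
                found.add((name, meta["version"]))
            stack.append(meta.get("dependencies", {}))
    return sorted(found)

def persistence_artifacts(home):
    """Persistence files named in the article that exist under `home`."""
    return [home / rel for rel in PERSISTENCE if (home / rel).exists()]

if __name__ == "__main__":
    lock = json.loads(Path(sys.argv[1]).read_text()) if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, version in scoped_packages(lock):
        print(f"installed: {name}@{version}")
    for hit in persistence_artifacts(Path.home()):
        print(f"persistence file present: {hit}")
```

Because the page describes the daemon running rm -rf ~/ when a token is revoked, checking a machine for these files before rotating its credentials is the safer order.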
Technical significance
This attack demonstrates that CI/CD supply chain compromises can now produce packages with valid cryptographic provenance attestations, undermining trust in SLSA/Sigstore-based verification. The worm-like propagation model means every compromised developer machine becomes a new attack vector. Organizations must treat CI/CD pipeline secrets with the same rigor as production credentials and implement runtime memory protection for OIDC tokens in GitHub Actions runners.