Lead Story | CRITICAL — CVSS 9.6 | Dev · Cloud+DevOps
Mini Shai-Hulud Returns: TeamPCP Compromises 169 npm Packages Including @tanstack Via GitHub Actions OIDC Bypass
TeamPCP’s worm published 84 malicious @tanstack package versions in a six-minute window on May 11, using hijacked GitHub Actions OIDC tokens to produce validly signed npm tarballs that passed SLSA Build Level 3 verification. The campaign spread to Mistral AI, Guardrails AI, UiPath, and others — 169 packages total. Any CI/CD pipeline that consumed @tanstack packages after 19:20 UTC on May 11 requires immediate credential rotation.
Any CI/CD pipeline that consumed @tanstack packages on May 11 after 19:20 UTC should be treated as compromised until secrets are rotated. TeamPCP’s Mini Shai-Hulud resurfaced that evening, publishing 84 malicious versions across 42 @tanstack packages before spreading to Mistral AI, Guardrails AI, and UiPath — 169 packages total. Stolen credentials include GitHub tokens, npm publish tokens, and AWS access keys. The malicious packages carried valid SLSA Build Level 3 provenance attestations, bypassing automated supply chain verification.
The attack chain: a malicious fork PR poisoned the project’s pnpm cache via pull_request_target; a release run restored it; attacker code extracted the runner’s OIDC token from process memory and published to npm under the project’s own identity. Block C2 at DNS: api.masscan.cloud, git-tanstack.com, *.getsession.org. Rotate secrets for any pipeline that installed @tanstack packages after 19:20 UTC on May 11. Update to clean versions now. (Hardened covered the prior Mini Shai-Hulud wave in the May 4 flagship.)
Sources: Wiz, StepSecurity, TanStack Postmortem
Key Takeaway: Treat any CI/CD pipeline that pulled @tanstack packages after 19:20 UTC on May 11 as compromised until all secrets are rotated. Block the campaign’s C2 domains — api.masscan.cloud, git-tanstack.com, and *.getsession.org — at DNS or proxy. Update to the latest clean @tanstack versions and audit GitHub Actions workflows for pull_request_target permissions before the next merge.
Quick Hits
01
CVE-2026-0300: PAN-OS Patches Begin Rolling Out Today — Apply Before Your Version Window Closes
Palo Alto Networks began releasing patches today for CVE-2026-0300, the actively exploited unauthenticated buffer overflow in PAN-OS that grants root RCE on internet-facing PA-Series and VM-Series firewalls. CISA confirmed exploitation on May 6; Unit 42 attributes observed attacks to CL-STA-1132, a likely state-sponsored cluster; the full patch rollout runs to May 28. Apply the available update to any internet-facing PAN-OS firewall now, and disable the User-ID Authentication Portal as an interim measure on any version that does not yet have a patch.
Source: Palo Alto
High — CVSS 9.3 | Cloud+DevOps · Enterprise
CVE Watch
Patch of the Day
CVE-2026-45321 | CVSS 9.6 (Critical)
Mini Shai-Hulud — @tanstack npm Supply Chain Compromise via GitHub Actions OIDC Token Extraction
The underlying weakness is an overly permissive pull_request_target workflow configuration combined with no cache isolation between fork and base repository contexts. A contributor with the ability to open a pull request can inject malicious build artefacts into a shared pnpm cache; a subsequent privileged release workflow restores and executes them, exposing OIDC tokens, signing credentials, and package registry publish tokens. The malicious packages resulting from this attack carried valid SLSA Build Level 3 provenance attestations — standard artefact verification did not flag them. Researcher ashishkurmi (StepSecurity) detected the campaign within 20 minutes of the first malicious publish. Clean package versions are now available across the @tanstack ecosystem.
Vendor: npm / GitHub Actions (@tanstack ecosystem) · Discovered: May 11, 2026 · CISA KEV: Not listed at time of writing · Exploited: Confirmed — 84 malicious versions published, CI/CD secrets exfiltrated (TeamPCP)
Compliance Tip of the Day
NIST CSF 2.0 — Protect (PR) — PR.PS-06 — Platform Security: Secure Software Development Practices
Your CI/CD Pipeline Is a Trust Boundary — Govern It Like One
The Mini Shai-Hulud campaign exploited a well-documented GitHub Actions misconfiguration — the pull_request_target trigger grants fork PRs access to base-repository secrets and caches, a boundary that requires explicit review and restriction. PR.PS-06 requires that secure software development practices are embedded across the full software development life cycle, which includes the build and release pipeline as a trust zone with defined access controls and least-privilege publishing credentials. Leadership ask: Confirm with your engineering lead that all CI/CD workflows restrict pull_request_target permissions, that third-party GitHub Actions are pinned to commit hashes rather than version tags, and that publish tokens are scoped to individual packages and rotated on a defined schedule — the attack succeeded where those controls were absent.
Reference: GitHub Actions hardening
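The workflow controls in the leadership ask can be checked mechanically. This added example (not code from this newsletter, TanStack, or GitHub) scans workflow text for the pull_request_target, shared-cache, OIDC, and unpinned-action conditions described above; the finding codes, the FIRST_PARTY set, and both sample workflows are constructed assumptions.

```python
import re

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"]+)")
FIRST_PARTY = {"actions", "github"}  # assumption: GitHub-owned orgs are not third-party

def audit_workflow(text):
    """Return sorted finding codes for one workflow (line heuristics, not a YAML parser)."""
    lines = [re.sub(r"(^|\s)#.*", "", ln) for ln in text.splitlines()]  # drop comments
    body = "\n".join(lines)
    uses = [m.group(1) for ln in lines if (m := USES_RE.match(ln))]
    caches = (any(u.startswith("actions/cache") for u in uses)
              or re.search(r"^\s*cache:\s*\S", body, re.M) is not None)
    findings = set()
    if re.search(r"\bpull_request_target\b", body):
        findings.add("PRT_TRIGGER")                      # fork PR runs in base-repo context
        if re.search(r"github\.event\.pull_request\.head\.(sha|ref)", body):
            findings.add("PRT_RUNS_FORK_CODE")           # checks out the fork's ref
        if caches:
            findings.add("PRT_WRITES_SHARED_CACHE")      # cache later restored by base jobs
    if caches and re.search(r"^\s*id-token:\s*write\b", body, re.M):
        findings.add("OIDC_JOB_RESTORES_CACHE")          # publish identity + restored cache
    for u in uses:
        local = u.startswith(("./", "docker://")) or u.split("/", 1)[0] in FIRST_PARTY
        if not local and not re.search(r"@[0-9a-f]{40}$", u):
            findings.add("UNPINNED_THIRD_PARTY_ACTION")  # tag or branch, not a commit hash
    return sorted(findings)

# Constructed workflow fragments for illustration (not from any real repository).
PR_WORKFLOW = """\
on: pull_request_target
steps:
  - uses: actions/checkout@v4
    with:
      ref: ${{ github.event.pull_request.head.sha }}
  - uses: pnpm/action-setup@v4
  - uses: actions/setup-node@v4
    with:
      cache: pnpm
"""
RELEASE_WORKFLOW = """\
on: push
permissions:
  id-token: write   # OIDC identity used for publishing
steps:
  - uses: actions/cache@v4
"""
if __name__ == "__main__":
    print(audit_workflow(PR_WORKFLOW), audit_workflow(RELEASE_WORKFLOW))
```

A finding is a prompt for manual review of that workflow, not proof of exposure; the line heuristics will miss conditions expressed through reusable workflows or composite actions.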