VDB

GCVE-110-OSM-2026-3952

GCVE-110-OSM-2026-3952
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 11, 2026
Compromised versions of `@tanstack/router-ssr-query-core` (1.168.3, 1.168.6) published via stolen OIDC publishing token as part of the Mini Shai-Hulud supply-chain attack against TanStack (May 2026). The attacker exploited an orphaned commit to gain access to the workflow run that stores the OIDC token, bypassing 2FA-protected publishing. Each version contains a multi-stage implant that harvests cloud/CI credentials (GitHub, AWS, Kubernetes, Vault), republishes infected packages via OIDC federation (npm worm), and exfiltrates over Session P2P messaging infrastructure. === STAGE 1: router_init.js (~2.3 MB obfuscated) === Injected into: node_modules/@tanstack/router-ssr-query-core/router_init.js SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c Behavior: javascript-obfuscator pattern (string-array rotation, hex lookups, control-flow flattening). Daemonized child process with stdio suppressed and unref() to mask parent exit. Harvests GitHub Actions secrets (GITHUB_*, ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL), AWS credentials via IMDSv2 (169.254.169.254) + ECS metadata (169.254.170.2) + Secrets Manager + SSM Parameter Store, Kubernetes service-account tokens, and HashiCorp Vault tokens (vault.svc.cluster.local:8200, 127.0.0.1:8200). === STAGE 2: tanstack_runner.js (npm worm propagation) === SHA256: 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 Acquires npm OIDC JWT via ACTIONS_ID_TOKEN_REQUEST_URL, exchanges for publish token via OIDC federation, bundles implant into .tgz/.tar.zst, republishes packages under latest dist-tag with stolen maintainer identity AND submits Sigstore provenance attestation as deceptive trust signal. Injects malicious optionalDependencies entry pointing to github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c, whose `prepare` lifecycle hook executes `bun run tanstack_runner.js && exit 1` to ensure infection on git-dependency installs. === STAGE 3: Repository Poisoning === GitHub GraphQL createCommitOnBranch mutation injects payloads into: .github/workflows/ (Actions workflow injection) .claude/router_runtime.js, .claude/settings.json, .claude/setup.mjs (Claude Code hook persistence) .vscode/setup.mjs, .vscode/tasks.json (VS Code task hijack) Commits spoofed as claude@users.noreply.github.com. === EXFILTRATION === Routes harvested credentials through Session P2P network (filev2.getsession.org/file/) using signalservice Protocol Buffers (Envelope, Content, DataMessage, WebSocketMessage, SharedConfigMessage). Traffic appears as encrypted messaging, not traditional HTTP C2. Compromised versions of @tanstack/router-ssr-query-core: 1.168.3, 1.168.6

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@tanstack/router-ssr-query-coreall (affected)

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›