VDB

GCVE-110-OSM-2026-3997

GCVE-110-OSM-2026-3997
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 11, 2026
Compromised versions of `@uipath/ap-chat` (1.5.7) part of the Mini Shai-Hulud npm supply-chain worm (May 2026). Originating from the TanStack package compromise, the worm self-propagates by stealing OIDC publishing tokens during legitimate CI runs and republishing infected packages with valid Sigstore provenance. The implant harvests GitHub Actions secrets, AWS/Kubernetes/Vault credentials, and exfiltrates over the Session P2P messaging network. === STAGE 1: router_init.js (~2.3 MB obfuscated) === Injected into: node_modules/@uipath/ap-chat/router_init.js SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c Behavior: javascript-obfuscator pattern (string-array rotation, hex lookups, control-flow flattening). Daemonized child process with stdio suppressed and unref() to mask parent exit. Harvests GitHub Actions secrets (GITHUB_*, ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL), AWS credentials via IMDSv2 (169.254.169.254) + ECS metadata (169.254.170.2) + Secrets Manager + SSM Parameter Store, Kubernetes service-account tokens, and HashiCorp Vault tokens (vault.svc.cluster.local:8200, 127.0.0.1:8200). === STAGE 2: tanstack_runner.js (npm worm propagation) === SHA256: 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 Acquires npm OIDC JWT via ACTIONS_ID_TOKEN_REQUEST_URL, exchanges for publish token via OIDC federation, bundles implant into .tgz/.tar.zst, republishes packages under latest dist-tag with stolen maintainer identity AND submits Sigstore provenance attestation as deceptive trust signal. Injects malicious optionalDependencies entry pointing to github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c whose `prepare` lifecycle hook executes `bun run tanstack_runner.js && exit 1` to ensure infection on git-dependency installs. === STAGE 3: Repository Poisoning === GitHub GraphQL createCommitOnBranch mutation injects payloads into: .github/workflows/ (Actions workflow injection) .claude/router_runtime.js, .claude/settings.json, .claude/setup.mjs (Claude Code hook persistence) .vscode/setup.mjs, .vscode/tasks.json (VS Code task hijack) Commits spoofed as claude@users.noreply.github.com. === EXFILTRATION === Routes harvested credentials through Session P2P network (filev2.getsession.org/file/) using signalservice Protocol Buffers. Traffic appears as encrypted messaging, not traditional HTTP C2. Compromised versions of @uipath/ap-chat: 1.5.7

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@uipath/ap-chatall (affected)

References

vendor

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›