VDB
GCVE-110-OSM-2026-3997
GCVE-110-OSM-2026-3997
Advisory PublishedCVSS 9.6/10
Compromised versions of `@uipath/ap-chat` (1.5.7) part of the Mini Shai-Hulud npm supply-chain worm (May 2026). Originating from the TanStack package compromise, the worm self-propagates by stealing OIDC publishing tokens during legitimate CI runs and republishing infected packages with valid Sigstore provenance. The implant harvests GitHub Actions secrets, AWS/Kubernetes/Vault credentials, and exfiltrates over the Session P2P messaging network.
=== STAGE 1: router_init.js (~2.3 MB obfuscated) ===
Injected into: node_modules/@uipath/ap-chat/router_init.js
SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
Behavior: javascript-obfuscator pattern (string-array rotation, hex lookups, control-flow flattening). Daemonized child process with stdio suppressed and unref() to mask parent exit. Harvests GitHub Actions secrets (GITHUB_*, ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL), AWS credentials via IMDSv2 (169.254.169.254) + ECS metadata (169.254.170.2) + Secrets Manager + SSM Parameter Store, Kubernetes service-account tokens, and HashiCorp Vault tokens (vault.svc.cluster.local:8200, 127.0.0.1:8200).
=== STAGE 2: tanstack_runner.js (npm worm propagation) ===
SHA256: 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
Acquires npm OIDC JWT via ACTIONS_ID_TOKEN_REQUEST_URL, exchanges for publish token via OIDC federation, bundles implant into .tgz/.tar.zst, republishes packages under latest dist-tag with stolen maintainer identity AND submits Sigstore provenance attestation as deceptive trust signal. Injects malicious optionalDependencies entry pointing to github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c whose `prepare` lifecycle hook executes `bun run tanstack_runner.js && exit 1` to ensure infection on git-dependency installs.
=== STAGE 3: Repository Poisoning ===
GitHub GraphQL createCommitOnBranch mutation injects payloads into:
.github/workflows/ (Actions workflow injection)
.claude/router_runtime.js, .claude/settings.json, .claude/setup.mjs (Claude Code hook persistence)
.vscode/setup.mjs, .vscode/tasks.json (VS Code task hijack)
Commits spoofed as claude@users.noreply.github.com.
=== EXFILTRATION ===
Routes harvested credentials through Session P2P network (filev2.getsession.org/file/) using signalservice Protocol Buffers. Traffic appears as encrypted messaging, not traditional HTTP C2.
Compromised versions of @uipath/ap-chat: 1.5.7
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @uipath/ap-chat | all (affected) | — |
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.