VDB
GCVE-110-OSM-2026-630
GCVE-110-OSM-2026-630
Advisory PublishedCVSS 8.8/10
Attacker-controlled GitHub account used to stage the Mini Shai-Hulud supply-chain attack against TanStack and downstream npm packages. Publicly visible 'A Mini Shai-Hulud has Appeared' branding suggests campaign signaling.
Attacker-controlled GitHub account observed staging the Mini Shai-Hulud supply-chain attack against TanStack and downstream npm namespaces. Public repositories on this account include "A Mini Shai-Hulud has Appeared" branding, suggesting attribution claim or campaign signaling.
Role in attack:
- Stages malicious payloads (router_init.js, tanstack_runner.js)
- Hosts orphaned commit referenced by malicious optionalDependencies
- Used as the publishing identity for poisoned npm releases via stolen OIDC tokens
Associated SHA256 file hashes:
- ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js)
- 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 (tanstack_runner.js)
Spoofs commits as claude@users.noreply.github.com to disguise injections in downstream repositories.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cit-playwright-tests | all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | @emilgroup/document-sdk-node | * (affected), all (affected) | — |
| unknown | vision-service-python-client-internal | all (affected), all (affected), * (affected), * (affected) | — |
| unknown | all (affected) | — |
References
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.