VDB

GCVE-110-OSM-2026-630

GCVE-110-OSM-2026-630
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 11, 2026
Attacker-controlled GitHub account used to stage the Mini Shai-Hulud supply-chain attack against TanStack and downstream npm packages. Publicly visible 'A Mini Shai-Hulud has Appeared' branding suggests campaign signaling. Attacker-controlled GitHub account observed staging the Mini Shai-Hulud supply-chain attack against TanStack and downstream npm namespaces. Public repositories on this account include "A Mini Shai-Hulud has Appeared" branding, suggesting attribution claim or campaign signaling. Role in attack: - Stages malicious payloads (router_init.js, tanstack_runner.js) - Hosts orphaned commit referenced by malicious optionalDependencies - Used as the publishing identity for poisoned npm releases via stolen OIDC tokens Associated SHA256 file hashes: - ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c (router_init.js) - 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 (tanstack_runner.js) Spoofs commits as claude@users.noreply.github.com to disguise injections in downstream repositories.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncit-playwright-testsall (affected), all (affected), all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), all (affected)
unknown@emilgroup/document-sdk-node* (affected), all (affected)
unknownvision-service-python-client-internalall (affected), all (affected), * (affected), * (affected)
unknownall (affected)

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›