A team of attackers published 84 poisoned versions of TanStack packages—libraries downloaded 12.7 million times weekly by React developers—in a six-minute window on May 11 by hijacking the project's GitHub Actions workflow and extracting the authentication tokens npm accepted as proof of legitimate ownership.

The attack, now tracked as CVE-2026-45321 with a CVSS score of 9.6, is the first documented supply-chain compromise to ship malicious code bearing valid cryptographic provenance attestations—the digital signatures registries use to verify a package's publisher. OpenAI disclosed May 13 that two employee devices were infected before npm pulled the packages down; the company is now rotating macOS certificates by June 12.

The technique bypassed every layer meant to stop supply-chain attacks—code review, permissions checks, and cryptographic signing—because the credentials the attackers stole were real.

A Three-Stage Chain

StepSecurity researcher ashishkurmi detected the uploads within 20 minutes of the first publish at 19:20 UTC, but the attack had already threaded three exploits into a working chain.

The attackers forked TanStack's repository and submitted a pull request carrying hidden binaries. They prefixed the commit message with [skip ci] to dodge automated scans and authored it under the name "claude " to impersonate Anthropic's GitHub App.

TanStack's `bundle-size.yml` workflow ran with `pull_request_target` permissions, which let the fork's code execute in the main repository's security context. The malicious PR triggered a build that wrote attacker-controlled files into the GitHub Actions cache—a temporary storage layer that doesn't enforce workflow permission boundaries.

Hours later, when TanStack's legitimate release.yml workflow ran to publish new package versions, it restored the poisoned cache. Attacker binaries extracted the OIDC token GitHub had issued to authenticate npm publishes directly from runner memory and used it to ship 84 package versions across 42 @tanstack/* libraries between 19:20 and 19:26 UTC.

"The malicious packages were published using TanStack's legitimate OIDC identity," the project wrote in its May 12 postmortem. "This meant they carried valid provenance attestations that npm's registry accepted as authentic."

TeamPCP's Expanding Campaign

The threat group behind the attack operates under the name TeamPCP and is tracked by Orca Security as DeadCatx3, PCPcat, ShellForce, and CipherForce. Palo Alto Networks' Unit 42 documented the group's partnership with the Vect ransomware operation.

TeamPCP has claimed credit for a multi-month campaign targeting language ecosystems. According to OSSF's malicious packages database, the group compromised packages in the Mistral AI SDK in early May. Security vendors documented earlier TeamPCP activity against other high-profile targets, though exact package counts remain under review by threat intelligence teams.

One day after the TanStack incident, vx-underground reported on social media that the group had open-sourced the Shai-Hulud toolchain—the automated workflow for cache poisoning and OIDC token extraction. The publication means any attacker with access to the code can now replicate the technique against misconfigured CI/CD pipelines.

Mistral AI confirmed a single developer device was compromised through a TanStack-adjacent attack vector, though the company said no customer data was exposed.

npm's Staged Publishing Response

npm shipped a direct countermeasure on May 25 with version 11.15.0, which introduced staged publishing. New package versions now enter a quarantine state and require explicit approval from a maintainer with two-factor authentication before going live—eliminating the instant-publish window the attackers exploited.

TanStack rewrote its workflows on May 13 to separate build permissions from publishing permissions and now pins all GitHub Actions dependencies to commit hashes instead of version tags, blocking the cache-substitution vector.

But the OIDC trust model itself remains a subject of debate among infrastructure security researchers. GitHub Actions issues short-lived tokens that registries like npm accept as cryptographic proof of a publisher's identity. Those tokens live in runner memory during workflow execution, and CVE-2026-45321 documents that attackers with code execution in the same environment can extract them.

CISA issued advisories in September 2025 and March 2025 documenting similar OIDC token-theft campaigns that targeted tj-actions/changed-files and other workflow libraries—establishing the technique as a recurring pattern, not an isolated incident.

The open question is whether GitHub will add token-scoping controls that let maintainers restrict OIDC claims to specific workflow files, or whether registries like npm will expand mandatory human approval to all packages above a download threshold. OpenAI's June 12 certificate rotation deadline is two weeks out, and the industry has yet to settle on which layer of the stack should harden first.