GitHub Actions cache poisoning let 84 hacked TanStack npm releases ship
AI Sec News Weekly #9 — 331 sources scanned
We keep underestimating state. Not the stored secrets we guard, but the husks our systems leave behind: caches, layers, warmed containers. They look like performance hacks, yet they're really decision engines with privileges. Nudge their memory and they'll calmly recompute a different future.
This week's CI scare reminds us that "fast" and "trusted" often share a roof. Cache invalidation is famously hard; add privileges and it turns into identity creation. A handy model: any writable cache on a build path is a deploy key in disguise. How many of those are we carrying? The evidence just below is hard to forget.
This Week's Stories
Mini Shai‑Hulud hits TanStack, Mistral, Guardrails with CI‑borne stealer
TeamPCP’s “Mini Shai‑Hulud” hit npm/PyPI for TanStack, Mistral AI, OpenSearch, Guardrails. TanStack’s CVE‑2026‑45321 (CVSS 9.6) spanned 42 packages/84 versions after a chained GitHub Actions abuse (pull_request_target, cache poisoning) yanked an OIDC token from runner memory. The router_init.js stealer fingerprints hosts, persists in Claude Code/VS Code, exfiltrates to filev2.getsession[.]org, with GitHub GraphQL commits as fallback. It also plants Actions that dump secrets to api.masscan[.]cloud.
Why it matters: Release provenance can be forged end‑to‑end, turning routine installs and IDE sessions into long‑lived exfil channels.
TanStack attack used cache poisoning to ship 84 toxic npm releases
An attacker pushed 84 malicious TanStack npm releases in a six‑minute window on May 11, detected within 30 minutes and later acknowledged by GitHub. A poisoned Actions cache let the payload build and extract an npm OIDC token; maintainers weren’t popped. The stealer trawls 100+ sensitive paths and installs a “dead‑man’s switch” that wipes disks if revoked GitHub tokens are detected. GitHub’s advisory classed environments that installed affected versions that day as compromised.
Why it matters: Letting ephemeral build artifacts stand in for trust makes release auth brittle enough for six‑minute mass poisoning.
Snyk Blog by Stephen Thoemmes
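The combination the two TanStack items describe (a privileged trigger, a checkout of untrusted pull-request code, and a cache that job writes to) is something a defender can look for in workflow files before it is abused. The audit below is an added example written for this newsletter, not TanStack's, Snyk's or GitHub's code. It takes a workflow already parsed into Python dicts (the shape PyYAML's `yaml.safe_load` returns, including the quirk that a bare `on:` key parses as the boolean `True`); the two sample workflows are constructed here and are not the workflows from the incident. The underlying assumption, from GitHub's own hardening guidance, is that a `pull_request_target` job runs in the base branch's context, so a cache it saves is later restorable by other base-branch jobs.

```python
"""Audit parsed GitHub Actions workflows for the trigger/checkout/cache
combination that lets pull-request code write into a cache a privileged
job later restores. Added example; not the project's or GitHub's code."""
from __future__ import annotations

# Triggers that run with the base repository's secrets and cache scope.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}
# setup-* actions wrap actions/cache when their `cache:` input is set.
SETUP_ACTIONS_WITH_CACHE = ("actions/setup-node", "actions/setup-python", "actions/setup-go")


def _triggers(workflow: dict) -> set[str]:
    """Normalise the `on:` block; PyYAML turns the key `on` into True."""
    on = workflow.get("on", workflow.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    if isinstance(on, dict):
        return set(on.keys())
    return set()


def _checks_out_pr_head(step: dict) -> bool:
    """actions/checkout pointed at the untrusted PR head inside a base-context job."""
    uses = str(step.get("uses", ""))
    ref = str((step.get("with") or {}).get("ref", ""))
    return uses.startswith("actions/checkout") and "pull_request.head" in ref


def _writes_cache(step: dict) -> bool:
    """Any step that will save a cache at the end of the job."""
    uses = str(step.get("uses", ""))
    inputs = step.get("with") or {}
    if uses.startswith("actions/cache"):
        return True
    return uses.startswith(SETUP_ACTIONS_WITH_CACHE) and bool(inputs.get("cache"))


def find_risky_jobs(workflow: dict) -> list[str]:
    """Return one finding per job that runs untrusted code under a privileged trigger."""
    findings: list[str] = []
    privileged = sorted(_triggers(workflow) & PRIVILEGED_TRIGGERS)
    if not privileged:
        return findings  # plain pull_request jobs get no secrets and a PR-scoped cache
    for name, job in (workflow.get("jobs") or {}).items():
        steps = job.get("steps") or []
        head = any(_checks_out_pr_head(s) for s in steps)
        cache = any(_writes_cache(s) for s in steps)
        if head and cache:
            findings.append(f"{name}: {privileged} + PR-head checkout + writable cache (cache poisoning path)")
        elif head:
            findings.append(f"{name}: {privileged} + PR-head checkout (untrusted code with secrets)")
    return findings


# Constructed sample: the risky pattern. Not the TanStack workflow.
RISKY_WORKFLOW = {
    True: {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"ref": "${{ github.event.pull_request.head.sha }}"}},
        {"uses": "actions/setup-node@v4", "with": {"node-version": 20, "cache": "npm"}},
        {"run": "npm ci && npm test"},
    ]}},
}

# Constructed sample: same job on the unprivileged trigger, checking out the merge ref.
HARDENED_WORKFLOW = {
    True: {"pull_request": None},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"uses": "actions/setup-node@v4", "with": {"node-version": 20, "cache": "npm"}},
        {"run": "npm ci && npm test"},
    ]}},
}

if __name__ == "__main__":
    for label, wf in (("risky", RISKY_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, find_risky_jobs(wf) or "no findings")
```

To run it over a real repository, load each `.github/workflows/*.yml` with `yaml.safe_load` and pass the result to `find_risky_jobs`; the check is deliberately narrow (it does not follow reusable workflows or composite actions), so treat an empty result as "nothing obvious", not as a clean bill.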
node‑ipc npm hijacked: three releases shipped DNS‑based credential exfiltration
Hackers slipped infostealers into node‑ipc@9.1.6, 9.2.3, and 12.0.1, running from node‑ipc.cjs on load. Using a hijacked maintainer account (“atiertant”), the malware fingerprints hosts, scoops cloud/CI creds, SSH keys, .envs, keychains, and more, then exfiltrates via DNS TXT. Traffic bootstraps off sh.azurestaticprovider[.]net and streams to bt.node.js with xh/xd/xf prefixes. No persistence or second stage observed; the aim is rapid credential theft.
Why it matters: Egress tuned for web traffic misses this, letting one dependency update quietly vacuum cloud and CI secrets.
Snyk Blog by Brian Vermeer
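The point of the node-ipc item is that DNS-carried exfiltration slips past egress controls tuned for HTTP, so the useful control is on the resolver side. The detector below is an added example written for this newsletter, not Snyk's or node-ipc's code. It scores TXT queries on subdomain length, label length and entropy, then alerts only when one client sends several such queries to the same parent domain. The resolver log format and every hostname in it are constructed for the example (the domain `exfil-placeholder.test` is a placeholder, not an indicator from the advisory); the `xd.` label mirrors the page's mention of short prefixes but the encoding shown is invented.

```python
"""Flag DNS TXT query patterns consistent with data exfiltration over DNS.
Added example; not Snyk's or node-ipc's code. Log lines are constructed."""
from __future__ import annotations

import math
import re
from collections import defaultdict

# Constructed resolver log format: time, client IP, query type, query name.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)$"
)


def shannon_entropy(s: str) -> float:
    """Bits per character; hex-encoded payloads sit near 4.0, words near 3.0 or below."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict | None:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def parent_domain(qname: str, depth: int = 2) -> str:
    """Registrable-domain approximation: last `depth` labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def score_query(qname: str) -> list[str]:
    """Return the reasons a single query name looks like it carries a payload."""
    labels = qname.rstrip(".").split(".")[:-2]  # subdomain part only
    payload = "".join(labels)
    reasons = []
    if len(payload) > 40:
        reasons.append("long-subdomain")
    if labels and max(len(l) for l in labels) >= 32:
        reasons.append("long-label")
    # Entropy is only meaningful on a reasonably long string; short DKIM
    # selectors like default._domainkey would otherwise score high.
    if len(payload) >= 24 and shannon_entropy(payload) > 3.5:
        reasons.append("high-entropy")
    return reasons


def detect(lines: list[str], min_queries: int = 5) -> list[dict]:
    """Alert per (client, parent domain) once enough suspicious TXT queries accumulate."""
    hits: dict[tuple[str, str], list[list[str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["qtype"] != "TXT":
            continue
        reasons = score_query(rec["qname"])
        if reasons:
            hits[(rec["client"], parent_domain(rec["qname"]))].append(reasons)
    alerts = []
    for (client, domain), reason_lists in hits.items():
        if len(reason_lists) >= min_queries:
            merged = sorted({r for rs in reason_lists for r in rs})
            alerts.append({"client": client, "domain": domain, "count": len(reason_lists), "reasons": merged})
    return alerts


# Constructed sample log: ordinary mail-related TXT lookups, one stray long
# query from another host, and a burst of hex-labelled TXT queries from one client.
SAMPLE_LOG = [
    "2026-05-11T09:14:00Z client=10.0.0.8 qtype=TXT qname=_dmarc.example.com.",
    "2026-05-11T09:14:01Z client=10.0.0.8 qtype=TXT qname=default._domainkey.example.com.",
    "2026-05-11T09:14:01Z client=10.0.0.8 qtype=A qname=registry.npmjs.org.",
    "2026-05-11T09:14:02Z client=10.0.0.8 qtype=TXT qname=xd.0123456789abcdef0123456789abcdef01234567.exfil-placeholder.test.",
    "2026-05-11T09:14:02Z client=10.0.0.23 qtype=TXT qname=xd.4a1f9e7c3b2d8056e9f1a2b3c4d5e6f7a8b9c0d1.exfil-placeholder.test.",
    "2026-05-11T09:14:02Z client=10.0.0.23 qtype=TXT qname=xd.0c3e5a7f9b1d2468ace0246813579bdf13579bdf.exfil-placeholder.test.",
    "2026-05-11T09:14:03Z client=10.0.0.23 qtype=TXT qname=xd.deadbeefcafef00d0123456789abcdef01234567.exfil-placeholder.test.",
    "2026-05-11T09:14:03Z client=10.0.0.23 qtype=TXT qname=xd.9f8e7d6c5b4a39281706f5e4d3c2b1a0ffeeddcc.exfil-placeholder.test.",
    "2026-05-11T09:14:04Z client=10.0.0.23 qtype=TXT qname=xd.1122334455667788990011aabbccddeeff001122.exfil-placeholder.test.",
    "2026-05-11T09:14:04Z client=10.0.0.23 qtype=TXT qname=xd.abcdef0123456789fedcba9876543210a1b2c3d4.exfil-placeholder.test.",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The per-client volume threshold is what keeps this from paging on every odd-looking DKIM or verification record; tune `min_queries` to your resolver's baseline and pair the alert with an allowlist of parent domains that legitimately carry long TXT labels (ACME challenges, some CDN verification records).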
Tool Spotlight
New repos and releases worth trying.
SafeHarbor: Memory-augmented guardrails that evolve with your agent
Beihang's SafeHarbor proposes a hierarchical memory guardrail for tool-using LLM agents, injecting context-aware defense rules dynamically and evolving them via an entropy-based split/merge mechanism. It targets the over-refusal tradeoff and is training-free and plug-and-play, with an open GitHub repo. Reported results: GPT-4o kept 63.6% benign utility while refusing over 93% of harmful requests.
Why it matters: Turning safety into a structured, evolving memory makes refusal tuning less of a blunt dial and more of a per-tool policy.
gosentry: LibAFL-powered fuzzing as a drop-in Go toolchain
Trail of Bits forked the Go toolchain into gosentry, keeping testing.F and go test -fuzz while swapping in a LibAFL engine. It adds struct-aware fuzzing, Nautilus grammar fuzzing, and detectors for integer overflows, goroutine leaks, data races, and timeouts. Existing harnesses run unchanged; campaigns persist in Go's fuzz cache and can emit one-command coverage reports.
Why it matters: Go shops get modern fuzz primitives without harness churn, closing a long-standing testing disadvantage for Go-heavy services and ML infra.
Trail of Bits by Kevin Valerio
Roam 13.1: Local code graph and gates for coding agents
roam-code 13.1 (PyPI; 13.2 now available) builds a local SQLite-backed code graph and exposes it via 238 CLI commands, 224 MCP tools (57 core), and an LSP across 28 language families. It runs entirely on your machine (Apache-2.0) and doubles as an assurance layer: change preflight, CI gates, SARIF, and tamper-evident evidence. Concrete win: repo-wide stale link fixes after a docs rename in one pass.
Why it matters: Agents finally get the missing map of the code plus an audit trail, so AI-authored patches move from hunches to accountable, reviewable change.
Community Chatter
What practitioners are debating.
Are AI Tools Inflating CVE Counts? VulnCheck Says the Wave Is Here
VulnCheck claims AI‑assisted code review is reshaping disclosure, pointing to recent spikes and clusters of similar bugs landing in batches. In the Lobsters thread, skeptics question attribution, citing new CNAs and policy changes at issuers; backers say LLM‑guided auditing and fuzzer scaffolding are already standard on bounty teams.
Why it matters: When discovery scales but prioritization doesn’t, exploitable signal gets buried while attackers cherry‑pick the easiest wins.
Schneier Questions Anthropic’s Mythos Hype as Others Match Results
Anthropic withheld Claude Mythos Preview, saying it’s too good at finding software vulnerabilities; Schneier notes the UK AI Security Institute rated GPT‑5.5 comparable and Aisle reproduced results with smaller, cheaper models. He also cites Mozilla using Mythos to uncover 271 Firefox issues, arguing attackers and defenders will both automate discovery.
Why it matters: Gated releases don’t blunt offense when others can match the capability; the real leverage is shrinking the exploit‑to‑patch interval.
Schneier on Security by Bruce Schneier
‘Purple Teaming’ Debate: Metrics Show Hours, Op‑Ed Says Seconds
A THN op‑ed says most “purple teams” are just red and blue sharing a room, not a tight loop, blaming human handoffs for blown response. It claims time‑to‑exploit fell from 56 days (2024) to 23 days (2025) to roughly 10 hours across 3,532 CVE–exploit pairs; practitioners dispute methods and sampling, but few deny attacker automation is outrunning SOC workflows.
Why it matters: The bottleneck has moved from detection fidelity to the messy glue work between tools, tickets, and teams.
Quick Hits
- OpenAI rotates app certs after TanStack breach (The Register Security) — OpenAI rotates ChatGPT Desktop, Codex, and Atlas signing certs after TanStack npm breach compromised two staff devices and siphoned internal credentials.
- Shai-Hulud worm source released by TeamPCP (SecurityWeek) — TeamPCP published Shai-Hulud worm source and launched a 'supply chain challenge,' inviting copycats to weaponize npm and GitHub poisoning tools.
- Claude Code deeplink bug enables remote code execution (0day.click) — Researcher shows Claude Code remote code execution via deeplink handlers and settings injection, triggered by crafted links.
- OWASP releases Top 10 risks for Agentic AI (Bluesky (@graylog.bsky.social)) — OWASP released a Top 10 for Agentic AI risks covering common agent failures beyond prompt injection.