Full Report
Shai-Hulud worm exploited GitHub Actions misconfiguration to poison shared cache, now project weighing nuclear option on unsolicited contributions
Analysis Summary
# Incident Report: Shai-Hulud Worm Supply Chain Attack on TanStack
## Executive Summary
The TanStack open-source project was targeted by a supply chain attack involving the "Shai-Hulud" worm, which exploited a misconfiguration in GitHub Actions (`pull_request_target`). The attackers successfully poisoned a shared build cache, potentially affecting the entire repository's CI/CD pipeline. In response, TanStack is considering "nuclear" security options, including moving to an invitation-only pull request model.
## Incident Details
- **Discovery Date:** May 2026 (Reported May 18, 2026)
- **Incident Date:** Week of May 11, 2026
- **Affected Organization:** TanStack
- **Sector:** Open Source Software / Software Development Tools
- **Geography:** Global / Distributed
## Timeline of Events
### Initial Access
- **Date/Time:** May 2026
- **Vector:** Malicious Pull Request (PR)
- **Details:** An external contributor submitted a PR that triggered an automatic workflow. Because TanStack used the `pull_request_target` trigger incorrectly, the malicious code was executed in the context of the base repository.
### Lateral Movement
- **Mechanism:** The worm extracted secrets from the GitHub Actions memory and utilized a shared cache. By poisoning the `pnpm` and GitHub Actions cache, the malicious code could persist and affect subsequent, legitimate builds within the repository.
### Data Exfiltration/Impact
- **Impact:** Compromise of the CI/CD pipeline environment. The worm sought to extract repository secrets and poison shared build artifacts/dependencies.
### Detection & Response
- **Detection:** Identified as a variant of the "Shai-Hulud" worm by the malware group "TeamPCP."
- **Response actions taken:** Immediate removal of vulnerable triggers, cache purging, and implementation of stricter dependency controls (pnpm `minimumReleaseAge`).
## Attack Methodology
- **Initial Access:** Exploitation of GitHub Actions `pull_request_target` workflow trigger.
- **Persistence:** Cache poisoning (injecting malicious code into the shared build cache used by `pnpm` and GitHub Actions).
- **Privilege Escalation:** Exploiting the elevated permissions associated with `pull_request_target` compared to the standard `pull_request` trigger.
- **Credential Access:** Memory scraping within the GitHub Action runner to extract secrets/tokens.
- **Lateral Movement:** "Silent bridging" between fork PRs and base-repo branches via the shared cache.
- **Impact:** Supply chain compromise via poisoned build artifacts.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with developer time for remediation and auditing.
- **Data Breach:** Extraction of CI/CD secrets/environment variables.
- **Operational:** Disruption of standard contribution workflows; temporary disabling of CI features (caching).
- **Reputational:** High; forced the project to reconsider the "open contribution" model fundamental to open source.
## Indicators of Compromise
- **Behavioral indicators:**
- Unexpected workflows triggered by external PRs.
- Unauthorized access to memory on GitHub Action runners.
- Modification of shared `pnpm` cache files by unverified code.
## Response Actions
- **Containment:** Removed all instances of `pull_request_target` from CI pipelines.
- **Eradication:** Disabled and cleared all GitHub Action and `pnpm` caches.
- **Recovery:**
- Switched 2FA from SMS to more secure methods.
- Pinned all GitHub Actions to specific commit SHAs.
- Implemented `minimumReleaseAge` in `pnpm` 11 to delay adoption of brand-new (potentially malicious) packages.
## Lessons Learned
- **Key takeaways:** The `pull_request_target` feature is highly dangerous if used to build or run untrusted code from PRs, as it grants the PR access to the base repository's secrets and write-permissions.
- **Systemic Issues:** GitHub's cache scoping does not sufficiently isolate fork-based PRs from base-repo branches, allowing for cross-pollination of malicious artifacts.
## Recommendations
- **Avoid `pull_request_target`:** Do not use this trigger for workflows that execute code from a PR (e.g., tests or builds). Use the standard `pull_request` trigger which runs in a restricted context.
- **Pin Actions:** Never use version tags (e.g., `v1`); always use immutable commit SHAs for GitHub Actions.
- **Cache Isolation:** Treat build caches as untrusted if they can be written to by external PRs.
- **Dependency Guardrails:** Implement tools like `pnpm`'s `minimumReleaseAge` to mitigate "protestware" or immediate supply chain injections.
- **Authentication:** Move away from SMS-based 2FA for all repository maintainers.