Security Advisory Review: Shai-Hulud / CVE-2026-45321 — MeshMonitor is Not Affected #3044
Yeraze announced in Announcements (0 comments)
Date: 2026-05-16
Reviewer: Maintainer
Disposition: ✅ Not affected — no remediation required
Background
In May 2026, a new wave of the "Mini Shai-Hulud" npm supply-chain worm compromised ~42 packages in the @tanstack namespace, along with secondary victims in @mistralai, @uipath, @draftlab, @squawk, @guardrails, @opensearch-project, and others. The TanStack incident was assigned CVE-2026-45321 (CVSS 9.6). Affected versions ship a malicious payload that:
- drops persistence artifacts into .claude/, .vscode/, and user systemd/launchd directories
- adds a codeql_analysis.yml workflow to exfiltrate via CI
Confirmed compromised packages include the TanStack router family (@tanstack/react-router, vue-router, solid-router, router-core, react-start, router-plugin) at versions 1.169.5, 1.169.8, 1.167.68, 1.167.71, 1.167.38, 1.167.41.
Why we checked
MeshMonitor depends on packages in the @tanstack/* namespace, so a manual review was warranted to confirm we were not pulling a compromised package or version, directly or transitively.
What we verified
1. Installed @tanstack/* packages are not on the compromised list
We ship from the query and virtual lines only — not the router line that was hit.
None of these packages or versions appear in the GHSA-g7cv-rxg3-hmpx advisory. No manifest (package.json, package-lock.json, desktop/package.json, tests/mock-oidc/package.json, protobufs/packages/ts/package.json) references any compromised router package or the malicious "@tanstack/setup": "github:tanstack/router#…" dependency.
2. No payload files in the tree
Searched the full repo (including node_modules/@tanstack/*) for the known payload filenames:
- router_init.js — not present
- router_runtime.js — not present
- tanstack_runner.js — not present
- setup.mjs — not present
- bundle.js (root-level) — not present
- shai-hulud* — not present
3. No persistence artifacts
- .claude/ contains only the expected agent-memory/, agents/, commands/, skills/, settings.json, and a benign Claude Code session lockfile. No router_runtime.js or setup.mjs.
- .vscode/ directory does not exist.
- ~/.config/systemd/user/gh-token-monitor.service — not present on the dev host.
- .github/workflows/codeql_analysis.yml — our existing codeql.yml is the legitimate one.
4. No network or string IOCs
Grep of the full repo returned zero hits for:
- filev2.getsession.org
- api.masscan.cloud
- git-tanstack.com
- litter.catbox.moe
- 83.142.209.194
- svksjrhjkcej
- IfYouRevokeThisTokenItWillWipeTheComputerOfTheOwner
- Shai-Hulud: Here We Go Again.
- Mini Shai-Hulud has Appeared.
- gh-token-monitor
Disposition
MeshMonitor is not affected by CVE-2026-45321. No code changes, dependency bumps, token rotation, or user action is required.
Forward-looking guidance
- If a future change adds @tanstack/react-router or any other router-family @tanstack/* package, verify the resolved version is outside the compromised set in GHSA-g7cv-rxg3-hmpx before merging.
- If you ran npm install in a dev environment that also installs other unrelated packages, we recommend scanning your own host for the IOCs listed above.
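The resolved-version check from step 1 and the pre-merge guidance above, as an added example that is not MeshMonitor's own code: it walks a package-lock.json (lockfileVersion 2/3 layout is assumed) and flags any router-family @tanstack package, direct or transitive, resolved to a version in the compromised set, and separately flags the injected "@tanstack/setup" git dependency in a package.json. The sample manifests are constructed for the demo.

```javascript
// Added example, not MeshMonitor's code: check an npm lockfile and package.json
// against the router-family packages and versions named in this advisory.
// Assumption: package-lock lockfileVersion 2/3 layout ("packages" keyed by
// node_modules path); the sample manifests below are constructed for the demo.
const COMPROMISED_PKGS = new Set([
  '@tanstack/react-router', '@tanstack/vue-router', '@tanstack/solid-router',
  '@tanstack/router-core', '@tanstack/react-start', '@tanstack/router-plugin',
]);
const COMPROMISED_VERSIONS = new Set([
  '1.169.5', '1.169.8', '1.167.68', '1.167.71', '1.167.38', '1.167.41',
]);
// Package name from a lockfile path; nested copies keep the segment after the
// final "node_modules/" (e.g. "node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i < 0 ? '' : p.slice(i + 'node_modules/'.length);
}
// Every installed copy, direct or transitive, whose name AND resolved version
// are both on the compromised list. Returns [{ name, version, path }].
function findCompromised(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(p);
    if (COMPROMISED_PKGS.has(name) && COMPROMISED_VERSIONS.has(meta.version)) {
      hits.push({ name, version: meta.version, path: p });
    }
  }
  return hits;
}
// The injected "@tanstack/setup" dependency pinned to a git ref on tanstack/router.
function hasMaliciousSetupDep(manifest) {
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const spec = (manifest[field] || {})['@tanstack/setup'];
    if (typeof spec === 'string' && spec.startsWith('github:tanstack/router#')) return true;
  }
  return false;
}
// Constructed sample lockfiles (query/virtual versions are placeholders).
const CLEAN_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.0' },
  'node_modules/@tanstack/react-query': { version: '5.0.0' },
  'node_modules/@tanstack/react-virtual': { version: '3.0.0' },
} };
const BAD_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '0.0.0' },
  'node_modules/@tanstack/react-router': { version: '1.169.5' },
  'node_modules/some-lib/node_modules/@tanstack/router-core': { version: '1.167.68' },
} };
```

Running findCompromised over the real lockfile (JSON.parse of package-lock.json) in CI before merge is the check the guidance above asks for; a non-empty result should fail the build.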