Supply Chain Compromise via GitHub Actions OIDC Token Extraction and Cache Poisoning
Attackers exploited a pull_request_target misconfiguration combined with GitHub Actions cache poisoning and in-memory OIDC token extraction to publish 84 malicious npm package versions under a trusted publisher identity, delivering credential-harvesting malware at install time.
CVE References
Affected
Vulnerability Description
This attack chains three distinct weaknesses in a GitHub Actions security posture. Class 1: pull_request_target misconfiguration. Unlike pull_request, the pull_request_target event runs in the context of the base repository, with the base repository's permissions, secrets and (where granted) OIDC token issuance; a workflow that checks out and executes the pull request's head commit under that trigger hands those privileges to whoever opened the PR. Class 2: cache poisoning across the fork boundary. Because the pull_request_target job runs on the base branch, any Actions cache entries it writes (for example a node_modules or tool cache keyed only on a lockfile hash) are restorable by later trusted runs on that branch, so a malicious artifact planted from a fork executes in a subsequent legitimate CI run. Class 3: runtime OIDC token extraction. Any step in a job granted id-token: write can request a token from the runner (the runner exposes the request endpoint to every step through the ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variables), and a token read out of the runner before the publish step consumes it is already minted for the intended audience, so audience restrictions do not protect against it. The root cause is insufficient isolation between the untrusted (PR) and trusted (base repository) execution contexts, combined with cache keys that do not distinguish the two and no protection for token material once it exists in the runner.
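The three classes above all come from the same workflow shape. The following added example (not code from the advisory or from the TanStack project) embeds a constructed vulnerable workflow next to a constructed hardened pair, and runs a small regex-based linter over them that flags the combinations that matter: pull_request_target checking out the PR head, pull_request_target with id-token: write, a cache step in a pull_request_target job, and a publish step reachable from a PR-triggered workflow or not gated by an environment. The workflow texts, job names, and the "npm-publish" environment name are assumptions; the checks are line-based heuristics, not a YAML-aware policy engine.

```python
import re

# Constructed sample of the anti-pattern; this is NOT the real TanStack workflow.
# A fork PR makes this job run attacker code with base-repo permissions, a
# writable base-branch cache, and id-token: write.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  test-and-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps-${{ hashFiles('package-lock.json') }}
      - run: npm ci
      - run: npm publish --provenance
"""

# Constructed hardened split: PR runs get no secrets, no id-token and no cache;
# publishing is a separate tag-triggered job behind a protected environment.
HARDENED_PR_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test
"""

HARDENED_PUBLISH_WORKFLOW = """\
name: publish
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish      # hypothetical environment with required reviewers
    permissions:
      id-token: write             # only this job can mint an OIDC token
    steps:
      - uses: actions/checkout@v4 # checks out the tagged commit, never a PR head
      - run: npm ci
      - run: npm publish --provenance
"""

_CHECKS = {
    "prt":     re.compile(r"^\s*pull_request_target\s*:", re.M),
    "pr_head": re.compile(r"github\.(event\.pull_request\.head\.(sha|ref)|head_ref)"),
    "idtoken": re.compile(r"^\s*id-token\s*:\s*write\b", re.M),
    "cache":   re.compile(r"uses:\s*actions/cache@"),
    "publish": re.compile(r"\bnpm\s+publish\b"),
    "env":     re.compile(r"^\s*environment\s*:", re.M),
}

def lint_workflow(text):
    """Return (severity, message) findings for one workflow file.
    Regex/line based: it cannot tell which job a key belongs to, so treat a hit
    as a prompt to read the workflow, not as proof by itself."""
    h = {k: bool(p.search(text)) for k, p in _CHECKS.items()}
    out = []
    if h["prt"] and h["pr_head"]:
        out.append(("critical", "pull_request_target checks out the PR head: untrusted code runs with base-repo permissions"))
    if h["prt"] and h["idtoken"]:
        out.append(("critical", "pull_request_target workflow grants id-token: write: any fork PR can mint an OIDC token"))
    if h["prt"] and h["cache"]:
        out.append(("high", "pull_request_target job uses actions/cache: entries it writes are restorable by trusted base-branch runs"))
    if h["publish"] and h["prt"]:
        out.append(("critical", "npm publish is reachable from a PR-triggered workflow"))
    if h["publish"] and not h["env"]:
        out.append(("high", "npm publish step is not gated by a protected environment"))
    return out

if __name__ == "__main__":
    for name, wf in [("vulnerable", VULNERABLE_WORKFLOW),
                     ("hardened-pr", HARDENED_PR_WORKFLOW),
                     ("hardened-publish", HARDENED_PUBLISH_WORKFLOW)]:
        print(name, lint_workflow(wf) or "clean")
```

Run it against the `.github/workflows/*.yml` files of a repository to triage; the hardened pair keeps id-token: write out of every job a fork can trigger, which is the control that actually matters once a token is minted.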
Proof-of-Concept Significance
This PoC demonstrates end-to-end compromise of the trusted-publisher model for npm package distribution. The attack is highly reliable because it leverages legitimate GitHub Actions infrastructure: no zero-days are required, only policy misconfigurations. Preconditions: (1) the repository accepts external PRs, (2) a workflow uses pull_request_target and runs or checks out PR-controlled content without strict validation, (3) that workflow, or a trusted workflow that restores a cache it can write, publishes to npm using OIDC tokens. The attacker authenticated 84 publish operations as the legitimate TanStack/router identity within a 6-minute window, proving that token extraction is feasible. This undermines the security guarantees of the OIDC trusted-publisher flow and applies immediately to thousands of repositories with similar configurations.
Detection Guidance
Log Indicators (GitHub Actions audit logs):
- Multiple consecutive npm publish operations from a single GitHub Actions workflow in an anomalously short time window (6 minutes for 84 publishes)
- Pull request to the repository immediately preceding high-volume publish activity
- OIDC token issuance for a workflow run followed by npm publish activity the run's own steps do not account for (more publish calls, or more packages, than the workflow defines)
- Cache writes from PR context followed by cache reads in base repository context
npm Registry Signals:
- Rapid version publication of multiple packages by a single publisher within minutes
- Version metadata that differs significantly from prior versions (large payload changes, new transitive dependencies)
- Package downloads from unusual geographies or patterns post-publication
Endpoint Detection:
- Installation of npm packages triggering node_modules/.bin/* execution outside of an interactive user context
- Subprocess spawning from npm install hooks attempting to read ~/.aws/, ~/.ssh/, ~/.npmrc, or environment variables
- Network egress to Session/Oxen messenger infrastructure (filev2.getsession.org, seed{1,2,3}.getsession.org) on port 443
- Base64-encoded or obfuscated JavaScript in node_modules/*/router_init.js (2.3 MB+ payloads are anomalous)
YARA Rule Concept:
rule npm_credential_harvester_session_exfil {
    meta:
        description = "Oversized npm install payload referencing Session/Oxen infrastructure and credential sources"
    strings:
        $session_domain   = "filev2.getsession.org" nocase
        // a bare "seed" string matched almost any file; anchor it to the seed hosts
        $seed_domain      = /seed[0-9]\.getsession\.org/ nocase
        $aws_metadata     = "http://169.254.169.254" nocase
        $ssh_path         = "~/.ssh/" nocase
        $github_token_env = "GITHUB_TOKEN" nocase
    condition:
        filesize > 2000000 and 3 of them
}
Mitigation Steps
Immediate Actions:
- Audit GitHub Actions workflows in your repositories: disable pull_request_target unless absolutely necessary; use pull_request instead, which runs fork PRs without repository secrets and with a read-only GITHUB_TOKEN.
- Invalidate and rotate all long-lived npm publish tokens and GitHub PATs immediately. OIDC tokens are short-lived and cannot be rotated; instead review each package's npm trusted-publisher configuration and remove or re-create the workflow binding the attacker abused.
- Inspect package-lock.json and yarn.lock for any installs of affected @tanstack/* versions published between 2026-05-11 19:20–19:26 UTC; delete node_modules/ and reinstall from safe versions.
- Audit GitHub Actions cache usage: never restore, in a trusted job, a cache that a PR-triggered job can write; use separate cache key prefixes for untrusted contexts.
Medium-term Hardening:
- Scope OIDC token issuance in publish workflows: set the token audience explicitly and keep tokens short-lived (5–15 minutes), but note that an audience restriction alone does not stop a token stolen from the publish job itself, since that token is minted for the intended audience; the effective control is to grant id-token: write only to the publish job and never to a job a PR can trigger.
- Add integrity checks to published packages (verify dist-tags, cryptographic signatures via npm provenance).
- Enforce code review requirements before CI trigger; separate PR workflows from publish workflows entirely.
- Use GitHub Actions environment secrets and limit OIDC token issuance to specified environments, not all PRs.
- Implement Software Composition Analysis (SCA) to detect behavioral anomalies in transitive dependency installation (credential harvest attempts).
Detection Deployment:
- Deploy endpoint detection agents to intercept npm postinstall hook execution; block access to sensitive credential paths.
- Monitor egress to Session/Oxen infrastructure and block at network boundary.
- Implement npm package provenance verification; reject packages with mismatched publisher identity or signature validation failure.
Risk Assessment
Likelihood of Exploitation in the Wild: Very High. This attack requires only GitHub Actions policy misconfigurations, not zero-days. Thousands of repositories use pull_request_target unsafely. The 84-package simultaneous compromise suggests this is not opportunistic; the attacker has sophisticated knowledge of the attack surface.
Threat Actor Interest: Sustained. The targeting of @tanstack/* packages (popular React ecosystem libraries) and simultaneous multi-package compromise indicates either a state-aligned actor or organized cybercriminal group. The exfiltration to Session/Oxen (privacy-focused, decentralized) suggests intent to evade law enforcement attribution and maintain operational security.
Business Impact: Critical. Every organization using affected @tanstack/* versions has had cloud credentials, GitHub tokens, and SSH keys potentially exfiltrated. Secondary victims include downstream consumers of packages depending on compromised versions. Supply chain trust has been demonstrably broken; dependency on automated trust signals (OIDC, npm provenance) is now high-risk without additional verification layers.
Sources