"getSession() trusts forged client cookies. ShipCheck catches this on every git commit — shipcheck install-hook"
11
getSession() trusts a client cookie that can be forged. Fix: use getUser() on server. ShipCheck catches this automatically.
14
"getSession() trusts forgeable client cookies, allowing attackers to impersonate users, steal data, and take over accounts. Run npx @shipcheck/cli"
14
The compromise of the Mistral-AI packages I covered the other day is reported to have been part of "Mini-Shai-Hulud", a supply chain attack campaign by TeamPCP. In this campaign, over 170 packages and over 400 versions are reported to have been published all at once in just five hours.
The technique is a multi-stage attack: from a fork of the repository, a misconfiguration in the CI auto-run settings is exploited to poison the build cache; then, triggered by a legitimate maintainer's merge, authentication tokens are extracted from the CI environment and the legitimate build pipeline is hijacked.
Because the SLSA provenance attestation that proves a package's origin is issued automatically on the build environment, the malicious packages were published with legitimate signatures intact.
[Key points]
・In "TanStack", three known vulnerability classes were chained, according to the analysis: a misconfiguration of the CI auto-run setting (pull_request_target), GitHub Actions cache poisoning, and direct extraction of the temporary authentication token (OIDC token) from the CI runner's process memory, resulting in malicious versions being published with SLSA provenance attestations.
・The targets span 42 packages (84 versions) of "TanStack", the family of routing and related libraries for React, Vue and Solid; the official packages of the AI company Mistral-AI (three versions each of the core SDK, the Azure integration and the GCP integration); 65 packages of the automation platform "UiPath"; the "OpenSearch" JavaScript client; and the PyPI package of the AI safety framework "Guardrails-AI".
・As the destination for stolen credentials, the decentralized, takedown-resistant encrypted messenger "Session" (*[.]getsession[.]org) was reportedly adopted for the first time in "Mini-Shai-Hulud". The worm also spread copies of itself to compromised maintainers' repositories via the GitHub API, and a technique of disguising the commit author name as Anthropic's "Claude-Code" was observed.
・The Python-side payload newly added functionality targeting the password managers "1Password" and "Bitwarden". The analysis also notes region-based conditional branching, such as file deletion triggered with a 1/6 probability when Israeli or Iranian language/region settings are detected, and skipping execution in Russian-language environments.
For details see: wiz.io/blog/mini-shai-hulud-…
2
4
1,176
May 12
The Mini Shai-Hulud worm achieved something no previous npm supply chain attack has: it published malicious packages with valid SLSA Build Level 3 provenance attestations. That means the packaging system itself attested that these backdoored packages came from the official build process.

How the attackers bypassed SLSA's trust model:
Opened a normal-looking pull request (#7378) on TanStack.
GitHub Actions ran CI tests on that PR.
Malicious code inside the PR stole the workflow's GitHub Actions Cache write token during the test run.
Attacker used that token to plant poisoned files in the shared build cache.
The PR could be closed afterward. The poisoned cache remained.
The official release workflow later pulled from the cache, baked malicious files into the build, and published 84 compromised versions with valid SLSA provenance.

Why the provenance was trusted:
The repository's OIDC trusted publisher configuration granted trust at the repository level, not scoped to a specific protected branch and workflow file.
The workflow run triggered by the attacker's orphaned commit was able to request a valid short-lived npm publish token.

What the worm does with stolen credentials:
Locates a publishable npm token with bypass_2fa set to true.
Enumerates every package published by the same maintainer.
Exchanges a GitHub OIDC token for a per-package publish token.
Sidesteps traditional authentication entirely.

The payload targets:
GitHub tokens, npm tokens, GitHub Actions OIDC tokens.
AWS credentials and instance metadata.
Kubernetes service account files.
HashiCorp Vault tokens and local Vault endpoints.
Environment variables and local filesystem secrets.

Persistence and evasion:
Exfiltrates to filev2.getsession[.]org (Session Protocol infrastructure, unlikely to be blocked).
Fallback exfiltration via GitHub GraphQL API under author name claude@users.noreply.github.com.
Persistence hooks in Claude Code and VS Code.
gh-token-monitor service to re-exfiltrate GitHub tokens.
Two malicious GitHub Actions workflows to serialize and upload repository secrets.

The scale:
373 malicious package-version entries across 169 npm package names. The list is still moving.
The worm spreads across both npm and PyPI.

SLSA provenance assures that a package came from a trusted build system. It does not assure that the trusted build system was not compromised.
The Mini Shai-Hulud worm did not break cryptography. It abused trust at the repository configuration layer.
1
1
5
584
May 12
Mini Shai-Hulud Worm Expands: 373 Malicious npm Package Versions, Valid SLSA Provenance, and OIDC Token Hijacking

The self-propagating Mini Shai-Hulud worm has escalated dramatically, now compromising 373 malicious package-version entries across 169 npm package names. The affected packages include uipath, squawk, tallyui, beproduct, and several unscoped packages, with the list continuing to grow. The malware is not just stealing credentials—it is using stolen tokens to publish new compromised versions, turning victim environments into distribution nodes.

🎯 How the Attack Works
→ Malware runs inside build systems, developer machines, and CI/CD runners.
→ Steals npm tokens, GitHub tokens, OIDC tokens, AWS credentials, Kubernetes service account tokens, HashiCorp Vault tokens, and environment variables.
→ Uses stolen tokens to find packages the victim can publish, injects malicious code, bumps versions, and publishes new compromised releases.
→ Spreads across both npm and PyPI ecosystems.

🔴 CVE-2026-45321, CVSS 9.6

The TanStack Compromise Chain:
→ Attacker opened pull request #7378 on the TanStack repository.
→ GitHub Actions CI ran tests on the PR.
→ Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run.
→ Attacker used that token to plant poisoned files in the shared build cache. The PR could be closed afterwards. The poisoned cache remained.
→ The official release workflow later pulled from the cache, baked the malicious files into the build, and signed and published 84 malicious package versions to npm.

Key Innovation: Valid SLSA Provenance via Trusted Publishing
→ Compromised packages carry valid SLSA Build Level 3 provenance attestations.
→ This is the first documented npm worm that produces validly attested malicious packages.
→ Attackers abused trusted publishing: attacker-controlled code running within a workflow leveraged its OIDC permissions to "mint" a short-lived npm publish token during the build.
→ The repository's OIDC trusted publisher configuration granted trust at the repository level rather than scoped to a specific protected branch and workflow file. The workflow run triggered by the orphaned commit was able to request a valid short-lived npm publish token.

🐛 What Makes This a Worm
→ The malware locates a publishable npm token with bypass_2fa set to true.
→ It enumerates every package published by the same maintainer.
→ It exchanges a GitHub OIDC token for a per-package publish token, sidestepping traditional authentication entirely.

Evasion and Persistence
→ Malware exfiltrates data to filev2.getsession[.]org (Session Protocol infrastructure, unlikely to be blocked in enterprises).
→ Fallback exfiltration via GitHub GraphQL API using stolen tokens, committing data under author name claude@users.noreply.github.com.
→ Establishes persistence hooks in Claude Code and Microsoft Visual Studio Code (VS Code) to survive reboots and re-execute the stealer on every launch of the IDEs.
→ Installs a gh-token-monitor service to monitor and re-exfiltrate GitHub tokens.
→ Injects two malicious GitHub Actions workflows to serialize repository secrets into a JSON object and upload the data to api.masscan[.]cloud.

⚠️ What Is Being Stolen
→ GitHub tokens, npm tokens, GitHub Actions OIDC tokens.
→ AWS credentials and instance metadata.
→ Kubernetes service account files.
→ HashiCorp Vault tokens and local Vault endpoints.
→ Environment variables and local filesystem secrets.

Affected Ecosystems
→ npm and PyPI packages.
→ Search infrastructure, AI tooling, aviation-related developer packages, enterprise automation, frontend tooling, CI/CD-adjacent ecosystems.

Detection Indicators
→ Unexpected Bun execution during npm install.
→ Optional dependency failures involving @tanstack/setup.
→ Outbound connections during dependency installation.
→ npm publish activity from workflows that should not have published.
→ GitHub Actions OIDC token requests during unexpected steps.

🛡️ Immediate Actions
→ Rotate npm tokens, GitHub PATs, GitHub Actions secrets, cloud credentials, Kubernetes service account tokens, Vault tokens, and deployment secrets.
→ Audit recent npm publishes, GitHub Actions runs, and provenance records.
→ Do not treat valid SLSA provenance as proof that a package is clean.

The worm is still spreading. The list is still moving. Trusted publishing is now a vector. Valid provenance is no longer assurance.
1
1
6
556
TeamPCP threat group's Shai-Hulud campaign compromised 416 npm/PyPI packages including TanStack and Mistral AI, using stolen OIDC tokens to publish malware with valid SLSA Build Level 3 attestations. Attack exploited legitimate CI/CD pipelines to appear cryptographically authentic.

Technical breakdown:
• Chained 3 vulns: risky pull_request-target workflow, GitHub Actions cache poisoning, OIDC token theft from runner memory
• Clever Git trick: orphaned commit in TanStack/router fork accessed via malicious optional dependency, auto-executing during npm install
• Targets 100 credential types: GitHub PATs, AWS IAM, Kubernetes tokens, HashiCorp Vault, SSH keys, VS Code configs, .env files
• Exfiltration via Session P2P network mimicking encrypted messenger traffic to evade detection
• Persistence through Claude Code hooks and VS Code auto-run tasks survives package removal

Self-propagation: steals GitHub/npm creds → enumerates linked packages → injects payload into tarballs → republishes malicious versions with valid signatures.

Incident responders should audit IDE directories for router_runtime.js/setup.mjs artifacts, rotate all dev credentials, and block C2 infrastructure: api[.]masscan[.]cloud, git-tanstack[.]com, *[.]getsession[.]org.

#DFIR_Radar
1
6
496
IOCs: api.masscan[.]cloud filev2.getsession[.]org git-tanstack[.]com seed1.getsession[.]org
3
293
May 11
🚨 Active supply chain attack on @tan_stack. 84 npm packages in the @tanstack namespace have been compromised with a credential-stealing worm. @tanstack/react-router alone has 12M weekly downloads.

The affected packages span react-router, solid-router, vue-router, start, and dozens more across the TanStack ecosystem. Additional compromised packages were also found in the @uipath namespace and several other organizations. Socket flagged every malicious version within six minutes of publication.

Here's what the malware does:
• Injects a 2.3 MB obfuscated file (router_init.js) that daemonizes itself on install, detaching from the terminal so nothing looks wrong
• Harvests credentials from GitHub Actions (including OIDC tokens), AWS (IMDSv2, Secrets Manager, SSM across multiple regions), HashiCorp Vault, and Kubernetes service accounts
• Uses stolen OIDC tokens to autonomously republish itself to npm under the compromised maintainer's identity, turning every infected CI pipeline into a new propagation vector
• Writes persistence hooks into .claude/ and .vscode/ directories so it survives across reboots and re-executes when developers use Claude Code or open VS Code
• Exfiltrates everything through the Session decentralized P2P network, making C2 traffic nearly indistinguishable from encrypted messaging
• Commits copies of itself to maintainer repositories via GitHub's GraphQL API, spoofing the author as claude@users.noreply.github.com to blend in with legitimate Claude Code activity
• Generates valid Sigstore provenance attestations for the malicious packages, meaning provenance badges alone cannot be trusted as a security signal

The attack vector: an orphaned commit (no parent history) in the TanStack/router repo was used to hijack the CI workflow's OIDC token, bypassing existing publishing protections including 2FA. The commit was authored by the account "voicproducoes," whose repos include projects named "A Mini Shai-Hulud has Appeared," linking this to an ongoing campaign Socket has been tracking.

TanStack maintainer Tanner Linsley confirmed the attack and the team is unpublishing compromised versions and shutting down publishing pipelines while they remediate.

What to do right now:
• Check your dependency tree for router_init.js. SHA256: ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
• Rotate npm tokens, GitHub PATs, AWS credentials, Vault tokens, and K8s service account tokens on any system that installed an affected version
• Audit .claude/ and .vscode/ directories for router_runtime.js, setup.mjs, or unfamiliar hooks
• Check git log for commits authored by claude@users.noreply.github.com that weren't initiated through the legitimate Claude Code app
• Block egress to filev2.getsession[.]org at the DNS level
• Do not trust Sigstore provenance badges alone

Full list of affected packages and IOCs: socket.dev/blog/tanstack-npm…

Developing story...
9
28
186
1,489,666
May 11
Compromises today have grown from TanStack to UiPath and more now. IOC: filev2.getsession[.]org
Update: Socket has found 121 more compromised npm package artifacts across 84 package names, including 64 UiPath artifacts. Combined w/ TanStack, the current known total is 205 affected npm package artifacts across enterprise automation, AI/MCP, auth, workflow, and dev tooling.
1
9
69
19,691
Anthropic has launched "Claude Managed Agents", a hosted agent cloud service. Through an architecture that decouples the "brain (reasoning)" from the "hands (execution)", it lets enterprises deploy production-grade AI agents that run autonomously for long periods without building their own sandboxes, state management and permission systems. claude.com/blog/claude-manag…

Traditional AI agent development faces the typical "infrastructure hassle":
· Sandbox security, state persistence, permission control, adapting to model upgrades: this undifferentiated work consumes a lot of engineering resources
· Teams often spend months building infrastructure before they can start delivering user value

Managed Agents' core value proposition: "you define the task, tools and guardrails, Anthropic runs it", claimed to speed up deployment 10x.

Core capability architecture
1. Production-grade agent runtime: secure sandbox, identity authentication and tool execution fully managed
2. Long-running sessions: supports hours of autonomous operation, with state and outputs persisted after a disconnection
3. Multi-agent coordination: agents can create and schedule other agents to handle complex tasks in parallel
4. Trusted governance: fine-grained permissions, identity management, execution trace tracking

The deeper design philosophy of the technical architecture
The Engineering Blog article reveals the core idea behind its architecture: "decoupling the brain from the hands". anthropic.com/engineering/ma…

1. Virtualization abstraction: future-facing interface design
Borrowing from how operating systems virtualize hardware, Managed Agents abstracts agent components into three core interfaces:
· Session: an append-only event log that stores the full interaction history
· Harness: the loop logic that calls Claude and routes tool requests
· Sandbox: the environment for code execution and file operations
This design lets the underlying implementation evolve freely while the interfaces stay stable. For example, early Claude Sonnet 4.5 had "context anxiety" (ending tasks early when approaching the context limit), which required the controller to proactively reset the context; Opus 4.5 no longer has this problem, and the reset logic became "dead code". The interface design means such adjustments do not break upper-layer applications.

2. From "pets" to "cattle": fault isolation and resilience
Early on, putting all components in a single container led to:
· Container failure = session loss (requiring manual recovery)
· Difficult debugging (requiring entering a container that holds user data)
· Rigid network connectivity assumptions (hard to connect to customers' private clouds)
The decoupled architecture:
· Harness detached from the container: it calls the sandbox via execute(name, input) → string, and the sandbox becomes replaceable "cattle"
· Sessions externalized: after a Harness crash it can recover from the event log via wake(sessionId) getSession(id), a stateless restart
· Security boundary: credentials are stored in Vault, the sandbox reaches them through a proxy, and the agent can never touch the token directly

3. Separating context management
Long-running tasks often exceed Claude's context window. Traditional methods (compression, pruning) are irreversible decisions that may discard information needed later.
Managed Agents' solution:
· Session as an external context object: through the getEvents() interface, the controller can read any slice of the event stream on demand
· Harness owns context engineering: supports strategies such as cache optimization and selective loading, decoupled from persistent storage
· Model-iteration friendly: future context management strategies can evolve independently without affecting session data integrity

4. Performance optimization: the "many brains, many hands" architecture
Quantified gains from decoupling:
· Time to first token (TTFT): P50 down about 60%, P95 down over 90% (reasoning can start without waiting for a container to boot)
· Elastic scaling: the stateful Harness can scale horizontally and attach sandboxes on demand
· Multi-environment reasoning: Claude can operate multiple execution environments at once (containers, phones, emulators, etc.), scheduled uniformly through the tool interface

A 2B agent approach worth learning from
Claude Managed Agents represents a maturity leap in AI infrastructure: from "every team builds its own wheel" to "managed service, plug and play". The elegance of its architecture lies in:
· Interface stability: the Session/Harness/Sandbox virtualization abstraction isolates model iteration from infrastructure evolution
· Defense in depth: physical isolation of credentials from the execution environment, addressing attack surfaces such as prompt injection
· Elastic economics: sandboxes start on demand, significantly reducing long-tail session costs

For enterprises that need to build production-grade agents, this provides a "no-ops, auditable, scalable" underlying runtime, letting engineering teams focus on business logic rather than infrastructure resilience.
New on the Engineering Blog: Building Managed Agents—our hosted service for long-running agents—meant solving an old problem in computing: how to design a system for “programs as yet unthought of.” Read more: anthropic.com/engineering/ma…
3
12
4,538
#デイトラ #個人開発 Day 410 of study (1013h) 📒 Converting the seat-shuffle app to Next. Before writing code, I summarized the pages to build and the type definitions in GoodNotes and looked into my open questions 🤔 ✅ getUser goes to the server to fetch the information, whereas getSession completes on the client, so getUser is the reliable one ✅ Global state: jotai for now
20
198
[Solo dev] A bug where Google login didn't work, and the cause ran way too deep. The story of a bug fixed in ふくログ v1.0.1.
Symptom: after choosing a Google account, the screen freezes
Cause: a deadlock with Supabase JS v2's internal lock mechanism 💀
DB query inside the onAuthStateChange callback → Supabase internally calls getSession() → it tries to acquire the same lock → it never returns
Fix: make the callback synchronous and escape with setTimeout
Lost 3 hours, but it was a good lesson. #個人開発 #ReactNative #Supabase
7
327
Feb 23
Replying to @Ake_UEFN
Well you won't be able to view it in public games if that's something you wanna keep. But as an example if(GetSession().Environment() <> session_environment.Live): AddTPSCounter()
1
2
194
#デイトラ #WEB制作 Day 363 of study (899h) 📒 Building the seat-shuffle app. My understanding of the backend is still vague, so it's slow going again 🐂 ✅ getSession() tells whether you are currently logged in, whereas getUser() fetches the user information ✅ If you skip email address verification, any address can be used ❓ Adding verification lowers UX, so countermeasures are needed
21
209
How I fixed it: - Proper PKCE with await (no more race) - Killed duplicate getSession() call - DB trigger auto-creates profile (no RLS fights) 2 AM: rebuild done. Didn't even test. Crashed. This morning: logged in, refreshed 10x, switched pages. Session holds. Finally.
1
2
30
#デイトラ #WEB制作 Day 329 of study (823.5h) 📒 Building the seat-shuffle app. A design where isLoading is defined in the parent component and handed down to the child components. I don't understand the seat-shuffle logic at all; this is seriously bad 😓 ✅ If you use getUser, it looks like you don't need getSession unless there's a special reason ✅ If there's a path, index is unnecessary
17
208