🟢 CVE-2026-45321

CVE-2026-45321 is a critical supply chain vulnerability (CVSS 9.6) associated with a campaign identified as "Mini Shai-Hulud," which involved the unauthorized publication of malicious packages to the npm and PyPI registries in May 2026 ^[1].

Here is the breakdown of the requested information:

Nature of the Vulnerability and Exploitation

• Attack Vectors and Methods: The vulnerability stems from a supply chain compromise rather than a traditional software flaw in an internet-facing application. Attackers exploited a `pull_request_target` misconfiguration within GitHub Actions to poison build caches and extract OIDC (OpenID Connect) tokens from memory ^[2]. These stolen tokens were then used to authenticate as legitimate maintainers, allowing the attackers to publish malicious versions of packages to public registries ^[3].
• Active Exploitation: Yes, there is clear evidence of active exploitation in the wild. Between May 11 and May 12, 2026, threat actors published over 400 malicious versions of 170 different packages across npm and PyPI, including the `mistralai` package (v2.4.6) ^[1].
• Targeted Attacks: The campaign appears to be a broad, automated supply chain attack targeting the software ecosystem (specifically the `@tanstack` and `mistralai` ecosystems) rather than a single targeted organization ^{[1] [2]}. The malicious packages contained credential-stealing malware intended to compromise the systems of developers or CI/CD pipelines that downloaded them ^[2].

Internet-Facing Applications and Technical Details

• Internet-Facing Applications: This vulnerability does not refer to a flaw in a specific internet-facing application that can be exploited by remote users via HTTP requests. Instead, it is an infrastructure-level supply chain vulnerability. It affects the security of the software development lifecycle (SDLC) and the integrity of packages hosted on public registries.
• Technical Internet Exploitability: Because this is a supply chain attack, it is not "exploitable" in the sense of sending a crafted packet to a server to gain control. The "exploit" occurred at the CI/CD level (GitHub Actions), which then resulted in the distribution of malicious code to anyone who installed the compromised packages.

CISA Known Exploited Vulnerabilities (KEV) Status

As of May 27, 2026, there is no information indicating that CVE-2026-45321 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog typically focuses on vulnerabilities that are being actively exploited in the wild against enterprise software and hardware, whereas this CVE represents a compromise of the software supply chain itself.