CVE-2026-45321 self-check (mac only)
#!/usr/bin/env bash
# Detect the optional fast search tools. When fd or rg is missing, the checks
# below fall back to find and grep. Both tools are looked up through PATH, so
# the script trusts whatever binaries PATH resolves to.
if command -v fd >/dev/null 2>&1; then
  HAS_FD=1
else
  HAS_FD=0
fi
if command -v rg >/dev/null 2>&1; then
  HAS_RG=1
else
  HAS_RG=0
fi
#######################################
# Print a section header for one check.
# Arguments: $1 - check number or label
#            $2 - human-readable title
# Outputs:   a blank line, then "[label] title" on stdout
#######################################
show() {
  local label=$1
  local title=$2
  printf '\n[%s] %s\n' "$label" "$title"
}
#######################################
# Print the findings of a check, or a clean-result line when there are none.
# Arguments: $1 - captured findings (may be empty)
# Outputs:   the findings verbatim, or "OK: none found", on stdout
#######################################
show_or_ok() {
  local findings=$1
  if [ -z "$findings" ]; then
    echo 'OK: none found'
    return
  fi
  printf '%s\n' "$findings"
}
printf '%s\n' '== Mini Shai-Hulud / TanStack local check =='

show 1 'macOS LaunchAgent persistence'
# Only this exact per-user plist path is checked. A clean result says nothing
# about other plist names or about the system-wide launchd directories.
agent_plist=~/Library/LaunchAgents/com.user.gh-token-monitor.plist
output=$(ls -la "$agent_plist" 2>/dev/null)
# An empty listing means the plist is absent; substitute a specific OK line
# instead of the generic one show_or_ok would print.
show_or_ok "${output:-OK: no gh-token-monitor LaunchAgent found}"
show 2 'Search for known malware files in home directory'
printf '%s\n' 'Reminder: setup.mjs is a generic filename; review manually. Stronger signals are router_init.js, router_runtime.js, and tanstack_runner.js.'
# Name-only match across the whole home directory. stderr is discarded, so
# directories the scan cannot read are skipped silently; a clean result only
# covers what was readable.
# NOTE(review): the fd branch is limited to regular files (-t f); the find
# branch has no -type filter and can also list directories or symlinks.
if (( HAS_FD == 1 )); then
  output=$(
    fd -HI -t f \
      '^(router_init|router_runtime|tanstack_runner)\.js$|^setup\.mjs$' \
      ~ 2>/dev/null
  )
else
  output=$(
    find ~ \
      \( -name 'router_init.js' \
      -o -name 'router_runtime.js' \
      -o -name 'tanstack_runner.js' \
      -o -name 'setup.mjs' \) \
      -print 2>/dev/null
  )
fi
show_or_ok "$output"
show 3 'Hash router_init.js if present'
# Prints "<sha256>  <path>" for every router_init.js found. The script carries
# no reference hash, so compare the output by hand against the value published
# in the advisory you are working from (<KNOWN_BAD_SHA256>, placeholder).
if (( HAS_FD == 1 )); then
  output=$(
    fd -HI -t f '^router_init\.js$' ~ \
      -x shasum -a 256 2>/dev/null
  )
else
  output=$(
    find ~ -name 'router_init.js' \
      -exec shasum -a 256 {} \; 2>/dev/null
  )
fi
show_or_ok "$output"
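show 4 'Search node_modules for malicious TanStack optionalDependency marker'
# Lists every installed @tanstack/*/package.json that mentions one of three
# markers: the full commit id, the abbreviated github: reference to it, or the
# @tanstack/setup package name.
if [ "$HAS_RG" -eq 1 ]; then
  # The glob starts with `**/`, matching the lockfile check further down.
  # rg globs follow gitignore rules, where a single `*` does not cross a `/`,
  # so a leading `*/` would only match a node_modules exactly one directory
  # below the search root and deeper projects would be reported as clean.
  output=$(rg -l -uu \
    -g '**/node_modules/@tanstack/*/package.json' \
    '79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|@tanstack/setup' \
    ~ 2>/dev/null)
else
  # grep -E gives POSIX alternation; `\|` in a basic regex is an extension.
  # -exec ... {} + replaces the xargs pipe, so grep never runs without a file.
  output=$(find ~ -path '*/node_modules/@tanstack/*/package.json' \
    -exec grep -lE -- \
    '79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|@tanstack/setup' \
    {} + 2>/dev/null)
fi
show_or_ok "$output"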
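show 5 'Search lockfiles for affected marker'
# Lists every npm, pnpm, yarn or bun lockfile under the home directory that
# mentions the commit id, the abbreviated github: reference, or the
# git-tanstack.com host. The dot in the host is escaped so it matches literally.
if [ "$HAS_RG" -eq 1 ]; then
  # --text: bun.lockb is a binary lockfile, and rg's default binary detection
  # can stop reading a file at its first NUL byte, which would hide a marker
  # stored after it. The grep branch has no such cut-off with -l.
  output=$(rg -l -uu --text \
    -g '**/package-lock.json' \
    -g '**/pnpm-lock.yaml' \
    -g '**/yarn.lock' \
    -g '**/bun.lockb' \
    '79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|git-tanstack\.com' \
    ~ 2>/dev/null)
else
  # grep -E gives POSIX alternation; `\|` in a basic regex is an extension.
  # -exec ... {} + replaces the xargs pipe, so grep never runs without a file.
  output=$(find ~ \
    \( -name 'package-lock.json' -o -name 'pnpm-lock.yaml' \
    -o -name 'yarn.lock' -o -name 'bun.lockb' \) \
    -exec grep -lE -- \
    '79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|git-tanstack\.com' \
    {} + 2>/dev/null)
fi
show_or_ok "$output"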
show 6 'Check Claude / VS Code persistence hooks'
# ~/.claude and ~/.vscode are the per-user directories. The bare .claude and
# .vscode are relative to the current directory, so only the project the
# script is run from is covered; rerun it inside each project of interest.
# NOTE(review): the two branches are not equivalent. grep runs with -i and
# matches any occurrence of setup.mjs; rg is case-sensitive and only matches
# setup.mjs at line start or after a "/" or a double quote.
hook_dirs=(~/.claude ~/.vscode .claude .vscode)
if (( HAS_RG == 1 )); then
  output=$(
    rg -n -uu \
      'router_runtime|tanstack_runner|git-tanstack|(^|/|")setup\.mjs(")?' \
      "${hook_dirs[@]}" 2>/dev/null
  )
else
  output=$(
    grep -Rni \
      'router_runtime\|setup.mjs\|tanstack_runner\|git-tanstack' \
      "${hook_dirs[@]}" 2>/dev/null
  )
fi
show_or_ok "$output"
show 7 'Search suspicious GitHub Actions workflow marker in your projects'
# A hit is a lead, not a verdict: the match is on the filename alone, so open
# the workflow and review what it runs.
# NOTE(review): the fd branch matches codeql_analysis.yml in any directory,
# while the find branch only matches it under .github/workflows/.
if (( HAS_FD == 1 )); then
  output=$(
    fd -HI -t f '^codeql_analysis\.yml$' ~ 2>/dev/null
  )
else
  output=$(
    find ~ -path '*/.github/workflows/codeql_analysis.yml' \
      -print 2>/dev/null
  )
fi
show_or_ok "$output"

printf '\n%s\n' 'Done.'