Skip to content

Instantly share code, notes, and snippets.

@kaxing
Last active May 14, 2026 01:43
Show Gist options
  • Select an option

  • Save kaxing/7442e09c4940a952691993128f0dd90f to your computer and use it in GitHub Desktop.

Select an option

Save kaxing/7442e09c4940a952691993128f0dd90f to your computer and use it in GitHub Desktop.
CVE-2026-45321 self-schek (mac only)
#!/usr/bin/env bash
HAS_FD=0
HAS_RG=0
command -v fd >/dev/null 2>&1 && HAS_FD=1
command -v rg >/dev/null 2>&1 && HAS_RG=1
show() {
printf '\n[%s] %s\n' "$1" "$2"
}
show_or_ok() {
if [ -n "$1" ]; then
printf '%s\n' "$1"
else
echo 'OK: none found'
fi
}
printf '== Mini Shai-Hulud / TanStack local check ==\n'
show 1 'macOS LaunchAgent persistence'
output=$(ls -la ~/Library/LaunchAgents/com.user.gh-token-monitor.plist 2>/dev/null)
show_or_ok "${output:-OK: no gh-token-monitor LaunchAgent found}"
show 2 'Search for known malware files in home directory'
printf 'Reminder: setup.mjs is a generic filename; review manually. Stronger signals are router_init.js, router_runtime.js, and tanstack_runner.js.\n'
if [ "$HAS_FD" -eq 1 ]; then
output=$(fd -HI -t f '^(router_init|router_runtime|tanstack_runner)\.js$|^setup\.mjs$' ~ 2>/dev/null)
else
output=$(find ~ \
\( -name 'router_init.js' -o -name 'router_runtime.js' -o -name 'tanstack_runner.js' -o -name 'setup.mjs' \) \
-print 2>/dev/null)
fi
show_or_ok "$output"
show 3 'Hash router_init.js if present'
if [ "$HAS_FD" -eq 1 ]; then
output=$(fd -HI -t f '^router_init\.js$' ~ -x shasum -a 256 2>/dev/null)
else
output=$(find ~ -name 'router_init.js' -exec shasum -a 256 {} \; 2>/dev/null)
fi
show_or_ok "$output"
show 4 'Search node_modules for malicious TanStack optionalDependency marker'
if [ "$HAS_RG" -eq 1 ]; then
output=$(rg -l -uu \
-g '*/node_modules/@tanstack/*/package.json' \
'79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|@tanstack/setup' \
~ 2>/dev/null)
else
output=$(find ~ -path '*/node_modules/@tanstack/*/package.json' -print0 2>/dev/null \
| xargs -0 grep -l '79ac49eedf774dd4b0cfa308722bc463cfe5885c\|github:tanstack/router#79ac49ee\|@tanstack/setup' 2>/dev/null)
fi
show_or_ok "$output"
show 5 'Search lockfiles for affected marker'
if [ "$HAS_RG" -eq 1 ]; then
output=$(rg -l -uu \
-g '**/package-lock.json' \
-g '**/pnpm-lock.yaml' \
-g '**/yarn.lock' \
-g '**/bun.lockb' \
'79ac49eedf774dd4b0cfa308722bc463cfe5885c|github:tanstack/router#79ac49ee|git-tanstack.com' \
~ 2>/dev/null)
else
output=$(find ~ \( -name 'package-lock.json' -o -name 'pnpm-lock.yaml' -o -name 'yarn.lock' -o -name 'bun.lockb' \) -print0 2>/dev/null \
| xargs -0 grep -l '79ac49eedf774dd4b0cfa308722bc463cfe5885c\|github:tanstack/router#79ac49ee\|git-tanstack.com' 2>/dev/null)
fi
show_or_ok "$output"
show 6 'Check Claude / VS Code persistence hooks'
if [ "$HAS_RG" -eq 1 ]; then
output=$(rg -n -uu 'router_runtime|tanstack_runner|git-tanstack|(^|/|")setup\.mjs(")?' ~/.claude ~/.vscode .claude .vscode 2>/dev/null)
else
output=$(grep -Rni 'router_runtime\|setup.mjs\|tanstack_runner\|git-tanstack' ~/.claude ~/.vscode .claude .vscode 2>/dev/null)
fi
show_or_ok "$output"
show 7 'Search suspicious GitHub Actions workflow marker in your projects'
if [ "$HAS_FD" -eq 1 ]; then
output=$(fd -HI -t f '^codeql_analysis\.yml$' ~ 2>/dev/null)
else
output=$(find ~ -path '*/.github/workflows/codeql_analysis.yml' -print 2>/dev/null)
fi
show_or_ok "$output"
printf '\nDone.\n'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment