# [CRIT] [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval **Source:** GitHub Security Advisories **Published:** 2026-05-14 **Article:** https://github.com/advisories/GHSA-wx44-2q6h-j6p8 ## Threat Profile DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval ### Summary The `run_tests` tool executes `cargo test` in the workspace with `ApprovalRequirement::Auto`, meaning it runs without any user approval prompt. The source code explicitly states this design choice: ```rust fn approval_requirement(&self) -> ApprovalRequirement { // Tests are encouraged, so avoid gating them behind approval. ApprovalRequirement::Auto } ``` `cargo test` compiles and executes ar… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-45311` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1059.001** — PowerShell - **T1059.005** — Visual Basic - **T1218** — System Binary Proxy Execution - **T1204.002** — User Execution: Malicious File - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1195.001** — Supply Chain Compromise: Compromise Software Dependencies and Development Tools - **T1105** — Ingress Tool Transfer - **T1041** — Exfiltration Over C2 Channel ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### DeepSeek-TUI spawning 'cargo test' — CVE-2026-45311 auto-approved run_tests pathway `UC_293_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("deepseek-tui","deepseek-tui.exe","deepseek","deepseek.exe") AND Processes.process_name IN ("cargo","cargo.exe") AND Processes.process="*test*" by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("deepseek-tui","deepseek-tui.exe","deepseek","deepseek.exe") | where FileName in~ ("cargo","cargo.exe") | where ProcessCommandLine has "test" | where AccountName !endswith "$" | project Timestamp, DeviceName, AccountName, Parent = InitiatingProcessFileName, ParentCmd = InitiatingProcessCommandLine, ParentPath = InitiatingProcessFolderPath, Child = FileName, ChildCmd = ProcessCommandLine, ChildSHA256 = SHA256 | order by Timestamp desc ``` ### Rust cargo-test binary in target/debug/deps spawning shell or network tool (CVE-2026-45311 exploitation) `UC_293_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_path="*/target/debug/deps/*" OR Processes.parent_process_path="*\\target\\debug\\deps\\*" OR Processes.parent_process_path="*/target/release/deps/*" OR Processes.parent_process_path="*\\target\\release\\deps\\*") AND Processes.process_name IN ("sh","bash","zsh","dash","ksh","curl","wget","nc","ncat","socat","cmd.exe","powershell.exe","pwsh.exe","curl.exe","wget.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process_path Processes.parent_process Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql let _suspicious_children = dynamic(["sh","bash","zsh","dash","ksh","curl","wget","nc","ncat","socat","cmd.exe","powershell.exe","pwsh.exe","pwsh","curl.exe","wget.exe"]); DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFolderPath has_any (@"/target/debug/deps/", @"\target\debug\deps\", @"/target/release/deps/", @"\target\release\deps\") | where FileName in~ (_suspicious_children) | where AccountName !endswith "$" | extend RcePattern = iff(ProcessCommandLine has_any ("curl ","wget ","http://","https://","/dev/tcp/","bash -i","-NoProfile","IEX","Invoke-WebRequest"), "likely_egress", "shell_or_tool") | project Timestamp, DeviceName, AccountName, TestBinaryPath = InitiatingProcessFolderPath, TestBinary = InitiatingProcessFileName, TestBinaryCmd = InitiatingProcessCommandLine, Grandparent = InitiatingProcessParentFileName, Child = FileName, ChildCmd = ProcessCommandLine, RcePattern, ChildSHA256 = SHA256 | order by Timestamp desc ``` ### Office app spawning script/LOLBin child process `UC_OFFICE_CHILD` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") AND Processes.process_name IN ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where InitiatingProcessFileName in~ ("winword.exe","excel.exe","powerpnt.exe","outlook.exe","onenote.exe","mspub.exe","visio.exe") | where FileName in~ ("cmd.exe","powershell.exe","pwsh.exe","wscript.exe","cscript.exe","mshta.exe","rundll32.exe","regsvr32.exe","wmic.exe","bitsadmin.exe","certutil.exe") | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via M `UC_293_2` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via M ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/tmp/malicious-repo*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-45311: DeepSeek TUI: run_tests Tool Enables RCE via M // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/tmp/malicious-repo")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-45311` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 9 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.