# [CRIT] [GHSA / CRITICAL] CVE-2026-45758: Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

**Source:** GitHub Security Advisories
**Published:** 2026-05-19
**Article:** https://github.com/advisories/GHSA-xmpw-2vmm-p4p6

## Threat Profile

Malicious code in guardrails-ai 0.10.1 (supply chain compromise)

### Impact

On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of `guardrails-ai` (0.10.1) to PyPI.

**Affected:** any user who installed `guardrails-ai==0.10.1` from PyPI on May 11, 2026.

Security researchers identified the malicious package within approximately 2 hours of publication, and PyPI quarantined the repository. Based on our telemetry, we have observed no requests to Guardrails …

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-45758`
- **IPv4 (defanged):** `83.142.209.194`
- **Domain (defanged):** `git-tanstack.com`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1195.002** — Compromise Software Supply Chain
- **T1071** — Application Layer Protocol
- **T1059.006** — Command and Scripting Interpreter: Python
- **T1105** — Ingress Tool Transfer
- **T1071.004** — Application Layer Protocol: DNS
- **T1071.001** — Application Layer Protocol: Web Protocols

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Installation of malicious guardrails-ai==0.10.1 PyPI package (CVE-2026-45758)

`UC_255_3` · phase: **delivery** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("pip.exe","pip","pip3","pip3.exe","uv","uv.exe","poetry","poetry.exe","python.exe","python","python3","python3.exe") OR Processes.process IN ("*pip*install*","*uv*pip*install*","*poetry*add*")) AND Processes.process IN ("*guardrails-ai==0.10.1*","*guardrails-ai 0.10.1*","*guardrails_ai-0.10.1*","*guardrails-ai-0.10.1*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName in~ ("pip.exe","pip3.exe","python.exe","python3.exe","pythonw.exe","uv.exe","poetry.exe")
   or InitiatingProcessFileName in~ ("pip.exe","pip3.exe","uv.exe","poetry.exe")
| where ProcessCommandLine has "guardrails-ai" or ProcessCommandLine has "guardrails_ai"
| where ProcessCommandLine has "0.10.1"
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, SHA256
| order by Timestamp desc
```

### Python process executing transformers.pyz dropped from git-tanstack.com (TeamPCP)

`UC_255_4` · phase: **install** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("python.exe","python","python3","python3.exe","pythonw.exe") AND Processes.process="*transformers.pyz*" by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | append [ | tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name="transformers.pyz" by Filesystem.dest Filesystem.user Filesystem.file_path Filesystem.process_name | `drop_dm_object_name(Filesystem)` ] | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let LookbackDays = 30d;
union isfuzzy=true
(
  DeviceProcessEvents
  | where Timestamp > ago(LookbackDays)
  | where FileName in~ ("python.exe","python3.exe","pythonw.exe","python","python3")
     or InitiatingProcessFileName in~ ("python.exe","python3.exe","pythonw.exe","python","python3")
  | where ProcessCommandLine has "transformers.pyz"
     or InitiatingProcessCommandLine has "transformers.pyz"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, ActionType="ProcessCreate"
),
(
  DeviceFileEvents
  | where Timestamp > ago(LookbackDays)
  | where FileName =~ "transformers.pyz"
  | project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, FileName, ProcessCommandLine=InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256, ActionType
)
| order by Timestamp desc
```

### DNS lookup for git-tanstack.com TeamPCP C2 staging domain

`UC_255_5` · phase: **c2** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution.DNS where DNS.query="*git-tanstack.com*" OR DNS.answer="83.142.209.194" by DNS.src DNS.dest DNS.query DNS.answer DNS.record_type | `drop_dm_object_name(DNS)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let LookbackDays = 30d;
DeviceNetworkEvents
| where Timestamp > ago(LookbackDays)
| where RemoteUrl has "git-tanstack.com" or RemoteIP == "83.142.209.194"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, Protocol, ActionType
| order by Timestamp desc
```

### Outbound connection to TeamPCP C2 IP 83.142.209.194

`UC_255_6` · phase: **c2** · confidence: **Medium** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats summariesonly=true count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest="83.142.209.194" OR All_Traffic.dest_ip="83.142.209.194" by All_Traffic.src All_Traffic.src_ip All_Traffic.dest All_Traffic.dest_port All_Traffic.transport All_Traffic.app All_Traffic.bytes_out | `drop_dm_object_name(All_Traffic)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
let LookbackDays = 30d;
DeviceNetworkEvents
| where Timestamp > ago(LookbackDays)
| where RemoteIP == "83.142.209.194"
| project Timestamp, DeviceName, AccountName=InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, Protocol, LocalIP, ActionType
| order by Timestamp desc
```

### Trusted vendor binary / installer launching unusual children

`UC_SUPPLY_CHAIN` · phase: **exploit** · confidence: **Medium**

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Endpoint.Processes
    where Processes.parent_process_name IN ("setup.exe","installer.exe","update.exe")
      AND Processes.process_name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe")
    by Processes.dest, Processes.user, Processes.parent_process_name, Processes.process_name, Processes.process
| `drop_dm_object_name(Processes)`
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where AccountName !endswith "$"
| where InitiatingProcessFileName in~ ("setup.exe","installer.exe","update.exe")
| where FileName in~ ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe","wmic.exe","bitsadmin.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-45758`

- **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High**
  - IP / domain IOC(s): `83.142.209.194`, `git-tanstack.com`


## Why this matters

Severity classified as **CRIT** based on: CVE present, IOCs present, 7 use case(s) fired, 7 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.