Back to KEVs

CVE-2026-45321

Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Basic Information

CVE State
PUBLISHED
Reserved Date
May 11, 2026
Published Date
May 12, 2026
Last Updated
May 28, 2026
Vendor
@tanstack
Product
arktype-adapter, eslint-plugin-router, eslint-plugin-start, history, nitro-v2-vite-plugin, react-router, react-router-devtools, react-router-ssr-query, react-start, react-start-client, react-start-rsc, react-start-server, router-cli, router-core, router-devtools, router-devtools-core, router-generator, router-plugin, router-ssr-query-core, router-utils, outer-vite-plugin, solid-router, solid-router-devtools, solid-router-ssr-query, solid-start, solid-start-client, solid-start-server, start-client-core, start-fn-stubs, start-plugin-core, start-server-core, start-static-server-functions, start-storage-context, valibot-adapter, virtual-file-routes, vue-router, vue-router-devtools, vue-router-ssr-query, vue-start, vue-start-client, vue-start-server, zod-adapter
Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Tags
edge cisa

CVSS Scores

CVSS v3.1

9.6 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

Score
17.05% (Percentile: 95.10%) as of 2026-05-31

SSVC Information

Exploitation
active
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2026-06-01 10:28:01 UTC) Source

References

https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx https://github.com/TanStack/router/issues/7383 https://tanstack.com/blog/npm-supply-chain-compromise-postmortem https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

Known Exploited Vulnerability Information

Source Added Date
CVE 2026-06-01 10:27:54 UTC

Recent Mentions

CISA Adds Three Known Exploited Vulnerabilities to Catalog

Source: All CISA Advisories • Published: 2026-05-27 12:00:00 UTC

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2026-8398 Daemon Tools Lite Embedded Malicious Code Vulnerability CVE-2026-45321 TanStack Unspecified Vulnerability CVE-2026-48027 Nx Console Embedded Malicious Code Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel