CVE-2026-45321 - Vulnerability Details

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Tanstack	Arktype-adapter Eslint-plugin-router Eslint-plugin-start History Nitro-v2-vite-plugin Outer-vite-plugin React-router React-router-devtools React-router-ssr-query React-start React-start-client React-start-rsc React-start-server Router-cli Router-core Router-devtools Router-devtools-core Router-generator Router-plugin Router-ssr-query-core Router-utils Solid-router Solid-router-devtools Solid-router-ssr-query Solid-start Solid-start-client Solid-start-server Start-client-core Start-fn-stubs Start-plugin-core Start-server-core Start-static-server-functions Start-storage-context Tanstack\/arktype-adapter Tanstack\/eslint-plugin-router Tanstack\/eslint-plugin-start Tanstack\/history Tanstack\/nitro-v2-vite-plugin Tanstack\/react-router Tanstack\/react-router-devtools Tanstack\/react-router-ssr-query Tanstack\/react-start Tanstack\/react-start-client Tanstack\/react-start-rsc Tanstack\/react-start-server Tanstack\/router-cli Tanstack\/router-core Tanstack\/router-devtools Tanstack\/router-devtools-core Tanstack\/router-generator Tanstack\/router-plugin Tanstack\/router-ssr-query-core Tanstack\/router-utils Tanstack\/router-vite-plugin Tanstack\/solid-router Tanstack\/solid-router-devtools Tanstack\/solid-router-ssr-query Tanstack\/solid-start Tanstack\/solid-start-client Tanstack\/solid-start-server Tanstack\/start-client-core Tanstack\/start-fn-stubs Tanstack\/start-plugin-core Tanstack\/start-server-core Tanstack\/start-static-server-functions Tanstack\/start-storage-context Tanstack\/valibot-adapter Tanstack\/virtual-file-routes Tanstack\/vue-router Tanstack\/vue-router-devtools Tanstack\/vue-router-ssr-query Tanstack\/vue-start Tanstack\/vue-start-client Tanstack\/vue-start-server Tanstack\/zod-adapter Valibot-adapter Virtual-file-routes Vue-router Vue-router-devtools Vue-router-ssr-query Vue-start Vue-start-client Vue-start-server Zod-adapter

Configuration 1 [-]

OR	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js::

Configuration 2 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js::

Configuration 3 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js::

Configuration 4 [-]

OR	cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js::

Configuration 5 [-]

OR	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js::

Configuration 6 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js::

Configuration 7 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js::

Configuration 8 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js::

Configuration 9 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js::

Configuration 10 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js::

Configuration 11 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js::

Configuration 12 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js::

Configuration 13 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js::

Configuration 14 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js::

Configuration 15 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js::

Configuration 16 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js::

Configuration 17 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js::

Configuration 18 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js::

Configuration 19 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js::

Configuration 20 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js::

Configuration 21 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js::

Configuration 22 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js::

Configuration 23 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js::

Configuration 24 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js::

Configuration 25 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js::

Configuration 26 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js::

Configuration 27 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js::

Configuration 28 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js::

Configuration 29 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js::

Configuration 30 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js::

Configuration 31 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js::

Configuration 32 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js::

Configuration 33 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js::

Configuration 34 [-]

OR	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js::

Configuration 35 [-]

OR	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js::

Configuration 36 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js::

Configuration 37 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js::

Configuration 38 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js::

Configuration 39 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js::

Configuration 40 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js::

Configuration 41 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js::

Configuration 42 [-]

OR	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Tanstack	Arktype-adapter Eslint-plugin-router Eslint-plugin-start History Nitro-v2-vite-plugin Outer-vite-plugin React-router React-router-devtools React-router-ssr-query React-start React-start-client React-start-rsc React-start-server Router-cli Router-core Router-devtools Router-devtools-core Router-generator Router-plugin Router-ssr-query-core Router-utils Solid-router Solid-router-devtools Solid-router-ssr-query Solid-start Solid-start-client Solid-start-server Start-client-core Start-fn-stubs Start-plugin-core Start-server-core Start-static-server-functions Start-storage-context Valibot-adapter Virtual-file-routes Vue-router Vue-router-devtools Vue-router-ssr-query Vue-start Vue-start-client Vue-start-server Zod-adapter

References

Link	Providers
https://github.com/TanStack/router/issues/7383
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

History

Thu, 14 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter
CPEs		cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::
Vendors & Products		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter

Tue, 12 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
References		https://tanstack.com/blog/npm-supply-chain-compromise-postmortem https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter
Vendors & Products		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Title		Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Weaknesses		CWE-506
References		https://github.com/TanStack/router/issues/7383 https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T00:12:35.452Z

Updated: 2026-05-12T15:16:17.354Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

Vulnrichment

Updated: 2026-05-12T13:21:29.648Z

NVD

Status : Analyzed

Published: 2026-05-12T01:16:46.820

Modified: 2026-05-14T17:05:28.793

Link: CVE-2026-45321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:12Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object