CVE-2026-45321 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-45321: Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Metrics

CVSS v3.1: 9.6
Severity: CRITICAL
Fixed in:
Affected products: 42

Affected packages (malicious versions):
  • @tanstack/arktype-adapter: 1.166.12 · 1.166.15
  • @tanstack/eslint-plugin-router: 1.161.9 · 1.161.12
  • @tanstack/eslint-plugin-start: 0.0.4 · 0.0.7
  • @tanstack/history: 1.161.9 · 1.161.12
  • @tanstack/nitro-v2-vite-plugin: 1.154.12 · 1.154.15
  • @tanstack/react-router: 1.169.5 · 1.169.8
  • @tanstack/react-router-devtools: 1.166.16 · 1.166.19
  • @tanstack/react-router-ssr-query: 1.166.15 · 1.166.18
  • @tanstack/react-start: 1.167.68 · 1.167.71
  • @tanstack/react-start-client: 1.166.51 · 1.166.54
  • @tanstack/react-start-rsc: 0.0.47 · 0.0.50
  • @tanstack/react-start-server: 1.166.55 · 1.166.58
  • @tanstack/router-cli: 1.166.46 · 1.166.49
  • @tanstack/router-core: 1.169.5 · 1.169.8
  • @tanstack/router-devtools: 1.166.16 · 1.166.19
  • @tanstack/router-devtools-core: 1.167.6 · 1.167.9
  • @tanstack/router-generator: 1.166.45 · 1.166.48
  • @tanstack/router-plugin: 1.167.38 · 1.167.41
  • @tanstack/router-ssr-query-core: 1.168.3 · 1.168.6
  • @tanstack/router-utils: 1.161.11 · 1.161.14
  • @tanstack/outer-vite-plugin: 1.166.53 · 1.166.56
  • @tanstack/solid-router: 1.169.5 · 1.169.8
  • @tanstack/solid-router-devtools: 1.166.16 · 1.166.19
  • @tanstack/solid-router-ssr-query: 1.166.15 · 1.166.18
  • @tanstack/solid-start: 1.167.65 · 1.167.68
  • @tanstack/solid-start-client: 1.166.50 · 1.166.53
  • @tanstack/solid-start-server: 1.166.54 · 1.166.57
  • @tanstack/start-client-core: 1.168.5 · 1.168.8
  • @tanstack/start-fn-stubs: 1.161.9 · 1.161.12
  • @tanstack/start-plugin-core: 1.169.23 · 1.169.26
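A lockfile check built from the affected-version list above, added here as an example and not HarborGuard's or TanStack's code: it walks an npm package-lock.json (v2/v3 `packages` map or v1 nested `dependencies`) and reports every install path pinned to one of the malicious versions, including nested copies that `npm ls` output is easy to miss. The `MALICIOUS` map carries only a subset of the advisory's pairs (extend it from the list above), and the sample lockfile is constructed for the demonstration.

```javascript
// Subset of the advisory's affected versions; extend from the full list above.
const MALICIOUS = {
  "@tanstack/react-router": ["1.169.5", "1.169.8"],
  "@tanstack/router-core": ["1.169.5", "1.169.8"],
  "@tanstack/react-start": ["1.167.68", "1.167.71"],
  "@tanstack/history": ["1.161.9", "1.161.12"],
  "@tanstack/router-plugin": ["1.167.38", "1.167.41"],
};

// Return every install path whose resolved version is on the malicious list.
// Handles lockfileVersion 2/3 ("packages" keyed by path) and v1 ("dependencies" nested).
function findCompromised(lock, malicious = MALICIOUS) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue; // "" is the root project entry, not a dependency
      // Aliased packages carry an explicit name; otherwise derive it from the path.
      const marker = "node_modules/";
      const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
      if (malicious[name]?.includes(meta.version)) hits.push({ path, name, version: meta.version });
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (malicious[name]?.includes(meta.version)) hits.push({ path, name, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Convenience wrapper for raw file contents.
function scanLockfileText(text, malicious = MALICIOUS) {
  return findCompromised(JSON.parse(text), malicious);
}

// Constructed sample (lockfileVersion 3): one malicious top-level install,
// one clean version, and one malicious copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/react-router": { version: "1.169.8" },
    "node_modules/@tanstack/router-core": { version: "1.169.6" },
    "node_modules/some-lib/node_modules/@tanstack/history": { version: "1.161.9" },
  },
};

for (const h of findCompromised(SAMPLE_LOCK)) console.log(`COMPROMISED ${h.name}@${h.version} at ${h.path}`);
```

To check a real project, read package-lock.json with `fs.readFileSync` and pass its contents to `scanLockfileText`; a non-empty result means the tree should be treated as compromised and the credentials named in the advisory rotated.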
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H