CVE-2026-45321 - Vulnerability Details

- Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Published: 2026-05-12

Score: 9.6 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

@tanstack

arktype-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

eslint-plugin-router

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

eslint-plugin-start

affected

Version	Status	Constraints
`0.0.4`	affected	—
`0.0.7`	affected	—

@tanstack

history

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

nitro-v2-vite-plugin

affected

Version	Status	Constraints
`1.154.12`	affected	—
`1.154.15`	affected	—

@tanstack

react-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

react-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

react-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

react-start

affected

Version	Status	Constraints
`1.167.68`	affected	—
`1.167.71`	affected	—

@tanstack

react-start-client

affected

Version	Status	Constraints
`1.166.51`	affected	—
`1.166.54`	affected	—

@tanstack

react-start-rsc

affected

Version	Status	Constraints
`0.0.47`	affected	—
`0.0.50`	affected	—

@tanstack

react-start-server

affected

Version	Status	Constraints
`1.166.55`	affected	—
`1.166.58`	affected	—

@tanstack

router-cli

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

router-core

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

router-devtools-core

affected

Version	Status	Constraints
`1.167.6`	affected	—
`1.167.9`	affected	—

@tanstack

router-generator

affected

Version	Status	Constraints
`1.166.45`	affected	—
`1.166.48`	affected	—

@tanstack

router-plugin

affected

Version	Status	Constraints
`1.167.38`	affected	—
`1.167.41`	affected	—

@tanstack

router-ssr-query-core

affected

Version	Status	Constraints
`1.168.3`	affected	—
`1.168.6`	affected	—

@tanstack

router-utils

affected

Version	Status	Constraints
`1.161.11`	affected	—
`1.161.14`	affected	—

@tanstack

outer-vite-plugin

affected

Version	Status	Constraints
`1.166.53`	affected	—
`1.166.56`	affected	—

@tanstack

solid-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

solid-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

solid-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

solid-start

affected

Version	Status	Constraints
`1.167.65`	affected	—
`1.167.68`	affected	—

@tanstack

solid-start-client

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

solid-start-server

affected

Version	Status	Constraints
`1.166.54`	affected	—
`1.166.57`	affected	—

@tanstack

start-client-core

affected

Version	Status	Constraints
`1.168.5`	affected	—
`1.168.8`	affected	—

@tanstack

start-fn-stubs

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

start-plugin-core

affected

Version	Status	Constraints
`1.169.23`	affected	—
`1.169.26`	affected	—

@tanstack

start-server-core

affected

Version	Status	Constraints
`1.167.33`	affected	—
`1.167.36`	affected	—

@tanstack

start-static-server-functions

affected

Version	Status	Constraints
`1.166.44`	affected	—
`1.166.47`	affected	—

@tanstack

start-storage-context

affected

Version	Status	Constraints
`1.166.38`	affected	—
`1.166.41`	affected	—

@tanstack

valibot-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

virtual-file-routes

affected

Version	Status	Constraints
`1.161.10`	affected	—
`1.161.13`	affected	—

@tanstack

vue-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

vue-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

vue-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

vue-start

affected

Version	Status	Constraints
`1.167.61`	affected	—
`1.167.64`	affected	—

@tanstack

vue-start-client

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

vue-start-server

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

zod-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js::

Configuration 2 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js::

Configuration 3 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js::

Configuration 4 [-]

OR	cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js::

Configuration 5 [-]

OR	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js::

Configuration 6 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js::

Configuration 7 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js::

Configuration 8 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js::

Configuration 9 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js::

Configuration 10 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js::

Configuration 11 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js::

Configuration 12 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js::

Configuration 13 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js::

Configuration 14 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js::

Configuration 15 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js::

Configuration 16 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js::

Configuration 17 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js::

Configuration 18 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js::

Configuration 19 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js::

Configuration 20 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js::

Configuration 21 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js::

Configuration 22 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js::

Configuration 23 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js::

Configuration 24 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js::

Configuration 25 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js::

Configuration 26 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js::

Configuration 27 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js::

Configuration 28 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js::

Configuration 29 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js::

Configuration 30 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js::

Configuration 31 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js::

Configuration 32 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js::

Configuration 33 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js::

Configuration 34 [-]

OR	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js::

Configuration 35 [-]

OR	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js::

Configuration 36 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js::

Configuration 37 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js::

Configuration 38 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js::

Configuration 39 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js::

Configuration 40 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js::

Configuration 41 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js::

Configuration 42 [-]

OR	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::

No data.

Vendor Product Confidence Versions

Tanstack

Arktype-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Tanstack

Eslint-plugin-router

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Eslint-plugin-start

100%

Version	Status	Scheme	Platform
`0.0.4`	affected	semver	—
`0.0.7`	affected	semver	—

Tanstack

History

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Nitro-v2-vite-plugin

100%

Version	Status	Scheme	Platform
`1.154.12`	affected	semver	—
`1.154.15`	affected	semver	—

Tanstack

Outer-vite-plugin

100%

Version	Status	Scheme	Platform
`1.166.53`	affected	semver	—
`1.166.56`	affected	semver	—

Tanstack

React-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

React-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

React-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

React-start

100%

Version	Status	Scheme	Platform
`1.167.68`	affected	semver	—
`1.167.71`	affected	semver	—

Tanstack

React-start-client

100%

Version	Status	Scheme	Platform
`1.166.51`	affected	semver	—
`1.166.54`	affected	semver	—

Tanstack

React-start-rsc

100%

Version	Status	Scheme	Platform
`0.0.47`	affected	semver	—
`0.0.50`	affected	semver	—

Tanstack

React-start-server

100%

Version	Status	Scheme	Platform
`1.166.55`	affected	semver	—
`1.166.58`	affected	semver	—

Tanstack

Router-cli

100%

Version	Status	Scheme	Platform
`1.166.46`	affected	semver	—
`1.166.49`	affected	semver	—

Tanstack

Router-core

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Router-devtools-core

100%

Version	Status	Scheme	Platform
`1.167.6`	affected	semver	—
`1.167.9`	affected	semver	—

Tanstack

Router-generator

100%

Version	Status	Scheme	Platform
`1.166.45`	affected	semver	—
`1.166.48`	affected	semver	—

Tanstack

Router-plugin

100%

Version	Status	Scheme	Platform
`1.167.38`	affected	semver	—
`1.167.41`	affected	semver	—

Tanstack

Router-ssr-query-core

100%

Version	Status	Scheme	Platform
`1.168.3`	affected	semver	—
`1.168.6`	affected	semver	—

Tanstack

Router-utils

100%

Version	Status	Scheme	Platform
`1.161.11`	affected	semver	—
`1.161.14`	affected	semver	—

Tanstack

Solid-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Solid-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Solid-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

Solid-start

100%

Version	Status	Scheme	Platform
`1.167.65`	affected	semver	—
`1.167.68`	affected	semver	—

Tanstack

Solid-start-client

100%

Version	Status	Scheme	Platform
`1.166.50`	affected	semver	—
`1.166.53`	affected	semver	—

Tanstack

Solid-start-server

100%

Version	Status	Scheme	Platform
`1.166.54`	affected	semver	—
`1.166.57`	affected	semver	—

Tanstack

Start-client-core

100%

Version	Status	Scheme	Platform
`1.168.5`	affected	semver	—
`1.168.8`	affected	semver	—

Tanstack

Start-fn-stubs

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Start-plugin-core

100%

Version	Status	Scheme	Platform
`1.169.23`	affected	semver	—
`1.169.26`	affected	semver	—

Tanstack

Start-server-core

100%

Version	Status	Scheme	Platform
`1.167.33`	affected	semver	—
`1.167.36`	affected	semver	—

Tanstack

Start-static-server-functions

100%

Version	Status	Scheme	Platform
`1.166.44`	affected	semver	—
`1.166.47`	affected	semver	—

Tanstack

Start-storage-context

100%

Version	Status	Scheme	Platform
`1.166.38`	affected	semver	—
`1.166.41`	affected	semver	—

Tanstack

Valibot-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Tanstack

Virtual-file-routes

100%

Version	Status	Scheme	Platform
`1.161.10`	affected	semver	—
`1.161.13`	affected	semver	—

Tanstack

Vue-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Vue-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Vue-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

Vue-start

100%

Version	Status	Scheme	Platform
`1.167.61`	affected	semver	—
`1.167.64`	affected	semver	—

Tanstack

Vue-start-client

100%

Version	Status	Scheme	Platform
`1.166.46`	affected	semver	—
`1.166.49`	affected	semver	—

Tanstack

Vue-start-server

100%

Version	Status	Scheme	Platform
`1.166.50`	affected	semver	—
`1.166.53`	affected	semver	—

Tanstack

Zod-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-g7cv-rxg3-hmpx	Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00043.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/TanStack/router/issues/7383
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

History

Thu, 14 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter
CPEs		cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::
Vendors & Products		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter

Tue, 12 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
References		https://tanstack.com/blog/npm-supply-chain-compromise-postmortem https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter
Vendors & Products		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Title		Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Weaknesses		CWE-506
References		https://github.com/TanStack/router/issues/7383 https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Tanstack Arktype-adapter Eslint-plugin-router Eslint-plugin-start History Nitro-v2-vite-plugin Outer-vite-plugin React-router React-router-devtools React-router-ssr-query React-start React-start-client React-start-rsc React-start-server Router-cli Router-core Router-devtools Router-devtools-core Router-generator Router-plugin Router-ssr-query-core Router-utils Solid-router Solid-router-devtools Solid-router-ssr-query Solid-start Solid-start-client Solid-start-server Start-client-core Start-fn-stubs Start-plugin-core Start-server-core Start-static-server-functions Start-storage-context Tanstack\/arktype-adapter Tanstack\/eslint-plugin-router Tanstack\/eslint-plugin-start Tanstack\/history Tanstack\/nitro-v2-vite-plugin Tanstack\/react-router Tanstack\/react-router-devtools Tanstack\/react-router-ssr-query Tanstack\/react-start Tanstack\/react-start-client Tanstack\/react-start-rsc Tanstack\/react-start-server Tanstack\/router-cli Tanstack\/router-core Tanstack\/router-devtools Tanstack\/router-devtools-core Tanstack\/router-generator Tanstack\/router-plugin Tanstack\/router-ssr-query-core Tanstack\/router-utils Tanstack\/router-vite-plugin Tanstack\/solid-router Tanstack\/solid-router-devtools Tanstack\/solid-router-ssr-query Tanstack\/solid-start Tanstack\/solid-start-client Tanstack\/solid-start-server Tanstack\/start-client-core Tanstack\/start-fn-stubs Tanstack\/start-plugin-core Tanstack\/start-server-core Tanstack\/start-static-server-functions Tanstack\/start-storage-context Tanstack\/valibot-adapter Tanstack\/virtual-file-routes Tanstack\/vue-router Tanstack\/vue-router-devtools Tanstack\/vue-router-ssr-query Tanstack\/vue-start Tanstack\/vue-start-client Tanstack\/vue-start-server Tanstack\/zod-adapter Valibot-adapter Virtual-file-routes Vue-router Vue-router-devtools Vue-router-ssr-query Vue-start Vue-start-client Vue-start-server Zod-adapter

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T00:12:35.452Z

Updated: 2026-05-12T15:16:17.354Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

Vulnrichment

Updated: 2026-05-12T13:21:29.648Z

NVD

Status : Analyzed

Published: 2026-05-12T01:16:46.820

Modified: 2026-05-14T17:05:28.793

Link: CVE-2026-45321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:12Z

Weaknesses

CWE-506

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object