CVE-2026-45321

Published: May 12, 2026

Modified: May 28, 2026

PUBLISHED

CVSS v3.1

9.6

CRITICAL

Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Vendor	Product	Versions
@tanstack	arktype-adapter	affected `1.166.12` affected `1.166.15`
@tanstack	eslint-plugin-router	affected `1.161.9` affected `1.161.12`
@tanstack	eslint-plugin-start	affected `0.0.4` affected `0.0.7`
@tanstack	history	affected `1.161.9` affected `1.161.12`
@tanstack	nitro-v2-vite-plugin	affected `1.154.12` affected `1.154.15`
@tanstack	react-router	affected `1.169.5` affected `1.169.8`
@tanstack	react-router-devtools	affected `1.166.16` affected `1.166.19`
@tanstack	react-router-ssr-query	affected `1.166.15` affected `1.166.18`
@tanstack	react-start	affected `1.167.68` affected `1.167.71`
@tanstack	react-start-client	affected `1.166.51` affected `1.166.54`
@tanstack	react-start-rsc	affected `0.0.47` affected `0.0.50`
@tanstack	react-start-server	affected `1.166.55` affected `1.166.58`
@tanstack	router-cli	affected `1.166.46` affected `1.166.49`
@tanstack	router-core	affected `1.169.5` affected `1.169.8`
@tanstack	router-devtools	affected `1.166.16` affected `1.166.19`
@tanstack	router-devtools-core	affected `1.167.6` affected `1.167.9`
@tanstack	router-generator	affected `1.166.45` affected `1.166.48`
@tanstack	router-plugin	affected `1.167.38` affected `1.167.41`
@tanstack	router-ssr-query-core	affected `1.168.3` affected `1.168.6`
@tanstack	router-utils	affected `1.161.11` affected `1.161.14`
@tanstack	outer-vite-plugin	affected `1.166.53` affected `1.166.56`
@tanstack	solid-router	affected `1.169.5` affected `1.169.8`
@tanstack	solid-router-devtools	affected `1.166.16` affected `1.166.19`
@tanstack	solid-router-ssr-query	affected `1.166.15` affected `1.166.18`
@tanstack	solid-start	affected `1.167.65` affected `1.167.68`
@tanstack	solid-start-client	affected `1.166.50` affected `1.166.53`
@tanstack	solid-start-server	affected `1.166.54` affected `1.166.57`
@tanstack	start-client-core	affected `1.168.5` affected `1.168.8`
@tanstack	start-fn-stubs	affected `1.161.9` affected `1.161.12`
@tanstack	start-plugin-core	affected `1.169.23` affected `1.169.26`
@tanstack	start-server-core	affected `1.167.33` affected `1.167.36`
@tanstack	start-static-server-functions	affected `1.166.44` affected `1.166.47`
@tanstack	start-storage-context	affected `1.166.38` affected `1.166.41`
@tanstack	valibot-adapter	affected `1.166.12` affected `1.166.15`
@tanstack	virtual-file-routes	affected `1.161.10` affected `1.161.13`
@tanstack	vue-router	affected `1.169.5` affected `1.169.8`
@tanstack	vue-router-devtools	affected `1.166.16` affected `1.166.19`
@tanstack	vue-router-ssr-query	affected `1.166.15` affected `1.166.18`
@tanstack	vue-start	affected `1.167.61` affected `1.167.64`
@tanstack	vue-start-client	affected `1.166.46` affected `1.166.49`
@tanstack	vue-start-server	affected `1.166.50` affected `1.166.53`
@tanstack	zod-adapter	affected `1.166.12` affected `1.166.15`