JustAppSec
CRITICAL Severity · CVSS 3.1 base score 9.6 · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVE-2026-45321

Last updated May 12, 2026 · Published May 12, 2026


Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Affected products

1 listed
  • @tanstack:arktype-adapter; @tanstack:eslint-plugin-router; @tanstack:eslint-plugin-start; @tanstack:history; @tanstack:nitro-v2-vite-plugin; @tanstack:outer-vite-plugin; @tanstack:react-router; @tanstack:react-router-devtools; @tanstack:react-router-ssr-query; @tanstack:react-start; @tanstack:react-start-client; @tanstack:react-start-rsc; @tanstack:react-start-server; @tanstack:router-cli; @tanstack:router-core; @tanstack:router-devtools; @tanstack:router-devtools-core; @tanstack:router-generator; @tanstack:router-plugin; @tanstack:router-ssr-query-core; @tanstack:router-utils; @tanstack:solid-router; @tanstack:solid-router-devtools; @tanstack:solid-router-ssr-query; @tanstack:solid-start; @tanstack:solid-start-client; @tanstack:solid-start-server; @tanstack:start-client-core; @tanstack:start-fn-stubs; @tanstack:start-plugin-core; @tanstack:start-server-core; @tanstack:start-static-server-functions; @tanstack:start-storage-context; @tanstack:valibot-adapter; @tanstack:virtual-file-routes; @tanstack:vue-router; @tanstack:vue-router-devtools; @tanstack:vue-router-ssr-query; @tanstack:vue-start; @tanstack:vue-start-client; @tanstack:vue-start-server; @tanstack:zod-adapter

Mappings

CWE

CWE-506

CAPEC

None listed.

CVE® content © MITRE Corporation. Licensed under the CVE Terms of Use.
