{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45321","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-05-11T20:50:30.539Z","datePublished":"2026-05-12T00:12:35.452Z","dateUpdated":"2026-05-28T03:55:26.991Z"},"containers":{"cna":{"title":"Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys","problemTypes":[{"descriptions":[{"cweId":"CWE-506","lang":"en","description":"CWE-506: Embedded Malicious Code","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"name":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx","tags":["x_refsource_CONFIRM"],"url":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx"},{"name":"https://github.com/TanStack/router/issues/7383","tags":["x_refsource_MISC"],"url":"https://github.com/TanStack/router/issues/7383"},{"name":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem","tags":["x_refsource_MISC"],"url":"https://tanstack.com/blog/npm-supply-chain-compromise-postmortem"},{"name":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem","tags":["x_refsource_MISC"],"url":"https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem"}],"affected":[{"vendor":"@tanstack","product":"arktype-adapter","versions":[{"version":"1.166.12","status":"affected"},{"version":"1.166.15","status":"affected"}]},{"vendor":"@tanstack","product":"eslint-plugin-router","versions":[{"version":"1.161.9","status
":"affected"},{"version":"1.161.12","status":"affected"}]},{"vendor":"@tanstack","product":"eslint-plugin-start","versions":[{"version":"0.0.4","status":"affected"},{"version":"0.0.7","status":"affected"}]},{"vendor":"@tanstack","product":"history","versions":[{"version":"1.161.9","status":"affected"},{"version":"1.161.12","status":"affected"}]},{"vendor":"@tanstack","product":"nitro-v2-vite-plugin","versions":[{"version":"1.154.12","status":"affected"},{"version":"1.154.15","status":"affected"}]},{"vendor":"@tanstack","product":"react-router","versions":[{"version":"1.169.5","status":"affected"},{"version":"1.169.8","status":"affected"}]},{"vendor":"@tanstack","product":"react-router-devtools","versions":[{"version":"1.166.16","status":"affected"},{"version":"1.166.19","status":"affected"}]},{"vendor":"@tanstack","product":"react-router-ssr-query","versions":[{"version":"1.166.15","status":"affected"},{"version":"1.166.18","status":"affected"}]},{"vendor":"@tanstack","product":"react-start","versions":[{"version":"1.167.68","status":"affected"},{"version":"1.167.71","status":"affected"}]},{"vendor":"@tanstack","product":"react-start-client","versions":[{"version":"1.166.51","status":"affected"},{"version":"1.166.54","status":"affected"}]},{"vendor":"@tanstack","product":"react-start-rsc","versions":[{"version":"0.0.47","status":"affected"},{"version":"0.0.50","status":"affected"}]},{"vendor":"@tanstack","product":"react-start-server","versions":[{"version":"1.166.55","status":"affected"},{"version":"1.166.58","status":"affected"}]},{"vendor":"@tanstack","product":"router-cli","versions":[{"version":"1.166.46","status":"affected"},{"version":"1.166.49","status":"affected"}]},{"vendor":"@tanstack","product":"router-core","versions":[{"version":"1.169.5","status":"affected"},{"version":"1.169.8","status":"affected"}]},{"vendor":"@tanstack","product":"router-devtools","versions":[{"version":"1.166.16","status":"affected"},{"version":"1.166.19","status":"affected"}]},{"
vendor":"@tanstack","product":"router-devtools-core","versions":[{"version":"1.167.6","status":"affected"},{"version":"1.167.9","status":"affected"}]},{"vendor":"@tanstack","product":"router-generator","versions":[{"version":"1.166.45","status":"affected"},{"version":"1.166.48","status":"affected"}]},{"vendor":"@tanstack","product":"router-plugin","versions":[{"version":"1.167.38","status":"affected"},{"version":"1.167.41","status":"affected"}]},{"vendor":"@tanstack","product":"router-ssr-query-core","versions":[{"version":"1.168.3","status":"affected"},{"version":"1.168.6","status":"affected"}]},{"vendor":"@tanstack","product":"router-utils","versions":[{"version":"1.161.11","status":"affected"},{"version":"1.161.14","status":"affected"}]},{"vendor":"@tanstack","product":"router-vite-plugin","versions":[{"version":"1.166.53","status":"affected"},{"version":"1.166.56","status":"affected"}]},{"vendor":"@tanstack","product":"solid-router","versions":[{"version":"1.169.5","status":"affected"},{"version":"1.169.8","status":"affected"}]},{"vendor":"@tanstack","product":"solid-router-devtools","versions":[{"version":"1.166.16","status":"affected"},{"version":"1.166.19","status":"affected"}]},{"vendor":"@tanstack","product":"solid-router-ssr-query","versions":[{"version":"1.166.15","status":"affected"},{"version":"1.166.18","status":"affected"}]},{"vendor":"@tanstack","product":"solid-start","versions":[{"version":"1.167.65","status":"affected"},{"version":"1.167.68","status":"affected"}]},{"vendor":"@tanstack","product":"solid-start-client","versions":[{"version":"1.166.50","status":"affected"},{"version":"1.166.53","status":"affected"}]},{"vendor":"@tanstack","product":"solid-start-server","versions":[{"version":"1.166.54","status":"affected"},{"version":"1.166.57","status":"affected"}]},{"vendor":"@tanstack","product":"start-client-core","versions":[{"version":"1.168.5","status":"affected"},{"version":"1.168.8","status":"affected"}]},{"vendor":"@tanstack","product":"star
t-fn-stubs","versions":[{"version":"1.161.9","status":"affected"},{"version":"1.161.12","status":"affected"}]},{"vendor":"@tanstack","product":"start-plugin-core","versions":[{"version":"1.169.23","status":"affected"},{"version":"1.169.26","status":"affected"}]},{"vendor":"@tanstack","product":"start-server-core","versions":[{"version":"1.167.33","status":"affected"},{"version":"1.167.36","status":"affected"}]},{"vendor":"@tanstack","product":"start-static-server-functions","versions":[{"version":"1.166.44","status":"affected"},{"version":"1.166.47","status":"affected"}]},{"vendor":"@tanstack","product":"start-storage-context","versions":[{"version":"1.166.38","status":"affected"},{"version":"1.166.41","status":"affected"}]},{"vendor":"@tanstack","product":"valibot-adapter","versions":[{"version":"1.166.12","status":"affected"},{"version":"1.166.15","status":"affected"}]},{"vendor":"@tanstack","product":"virtual-file-routes","versions":[{"version":"1.161.10","status":"affected"},{"version":"1.161.13","status":"affected"}]},{"vendor":"@tanstack","product":"vue-router","versions":[{"version":"1.169.5","status":"affected"},{"version":"1.169.8","status":"affected"}]},{"vendor":"@tanstack","product":"vue-router-devtools","versions":[{"version":"1.166.16","status":"affected"},{"version":"1.166.19","status":"affected"}]},{"vendor":"@tanstack","product":"vue-router-ssr-query","versions":[{"version":"1.166.15","status":"affected"},{"version":"1.166.18","status":"affected"}]},{"vendor":"@tanstack","product":"vue-start","versions":[{"version":"1.167.61","status":"affected"},{"version":"1.167.64","status":"affected"}]},{"vendor":"@tanstack","product":"vue-start-client","versions":[{"version":"1.166.46","status":"affected"},{"version":"1.166.49","status":"affected"}]},{"vendor":"@tanstack","product":"vue-start-server","versions":[{"version":"1.166.50","status":"affected"},{"version":"1.166.53","status":"affected"}]},{"vendor":"@tanstack","product":"zod-adapter","versions":[{"ver
sion":"1.166.12","status":"affected"},{"version":"1.166.15","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-05-12T15:16:17.354Z"},"descriptions":[{"lang":"en","value":"On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target \"Pwn Request\" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart."}],"source":{"advisory":"GHSA-g7cv-rxg3-hmpx","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321","tags":["government-resource"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-27T00:00:00+00:00","options":[{"Exploitation":"active"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-45321"}}},{"other":{"type":"kev","content":{"dateAdded":"2026-05-27","reference":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-28T03:55:26.991Z"},"timeline":[{"time":"2026-05-27T00:00:00.000Z","lang":"en","value":"CVE-2026-45321 added to CISA KEV"}]}]}}