CVE-2026-45321 - Vulnerability Details

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00027.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

@tanstack

arktype-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

eslint-plugin-router

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

eslint-plugin-start

affected

Version	Status	Constraints
`0.0.4`	affected	—
`0.0.7`	affected	—

@tanstack

history

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

nitro-v2-vite-plugin

affected

Version	Status	Constraints
`1.154.12`	affected	—
`1.154.15`	affected	—

@tanstack

react-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

react-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

react-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

react-start

affected

Version	Status	Constraints
`1.167.68`	affected	—
`1.167.71`	affected	—

@tanstack

react-start-client

affected

Version	Status	Constraints
`1.166.51`	affected	—
`1.166.54`	affected	—

@tanstack

react-start-rsc

affected

Version	Status	Constraints
`0.0.47`	affected	—
`0.0.50`	affected	—

@tanstack

react-start-server

affected

Version	Status	Constraints
`1.166.55`	affected	—
`1.166.58`	affected	—

@tanstack

router-cli

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

router-core

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

router-devtools-core

affected

Version	Status	Constraints
`1.167.6`	affected	—
`1.167.9`	affected	—

@tanstack

router-generator

affected

Version	Status	Constraints
`1.166.45`	affected	—
`1.166.48`	affected	—

@tanstack

router-plugin

affected

Version	Status	Constraints
`1.167.38`	affected	—
`1.167.41`	affected	—

@tanstack

router-ssr-query-core

affected

Version	Status	Constraints
`1.168.3`	affected	—
`1.168.6`	affected	—

@tanstack

router-utils

affected

Version	Status	Constraints
`1.161.11`	affected	—
`1.161.14`	affected	—

@tanstack

outer-vite-plugin

affected

Version	Status	Constraints
`1.166.53`	affected	—
`1.166.56`	affected	—

@tanstack

solid-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

solid-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

solid-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

solid-start

affected

Version	Status	Constraints
`1.167.65`	affected	—
`1.167.68`	affected	—

@tanstack

solid-start-client

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

solid-start-server

affected

Version	Status	Constraints
`1.166.54`	affected	—
`1.166.57`	affected	—

@tanstack

start-client-core

affected

Version	Status	Constraints
`1.168.5`	affected	—
`1.168.8`	affected	—

@tanstack

start-fn-stubs

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

start-plugin-core

affected

Version	Status	Constraints
`1.169.23`	affected	—
`1.169.26`	affected	—

@tanstack

start-server-core

affected

Version	Status	Constraints
`1.167.33`	affected	—
`1.167.36`	affected	—

@tanstack

start-static-server-functions

affected

Version	Status	Constraints
`1.166.44`	affected	—
`1.166.47`	affected	—

@tanstack

start-storage-context

affected

Version	Status	Constraints
`1.166.38`	affected	—
`1.166.41`	affected	—

@tanstack

valibot-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

virtual-file-routes

affected

Version	Status	Constraints
`1.161.10`	affected	—
`1.161.13`	affected	—

@tanstack

vue-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

vue-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

vue-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

vue-start

affected

Version	Status	Constraints
`1.167.61`	affected	—
`1.167.64`	affected	—

@tanstack

vue-start-client

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

vue-start-server

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

zod-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js::

Configuration 2 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js::

Configuration 3 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js::

Configuration 4 [-]

OR	cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js::

Configuration 5 [-]

OR	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js::

Configuration 6 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js::

Configuration 7 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js::

Configuration 8 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js::

Configuration 9 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js::

Configuration 10 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js::

Configuration 11 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js::

Configuration 12 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js::

Configuration 13 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js::

Configuration 14 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js::

Configuration 15 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js::

Configuration 16 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js::

Configuration 17 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js::

Configuration 18 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js::

Configuration 19 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js::

Configuration 20 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js::

Configuration 21 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js::

Configuration 22 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js::

Configuration 23 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js::

Configuration 24 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js::

Configuration 25 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js::

Configuration 26 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js::

Configuration 27 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js::

Configuration 28 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js::

Configuration 29 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js::

Configuration 30 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js::

Configuration 31 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js::

Configuration 32 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js::

Configuration 33 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js::

Configuration 34 [-]

OR	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js::

Configuration 35 [-]

OR	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js::

Configuration 36 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js::

Configuration 37 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js::

Configuration 38 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js::

Configuration 39 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js::

Configuration 40 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js::

Configuration 41 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js::

Configuration 42 [-]

OR	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Tanstack Subscribe	Arktype-adapter Subscribe Eslint-plugin-router Subscribe Eslint-plugin-start Subscribe History Subscribe Nitro-v2-vite-plugin Subscribe Outer-vite-plugin Subscribe React-router Subscribe React-router-devtools Subscribe React-router-ssr-query Subscribe React-start Subscribe React-start-client Subscribe React-start-rsc Subscribe React-start-server Subscribe Router-cli Subscribe Router-core Subscribe Router-devtools Subscribe Router-devtools-core Subscribe Router-generator Subscribe Router-plugin Subscribe Router-ssr-query-core Subscribe Router-utils Subscribe Solid-router Subscribe Solid-router-devtools Subscribe Solid-router-ssr-query Subscribe Solid-start Subscribe Solid-start-client Subscribe Solid-start-server Subscribe Start-client-core Subscribe Start-fn-stubs Subscribe Start-plugin-core Subscribe Start-server-core Subscribe Start-static-server-functions Subscribe Start-storage-context Subscribe Valibot-adapter Subscribe Virtual-file-routes Subscribe Vue-router Subscribe Vue-router-devtools Subscribe Vue-router-ssr-query Subscribe Vue-start Subscribe Vue-start-client Subscribe Vue-start-server Subscribe Zod-adapter Subscribe

Project Subscriptions

Vendors	Products
Tanstack Subscribe	Arktype-adapter Subscribe Eslint-plugin-router Subscribe Eslint-plugin-start Subscribe History Subscribe Nitro-v2-vite-plugin Subscribe Outer-vite-plugin Subscribe React-router Subscribe React-router-devtools Subscribe React-router-ssr-query Subscribe React-start Subscribe React-start-client Subscribe React-start-rsc Subscribe React-start-server Subscribe Router-cli Subscribe Router-core Subscribe Router-devtools Subscribe Router-devtools-core Subscribe Router-generator Subscribe Router-plugin Subscribe Router-ssr-query-core Subscribe Router-utils Subscribe Solid-router Subscribe Solid-router-devtools Subscribe Solid-router-ssr-query Subscribe Solid-start Subscribe Solid-start-client Subscribe Solid-start-server Subscribe Start-client-core Subscribe Start-fn-stubs Subscribe Start-plugin-core Subscribe Start-server-core Subscribe Start-static-server-functions Subscribe Start-storage-context Subscribe Tanstack\/arktype-adapter Subscribe Tanstack\/eslint-plugin-router Subscribe Tanstack\/eslint-plugin-start Subscribe Tanstack\/history Subscribe Tanstack\/nitro-v2-vite-plugin Subscribe Tanstack\/react-router Subscribe Tanstack\/react-router-devtools Subscribe Tanstack\/react-router-ssr-query Subscribe Tanstack\/react-start Subscribe Tanstack\/react-start-client Subscribe Tanstack\/react-start-rsc Subscribe Tanstack\/react-start-server Subscribe Tanstack\/router-cli Subscribe Tanstack\/router-core Subscribe Tanstack\/router-devtools Subscribe Tanstack\/router-devtools-core Subscribe Tanstack\/router-generator Subscribe Tanstack\/router-plugin Subscribe Tanstack\/router-ssr-query-core Subscribe Tanstack\/router-utils Subscribe Tanstack\/router-vite-plugin Subscribe Tanstack\/solid-router Subscribe Tanstack\/solid-router-devtools Subscribe Tanstack\/solid-router-ssr-query Subscribe Tanstack\/solid-start Subscribe Tanstack\/solid-start-client Subscribe Tanstack\/solid-start-server Subscribe Tanstack\/start-client-core Subscribe Tanstack\/start-fn-stubs Subscribe Tanstack\/start-plugin-core Subscribe Tanstack\/start-server-core Subscribe Tanstack\/start-static-server-functions Subscribe Tanstack\/start-storage-context Subscribe Tanstack\/valibot-adapter Subscribe Tanstack\/virtual-file-routes Subscribe Tanstack\/vue-router Subscribe Tanstack\/vue-router-devtools Subscribe Tanstack\/vue-router-ssr-query Subscribe Tanstack\/vue-start Subscribe Tanstack\/vue-start-client Subscribe Tanstack\/vue-start-server Subscribe Tanstack\/zod-adapter Subscribe Valibot-adapter Subscribe Virtual-file-routes Subscribe Vue-router Subscribe Vue-router-devtools Subscribe Vue-router-ssr-query Subscribe Vue-start Subscribe Vue-start-client Subscribe Vue-start-server Subscribe Zod-adapter Subscribe

Advisories

Source	ID	Title
Github GHSA	GHSA-g7cv-rxg3-hmpx	Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/TanStack/router/issues/7383
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

History

Thu, 14 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter
CPEs		cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::
Vendors & Products		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter

Tue, 12 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
References		https://tanstack.com/blog/npm-supply-chain-compromise-postmortem https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter
Vendors & Products		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Title		Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Weaknesses		CWE-506
References		https://github.com/TanStack/router/issues/7383 https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T00:12:35.452Z

Updated: 2026-05-12T15:16:17.354Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

Vulnrichment

Updated: 2026-05-12T13:21:29.648Z

NVD

Status : Analyzed

Published: 2026-05-12T01:16:46.820

Modified: 2026-05-14T17:05:28.793

Link: CVE-2026-45321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:12Z

Weaknesses

CWE-506

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object