On 2026-05-11, attackers chained three GitHub Actions weaknesses to publish 84 malicious, credential-stealing versions across 42 @tanstack/* npm packages under TanStack's legitimate trusted-publisher identity, and CISA added the vulnerability to its KEV catalog on 2026-05-27.
What Is It
CVE-2026-45321 is a critical (CVSS 9.6, CWE-506 Embedded Malicious Code) supply chain compromise of TanStack's npm publishing pipeline. Between roughly 19:20 and 19:26 UTC on 2026-05-11, 84 malicious versions across 42 @tanstack/* packages were pushed to the npm registry. The publishes authenticated successfully through the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router; the publish workflow itself was never modified. Instead, the attacker chained three known weakness classes: a pull_request_target "Pwn Request" misconfiguration (untrusted fork code executed with the base repository's privileges), GitHub Actions cache poisoning across the fork↔base trust boundary (a cache entry written by the fork-triggered run was later restored by a trusted job), and runtime extraction of the OIDC token from the memory of the Actions runner process. The stolen token was then used to publish credential-stealing malware under the trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
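To make the first two links of that chain concrete, here is an added example (not TanStack's code, and not the workflow that was attacked): a line-based heuristic scanner that flags a pull_request_target workflow checking out the pull request head and, in the same job, writing an actions/cache entry or holding id-token: write. Both workflow texts are constructed for the example; the hardened variant shows the configuration that avoids the pattern.

```javascript
// Added example, not TanStack's code: a line-based heuristic scanner for the
// pull_request_target "Pwn Request" pattern and the cache-poisoning and OIDC
// exposure that follow from it. Both workflow texts are constructed samples.

const VULNERABLE_WORKFLOW = [
  'name: pr-checks',
  'on:',
  '  pull_request_target:',        // runs in the base repo with its token and secrets
  '    types: [opened, synchronize]',
  'permissions:',
  '  contents: write',
  '  id-token: write',              // the job may mint an OIDC token
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          ref: ${{ github.event.pull_request.head.sha }}', // fork-controlled code
  '      - uses: actions/cache@v4', // cache scope is the base branch, not the fork
  '        with:',
  '          path: node_modules',
  "          key: deps-${{ hashFiles('package-lock.json') }}",
  '      - run: npm ci && npm test', // fork code (install scripts, tests) executes here
].join('\n');

const HARDENED_WORKFLOW = [
  'name: pr-checks',
  'on:',
  '  pull_request:',                // fork PRs get a read-only token and no secrets
  'permissions:',
  '  contents: read',
  'jobs:',
  '  test:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4', // default ref: the PR merge commit
  '        with:',
  '          persist-credentials: false',
  '      - run: npm ci && npm test',
].join('\n');

// Returns finding identifiers for one workflow file's text.
function scanWorkflow(text) {
  const lines = text.split('\n');
  const jobsAt = lines.findIndex((l) => /^jobs:/.test(l));
  const header = jobsAt === -1 ? lines : lines.slice(0, jobsAt);

  const prtTrigger = header.some((l) => /\bpull_request_target\b/.test(l));
  const checksOutPrHead = lines.some((l) =>
    /^\s*ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}/.test(l));
  const usesCache = lines.some((l) => /^\s*-?\s*uses:\s*actions\/cache@/.test(l));
  const idTokenWrite = lines.some((l) => /^\s*id-token:\s*write\b/.test(l));

  const findings = [];
  // Untrusted fork code runs with the base repository's GITHUB_TOKEN and secrets.
  if (prtTrigger && checksOutPrHead) findings.push('pwn-request');
  // That run also writes a cache entry that later trusted runs on the base branch restore.
  if (prtTrigger && checksOutPrHead && usesCache) findings.push('cache-poisoning');
  // And it runs inside a job that can mint an OIDC token for trusted publishing.
  if (prtTrigger && checksOutPrHead && idTokenWrite) findings.push('oidc-token-exposure');
  return findings;
}

console.log('vulnerable:', scanWorkflow(VULNERABLE_WORKFLOW));
console.log('hardened:  ', scanWorkflow(HARDENED_WORKFLOW));
```

The scanner is a triage aid only: it matches lines rather than parsing YAML, and it does not follow workflow_run chains or reusable workflows, which are the other common routes for fork-controlled input to reach a privileged job. The hardened variant is the usual fix: run fork pull requests under pull_request, where the token is read-only and secrets are withheld, and keep any job that needs id-token: write from ever executing untrusted code or restoring a cache that untrusted code could have written.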
Why It Matters
CISA added CVE-2026-45321 to the Known Exploited Vulnerabilities catalog on 2026-05-27, confirming active exploitation in the wild. Because the malicious packages were published through TanStack's authentic OIDC identity, the provenance attached to them was genuine: downstream consumers and provenance tooling had no signature-level signal that anything was wrong, and signature or provenance checks alone could not separate the malicious versions from legitimate ones. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) encodes a network-reachable, low-complexity, unauthenticated attack whose only required user interaction is installing the package, with a scope change and high impact to confidentiality, integrity, and availability, which is typical of a credential stealer landing in a widely used framework's dependency graph.
What's Vulnerable
The CVE enumerates specific malicious versions across the @tanstack/* namespace, including but not limited to:
@tanstack/react-router: 1.169.5, 1.169.8
@tanstack/react-start: 1.167.68, 1.167.71
@tanstack/react-router-devtools: 1.166.16, 1.166.19
@tanstack/react-router-ssr-query: 1.166.15, 1.166.18
@tanstack/react-start-client: 1.166.51, 1.166.54
@tanstack/arktype-adapter: 1.166.12, 1.166.15
@tanstack/eslint-plugin-router: 1.161.9, 1.161.12
@tanstack/eslint-plugin-start: 0.0.4, 0.0.7
@tanstack/history: 1.161.9, 1.161.12
@tanstack/nitro-v2-vite-plugin: 1.154.12, 1.154.15
@tanstack/react-start-rsc: 0.0.47
With the exception of @tanstack/react-start-rsc, for which only one version is listed, each listed package received exactly two malicious versions, published a few minutes apart in the 2026-05-11 window.
Patch Status
Per CISA's required action, federal civilian agencies must apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. The due date is 2026-06-10. Consumers should pin away from the enumerated malicious versions, audit lockfiles and CI caches for the affected @tanstack/* releases, and rotate any secrets that may have been exposed by builds pulling the poisoned packages.
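As an added example of the lockfile audit (not TanStack's or npm's tooling), the following script checks a package-lock.json for the versions enumerated under What's Vulnerable. It handles lockfileVersion 2/3, where packages are keyed by install path, and lockfileVersion 1, where dependencies are nested; the lockfile it runs on is constructed for the demonstration.

```javascript
// Added example (not TanStack's or npm's code): audit a package-lock.json for
// the malicious @tanstack/* versions enumerated in the advisory above.
// SAMPLE_LOCKFILE is constructed for the demonstration.

const MALICIOUS_VERSIONS = {
  '@tanstack/react-router': ['1.169.5', '1.169.8'],
  '@tanstack/react-start': ['1.167.68', '1.167.71'],
  '@tanstack/react-router-devtools': ['1.166.16', '1.166.19'],
  '@tanstack/react-router-ssr-query': ['1.166.15', '1.166.18'],
  '@tanstack/react-start-client': ['1.166.51', '1.166.54'],
  '@tanstack/arktype-adapter': ['1.166.12', '1.166.15'],
  '@tanstack/eslint-plugin-router': ['1.161.9', '1.161.12'],
  '@tanstack/eslint-plugin-start': ['0.0.4', '0.0.7'],
  '@tanstack/history': ['1.161.9', '1.161.12'],
  '@tanstack/nitro-v2-vite-plugin': ['1.154.12', '1.154.15'],
  '@tanstack/react-start-rsc': ['0.0.47'],
};

// lockfileVersion 1: "dependencies" is a tree of name -> { version, dependencies }.
function* walkV1(deps, prefix = '') {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, version: meta.version, path };
    yield* walkV1(meta.dependencies, `${path}/`);
  }
}

// lockfileVersion 2/3: "packages" is keyed by install path, e.g.
// "node_modules/@tanstack/history" or "node_modules/x/node_modules/@tanstack/history".
function* walkV2(packages) {
  for (const [path, meta] of Object.entries(packages || {})) {
    if (path === '') continue;                  // the root project entry
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue;                   // workspace links, not installed packages
    yield { name: path.slice(idx + 'node_modules/'.length), version: meta.version, path };
  }
}

// Returns every installed entry whose name and exact version are on the list,
// including copies nested under other packages.
function findMaliciousInLockfile(lock) {
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies);
  const hits = [];
  for (const e of entries) {
    const bad = MALICIOUS_VERSIONS[e.name];
    if (bad && bad.includes(e.version)) hits.push({ name: e.name, version: e.version, path: e.path });
  }
  return hits;
}

const SAMPLE_LOCKFILE = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@tanstack/react-router': '^1.169.0' } },
    'node_modules/@tanstack/react-router': { version: '1.169.5' },                   // listed
    'node_modules/@tanstack/history': { version: '1.161.10' },                       // not listed
    'node_modules/some-tool/node_modules/@tanstack/history': { version: '1.161.12' }, // listed, nested
  },
};

console.log(findMaliciousInLockfile(SAMPLE_LOCKFILE));
```

To run it against a real project, replace SAMPLE_LOCKFILE with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')). Two caveats: the match is on exact listed versions only, so a semver range in package.json that could still resolve to one of them is not flagged until the lockfile does; and a CI job that restores node_modules from a cache never consults the lockfile, which is why the cache itself has to be checked or invalidated as well.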