Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This entry does not describe a code flaw in the @tanstack packages themselves. It records that an attacker published malicious versions of 42 @tanstack/* packages using the project's legitimate GitHub Actions OIDC trusted-publisher identity, without modifying the publish workflow. The attacker chained a pull_request_target "Pwn Request" misconfiguration, cache poisoning across the fork-to-base trust boundary, and extraction of the OIDC token from the Actions runner process memory to obtain a publish credential, then shipped packages that exfiltrate cloud credentials, GitHub tokens, and SSH keys. The weakness is classified as CWE-506 (Embedded Malicious Code); the impact is a loss of confidentiality, and in practice of any secret reachable from a developer machine or CI runner that installed one of the malicious versions.

Affected Systems

The advisory lists 42 @tanstack/* packages, among them arktype-adapter, eslint-plugin-router, history, react-router, react-start, solid-router, vue-router and zod-adapter; the full list is enumerated under History below. Each received exactly two malicious versions, 84 in total. The advisory gives no version numbers, so any version of these packages whose registry publish time falls between 2026-05-11 19:20 and 19:26 UTC should be treated as compromised. The publish time is the discriminator: the malicious versions carry valid provenance because they were published through the legitimate trusted-publisher binding.

Risk and Exploitability

The CVSS 3.1 score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects a network-delivered compromise with high impact on confidentiality, integrity and availability and a scope change: installing the package compromises the host and the credentials it holds, not just the application. User interaction is required only in the sense that a consumer must install or update to a malicious version. EPSS is not available for this entry, and it is not listed in CISA KEV at this time. No skill is needed on the consumer side; the three-step chain (an unprotected pull_request_target workflow, cache poisoning across the fork boundary, and extraction of the OIDC token from runner memory) had to succeed only once, on the maintainer's CI, to yield a publish credential, after which the malicious versions reached any consumer who installed them.

Generated by OpenCVE AI on May 12, 2026 at 02:20 UTC.
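The three-step chain in the description and the risk analysis above can be caught on the maintainer side before an attacker uses it. The following is an added example, not TanStack's workflow or any OpenCVE or GitHub tooling: a heuristic Python scanner for the pull_request_target "Pwn Request" pattern, run over three constructed workflow samples (a vulnerable one, a hardened one, and a label-only pull_request_target job that is safe because it never checks out fork code). The finding codes, regexes and sample workflows are the example's own assumptions.

```python
# Added example (not TanStack's workflow, not OpenCVE/GitHub tooling): a
# heuristic scanner for the "Pwn Request" pattern. A workflow is flagged when it
# (1) runs on pull_request_target, so it carries base-repository permissions and
# secrets, and (2) checks out the fork's head commit; it is flagged further when
# (3) that code is executed through package-manager install scripts, or (4) the
# job writes to the Actions cache, which pull_request_target jobs share with
# base-branch workflows such as a release job, and (5) id-token: write is
# granted, so an OIDC publish token can be minted in the job.
# Line-oriented regexes, not a YAML parser: multi-line `run: |` blocks are missed.
import re

PR_TARGET      = re.compile(r"^\s*pull_request_target\s*:", re.MULTILINE)
FORK_HEAD_REF  = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}")
INSTALL_STEP   = re.compile(r"run:\s*(.*\b(?:npm|pnpm|yarn)\s+(?:install|ci|i)\b.*)")
CACHE_USE      = re.compile(r"(?:uses:\s*actions/cache@|^\s*cache:\s*\S+)", re.MULTILINE)
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\b", re.MULTILINE)


def audit_workflow(text: str) -> list:
    """Return finding codes for one workflow file (empty list = nothing found)."""
    findings = []
    if not PR_TARGET.search(text):
        return findings                          # plain pull_request: fork code runs unprivileged
    if FORK_HEAD_REF.search(text):
        findings.append("PWN_REQUEST")           # privileged job checks out attacker-controlled code
        for m in INSTALL_STEP.finditer(text):
            if "--ignore-scripts" not in m.group(1):
                findings.append("RUNS_FORK_CODE")   # fork's lifecycle scripts execute in the job
                break
        if CACHE_USE.search(text):
            findings.append("CACHE_SHARED_WITH_BASE")  # fork-influenced cache, readable by release jobs
    if ID_TOKEN_WRITE.search(text):
        findings.append("ID_TOKEN_WRITE")        # OIDC token mintable while fork code can run
    return findings


# Constructed sample: the vulnerable pattern.
VULNERABLE = """\
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
      - run: pnpm test
"""

# Constructed sample: hardened. pull_request gives fork PRs a read-only token and
# no secrets, so checking out and testing the fork's code is fine there.
HARDENED = """\
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
      - run: pnpm install --ignore-scripts
      - run: pnpm test
"""

# Constructed sample: pull_request_target used legitimately (labeling), never
# checking out fork code. The trigger alone is not the bug.
LABEL_ONLY = """\
on:
  pull_request_target:
    types: [opened]
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""


def audit_all(samples=None) -> dict:
    samples = samples or {"vulnerable": VULNERABLE, "hardened": HARDENED, "label_only": LABEL_ONLY}
    return {name: audit_workflow(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {findings or 'OK'}")
```

The label-only case is why a blanket "disallow pull_request_target" rule is the wrong lesson: the trigger is safe as long as the job never checks out or executes the fork's code and nothing it writes to the cache is consumed by the release workflow. A clean result from this scanner is a starting point, not a proof, since it does not follow composite or reusable actions.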

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Audit lockfiles for @tanstack/* versions whose registry publish time falls between 2026-05-11 19:20 and 19:26 UTC; remove them or pin to a version published before that window, and verify lockfile integrity
  • Update to the clean releases TanStack publishes following the official advisory (GHSA-g7cv-rxg3-hmpx)
  • Treat every credential reachable from a host or CI runner that installed a malicious version (cloud credentials, GitHub tokens, SSH keys) as exposed, and rotate it
  • In your own GitHub Actions workflows, never check out or execute fork-controlled code under pull_request_target, do not let fork-triggered jobs write to a cache that release workflows read, and keep id-token: write off any job that fork code can influence
  • Do not rely on npm provenance or signature checks to catch these versions: they were published through the legitimate trusted-publisher binding and carry valid attestations, so the publish timestamp, not the signature, is the discriminator
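Because the malicious versions were published through the legitimate trusted publisher, provenance checks pass on them; the publish timestamp is what distinguishes them. The following added example (not TanStack's or npm's tooling) reads a package-lock.json, compares each @tanstack/* version's registry publish time against the 19:20 to 19:26 UTC window with a few minutes of slack, and names the newest pre-window version as a rollback candidate. The lockfile and the registry "time" records are constructed for the example, with hypothetical version numbers since the advisory lists none; against a live project you would substitute the output of `npm view <pkg> time --json` and your own lockfile.

```python
# Added example (not TanStack's or npm's tooling): consumer-side triage of a
# package-lock.json against the malicious publish window. Registry data has the
# shape of `npm view <pkg> time --json` but is constructed; 1.0.1 and 1.0.2 are
# hypothetical stand-ins for the two unnamed malicious versions per package.
import json
from datetime import datetime, timedelta, timezone

WINDOW_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)
WINDOW_END   = datetime(2026, 5, 11, 19, 26, tzinfo=timezone.utc)
SLACK        = timedelta(minutes=5)   # the advisory says "approximately"; widen the net

# Constructed registry metadata (version -> publish time), hypothetical versions.
REGISTRY_TIME = {
    "@tanstack/react-router": {
        "created":  "2023-01-01T00:00:00.000Z",
        "modified": "2026-05-11T19:24:40.000Z",
        "1.0.0":    "2026-05-01T12:00:00.000Z",   # hypothetical clean release
        "1.0.1":    "2026-05-11T19:21:05.000Z",   # hypothetical, inside the window
        "1.0.2":    "2026-05-11T19:24:40.000Z",   # hypothetical, inside the window
    },
    "@tanstack/history": {
        "created":  "2023-01-01T00:00:00.000Z",
        "modified": "2026-04-20T08:00:00.000Z",
        "2.0.0":    "2026-04-20T08:00:00.000Z",   # hypothetical clean release
    },
}

# Constructed lockfileVersion 3 package-lock.json.
LOCKFILE = json.loads("""{
  "name": "app", "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@tanstack/react-router": "^1.0.0"}},
    "node_modules/@tanstack/react-router": {"version": "1.0.2"},
    "node_modules/@tanstack/history": {"version": "2.0.0"},
    "node_modules/lodash": {"version": "4.17.21"}
  }
}""")


def parse_npm_time(value: str) -> datetime:
    """npm registry timestamps are ISO-8601 with millisecond precision and a Z suffix."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def in_window(published: datetime) -> bool:
    return WINDOW_START - SLACK <= published <= WINDOW_END + SLACK


def installed_packages(lock: dict):
    """Yield (name, version) for every node_modules entry of a v2/v3 lockfile."""
    for path, entry in lock["packages"].items():
        if path:                                   # "" is the root project itself
            yield path.rsplit("node_modules/", 1)[-1], entry["version"]


def classify(lock: dict, registry_time: dict, scope: str = "@tanstack/") -> dict:
    """Map each in-scope installed package to (version, 'suspect'|'clean'|'unknown')."""
    result = {}
    for name, version in installed_packages(lock):
        if not name.startswith(scope):
            continue
        published = registry_time.get(name, {}).get(version)
        if published is None:
            result[name] = (version, "unknown")     # no registry data: resolve before trusting
        elif in_window(parse_npm_time(published)):
            result[name] = (version, "suspect")
        else:
            result[name] = (version, "clean")
    return result


def last_version_before_window(name: str, registry_time: dict):
    """Newest version published before the window: a rollback candidate until the
    vendor's post-incident releases are confirmed through the official advisory."""
    candidates = [
        (parse_npm_time(ts), version)
        for version, ts in registry_time.get(name, {}).items()
        if version not in ("created", "modified") and parse_npm_time(ts) < WINDOW_START - SLACK
    ]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for name, (version, verdict) in classify(LOCKFILE, REGISTRY_TIME).items():
        line = f"{name}@{version}: {verdict}"
        if verdict == "suspect":
            line += f" -> roll back to {last_version_before_window(name, REGISTRY_TIME)}"
        print(line)
```

Anything reported as "unknown" (a version the registry no longer lists, which is what happens once malicious versions are removed) deserves the same treatment as "suspect" until its origin is confirmed; a removed version is not the same as a clean one.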


Advisories
Source: GitHub GHSA
ID: GHSA-g7cv-rxg3-hmpx
Title: Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
Tanstack
Tanstack arktype-adapter
Tanstack eslint-plugin-router
Tanstack eslint-plugin-start
Tanstack history
Tanstack nitro-v2-vite-plugin
Tanstack outer-vite-plugin
Tanstack react-router
Tanstack react-router-devtools
Tanstack react-router-ssr-query
Tanstack react-start
Tanstack react-start-client
Tanstack react-start-rsc
Tanstack react-start-server
Tanstack router-cli
Tanstack router-core
Tanstack router-devtools
Tanstack router-devtools-core
Tanstack router-generator
Tanstack router-plugin
Tanstack router-ssr-query-core
Tanstack router-utils
Tanstack solid-router
Tanstack solid-router-devtools
Tanstack solid-router-ssr-query
Tanstack solid-start
Tanstack solid-start-client
Tanstack solid-start-server
Tanstack start-client-core
Tanstack start-fn-stubs
Tanstack start-plugin-core
Tanstack start-server-core
Tanstack start-static-server-functions
Tanstack start-storage-context
Tanstack valibot-adapter
Tanstack virtual-file-routes
Tanstack vue-router
Tanstack vue-router-devtools
Tanstack vue-router-ssr-query
Tanstack vue-start
Tanstack vue-start-client
Tanstack vue-start-server
Tanstack zod-adapter
Type: Vendors & Products
Values Removed: none
Values Added:
Tanstack
Tanstack arktype-adapter
Tanstack eslint-plugin-router
Tanstack eslint-plugin-start
Tanstack history
Tanstack nitro-v2-vite-plugin
Tanstack outer-vite-plugin
Tanstack react-router
Tanstack react-router-devtools
Tanstack react-router-ssr-query
Tanstack react-start
Tanstack react-start-client
Tanstack react-start-rsc
Tanstack react-start-server
Tanstack router-cli
Tanstack router-core
Tanstack router-devtools
Tanstack router-devtools-core
Tanstack router-generator
Tanstack router-plugin
Tanstack router-ssr-query-core
Tanstack router-utils
Tanstack solid-router
Tanstack solid-router-devtools
Tanstack solid-router-ssr-query
Tanstack solid-start
Tanstack solid-start-client
Tanstack solid-start-server
Tanstack start-client-core
Tanstack start-fn-stubs
Tanstack start-plugin-core
Tanstack start-server-core
Tanstack start-static-server-functions
Tanstack start-storage-context
Tanstack valibot-adapter
Tanstack virtual-file-routes
Tanstack vue-router
Tanstack vue-router-devtools
Tanstack vue-router-ssr-query
Tanstack vue-start
Tanstack vue-start-client
Tanstack vue-start-server
Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type: Description
Values Added: On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Type: Title
Values Added: Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Type: Weaknesses
Values Added: CWE-506

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T00:12:35.452Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T01:16:46.820

Modified: 2026-05-12T01:16:46.820

Link: CVE-2026-45321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:12Z

Weaknesses