Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Published: 2026-05-12
Score: 9.6 Critical
EPSS: 17.1% Moderate
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an attacker publishing malicious versions of 42 @tanstack/* packages with legitimate GitHub Actions OIDC credentials. The attacker leveraged misconfigurations in pull_request_target workflows, cache poisoning across fork‑to‑base trust boundaries, and extraction of OIDC tokens from runner processes to embed credential‑stealing malware. The result was the exfiltration of cloud credentials, GitHub tokens, and SSH keys to the attacker. This is a high‑impact breach of confidentiality, categorized as CWE‑506.

Affected Systems

Affected products include every @tanstack package listed in the vulnerability, such as arktype‑adapter, eslint‑plugin‑router, react‑router, solid‑router, vue‑router, and others. In total, 84 malicious versions were released, exactly two for each of the 42 packages. No specific version numbers are provided in the advisory, but all releases published between 2026‑05‑11 19:20 and 19:26 UTC should be treated as compromised.

Risk and Exploitability

The CVSS score of 9.6 reflects a severe threat with high impact on confidentiality and potential widespread compromise. The EPSS score of 17% indicates the probability of exploitation is moderate, reflecting a higher likelihood that npm consumers could be affected when malicious versions are published. The vulnerability is listed in the CISA KEV catalog and requires coordinated misconfigurations—unprotected pull_request_target, cache poisoning across fork‑to‑base trust boundaries, and memory extraction of OIDC tokens—to be deployed. Once a malicious version is published, any consumer installing the affected @tanstack/* package immediately introduces credential‑stealing malware into their environment.

Generated by OpenCVE AI on May 30, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Uninstall or downgrade the compromised @tanstack packages and verify lockfile integrity
  • Update to the latest non‑malicious releases released by TanStack following the official advisories
  • Configure your GitHub Actions workflows to disallow pull_request_target usage and harden OIDC token handling
  • Enable npm package signing or integrity checks and verify signatures before installation

Generated by OpenCVE AI on May 30, 2026 at 14:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g7cv-rxg3-hmpx Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
History

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Abhishake1
Abhishake1 supersurkhet\/cli
Abhishake1 supersurkhet\/sdk
Abhishake1 taskflow-corp\/cli
Agentworkhq
Agentworkhq agentwork-cli
Antoinebcx
Antoinebcx ml-toolkit-ts
Antoinebcx ml-toolkit-ts\/preprocessing
Antoinebcx ml-toolkit-ts\/xgboost
Beproduct
Beproduct beproduct\/nestjs-auth
Christianalares
Christianalares git-git-git
Christianalares git Branch Selector
Christianalares nextmove-mcp
Christianalares tolka\/cli
Dirigible
Dirigible dirigible-ai\/sdk
Guardrailsai
Guardrailsai guardrails Ai
Kilbot
Kilbot tallyui\/components
Kilbot tallyui\/connector-medusa
Kilbot tallyui\/connector-shopify
Kilbot tallyui\/connector-vendure
Kilbot tallyui\/connector-woocommerce
Kilbot tallyui\/core
Kilbot tallyui\/database
Kilbot tallyui\/pos
Kilbot tallyui\/storage-sqlite
Kilbot tallyui\/theme
Linuxfoundation
Linuxfoundation opensearch
Matheuspergoli
Matheuspergoli draftauth\/client
Matheuspergoli draftauth\/core
Matheuspergoli draftlab\/auth
Matheuspergoli draftlab\/auth-router
Matheuspergoli draftlab\/db
Matheuspergoli simple Type-safe Actions
Mesa
Mesa mesadev\/rest
Mesa mesadev\/saguaro
Mesa mesadev\/sdk
Mistral
Mistral mistralai
Mistral mistralai\/mistralai
Mistral mistralai\/mistralai-azure
Mistral mistralai\/mistralai-gcp
Multiagentcognition
Multiagentcognition cmux-agent-mcp
Neilcochran
Neilcochran cross-stitch
Neilcochran squawk\/airports
Neilcochran squawk\/airspace
Neilcochran squawk\/airspace-data
Neilcochran squawk\/airway-data
Neilcochran squawk\/airways
Neilcochran squawk\/fix-data
Neilcochran squawk\/fixes
Neilcochran squawk\/flight-math
Neilcochran squawk\/flightplan
Neilcochran squawk\/geo
Neilcochran squawk\/icao-registry
Neilcochran squawk\/icao-registry-data
Neilcochran squawk\/mcp
Neilcochran squawk\/navaid-data
Neilcochran squawk\/navaids
Neilcochran squawk\/notams
Neilcochran squawk\/procedure-data
Neilcochran squawk\/procedures
Neilcochran squawk\/types
Neilcochran squawk\/units
Neilcochran squawk\/weather
Neilcochran ts-dna
Neilcochran wot-api
Uipath
Uipath uipath\/access-policy-sdk
Uipath uipath\/access-policy-tool
Uipath uipath\/admin-tool
Uipath uipath\/agent-sdk
Uipath uipath\/agent-tool
Uipath uipath\/agent.sdk
Uipath uipath\/aops-policy-tool
Uipath uipath\/ap-chat
Uipath uipath\/api-workflow-tool
Uipath uipath\/apollo-core
Uipath uipath\/apollo-react
Uipath uipath\/apollo-wind
Uipath uipath\/auth
Uipath uipath\/case-tool
Uipath uipath\/cli
Uipath uipath\/codedagent-tool
Uipath uipath\/codedagents-tool
Uipath uipath\/codedapp-tool
Uipath uipath\/common
Uipath uipath\/context-grounding-tool
Uipath uipath\/data-fabric-tool
Uipath uipath\/docsai-tool
Uipath uipath\/filesystem
Uipath uipath\/flow-tool
Uipath uipath\/functions-tool
Uipath uipath\/gov-tool
Uipath uipath\/identity-tool
Uipath uipath\/insights-sdk
Uipath uipath\/insights-tool
Uipath uipath\/integrationservice-sdk
Uipath uipath\/integrationservice-tool
Uipath uipath\/llmgw-tool
Uipath uipath\/maestro-sdk
Uipath uipath\/maestro-tool
Uipath uipath\/orchestrator-tool
Uipath uipath\/packager-tool-apiworkflow
Uipath uipath\/packager-tool-bpmn
Uipath uipath\/packager-tool-case
Uipath uipath\/packager-tool-connector
Uipath uipath\/packager-tool-flow
Uipath uipath\/packager-tool-functions
Uipath uipath\/packager-tool-webapp
Uipath uipath\/packager-tool-workflowcompiler
Uipath uipath\/packager-tool-workflowcompiler-browser
Uipath uipath\/platform-tool
Uipath uipath\/project-packager
Uipath uipath\/resource-tool
Uipath uipath\/resourcecatalog-tool
Uipath uipath\/resources-tool
Uipath uipath\/robot
Uipath uipath\/rpa-legacy-tool
Uipath uipath\/rpa-tool
Uipath uipath\/solution-packager
Uipath uipath\/solution-tool
Uipath uipath\/solutionpackager-sdk
Uipath uipath\/solutionpackager-tool-core
Uipath uipath\/tasks-tool
Uipath uipath\/telemetry
Uipath uipath\/test-manager-tool
Uipath uipath\/tool-workflowcompiler
Uipath uipath\/traces-tool
Uipath uipath\/ui-widgets-multi-file-upload
Uipath uipath\/uipath-python-bridge
Uipath uipath\/vertical-solutions-tool
Uipath uipath\/vss
Uipath uipath\/widget.sdk
CPEs cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.5:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.6:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.5:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.6:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.24:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.25:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.26:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.27:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.28:*:*:*:*:node.js:*:*
cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.29:*:*:*:*:node.js:*:*
cpe:2.3:a:agentworkhq:agentwork-cli:0.1.4:*:*:*:*:node.js:*:*
cpe:2.3:a:agentworkhq:agentwork-cli:0.1.5:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.5:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.10:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.11:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.12:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.13:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.14:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.15:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.16:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.17:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.19:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.2:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.3:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.4:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.5:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.6:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.7:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.8:*:*:*:*:node.js:*:*
cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.9:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git-git-git:1.0.10:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git-git-git:1.0.12:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git-git-git:1.0.8:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git-git-git:1.0.9:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git_branch_selector:1.3.3:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git_branch_selector:1.3.4:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git_branch_selector:1.3.5:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:git_branch_selector:1.3.7:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:nextmove-mcp:0.1.3:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:nextmove-mcp:0.1.4:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:nextmove-mcp:0.1.5:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:nextmove-mcp:0.1.7:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:tolka\/cli:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:tolka\/cli:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:tolka\/cli:1.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:christianalares:tolka\/cli:1.0.6:*:*:*:*:node.js:*:*
cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.2:*:*:*:*:node.js:*:*
cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.3:*:*:*:*:node.js:*:*
cpe:2.3:a:guardrailsai:guardrails_ai:0.10.1:*:*:*:*:python:*:*
cpe:2.3:a:kilbot:tallyui\/components:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/components:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/components:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/core:0.2.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/core:0.2.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/core:0.2.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/database:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/database:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/database:1.0.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/pos:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/pos:0.1.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/pos:0.1.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.3:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/theme:0.2.1:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/theme:0.2.2:*:*:*:*:node.js:*:*
cpe:2.3:a:kilbot:tallyui\/theme:0.2.3:*:*:*:*:node.js:*:*
cpe:2.3:a:linuxfoundation:opensearch:3.6.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.1:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.1:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.1:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.1:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.1:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.2:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.3:*:*:*:*:node.js:*:*
cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.4:*:*:*:*:node.js:*:*
cpe:2.3:a:mesa:mesadev\/rest:0.28.3:*:*:*:*:node.js:*:*
cpe:2.3:a:mesa:mesadev\/saguaro:0.4.22:*:*:*:*:node.js:*:*
cpe:2.3:a:mesa:mesadev\/sdk:0.28.3:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai:2.4.6:*:*:*:*:python:*:*
cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.2:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.3:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.2:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.3:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai\/mistralai:2.2.3:*:*:*:*:node.js:*:*
cpe:2.3:a:mistral:mistralai\/mistralai:2.2.4:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.3:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.4:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.5:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.6:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.7:*:*:*:*:node.js:*:*
cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.8:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:cross-stitch:1.1.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:cross-stitch:1.1.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:cross-stitch:1.1.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airports:0.6.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airports:0.6.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airports:0.6.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace:0.8.1:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace:0.8.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airspace:0.8.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airways:0.4.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airways:0.4.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/airways:0.4.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fixes:0.3.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fixes:0.3.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/fixes:0.3.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/geo:0.4.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/geo:0.4.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/geo:0.4.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/mcp:0.9.1:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/mcp:0.9.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/mcp:0.9.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaids:0.4.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaids:0.4.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/navaids:0.4.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/notams:0.3.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/notams:0.3.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/notams:0.3.9:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedures:0.5.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedures:0.5.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/procedures:0.5.5:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/types:0.8.1:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/types:0.8.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/types:0.8.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/units:0.4.3:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/units:0.4.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/units:0.4.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/weather:0.5.6:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/weather:0.5.7:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:squawk\/weather:0.5.9:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:ts-dna:3.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:ts-dna:3.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:ts-dna:3.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:wot-api:0.8.1:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:wot-api:0.8.2:*:*:*:*:node.js:*:*
cpe:2.3:a:neilcochran:wot-api:0.8.4:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/access-policy-sdk:0.3.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/access-policy-tool:0.3.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/admin-tool:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/agent-sdk:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/agent-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/agent.sdk:0.0.18:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/aops-policy-tool:0.3.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/ap-chat:1.5.7:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/api-workflow-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/apollo-core:5.9.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/apollo-react:4.24.5:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/apollo-wind:2.16.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/auth:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/case-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/cli:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/codedagent-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/codedagents-tool:0.1.12:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/codedapp-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/common:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/context-grounding-tool:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/data-fabric-tool:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/docsai-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/filesystem:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/flow-tool:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/functions-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/gov-tool:0.3.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/identity-tool:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/insights-sdk:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/insights-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/integrationservice-sdk:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/integrationservice-tool:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/llmgw-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/maestro-sdk:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/maestro-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/orchestrator-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-apiworkflow:0.0.19:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-bpmn:0.0.9:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-case:0.0.9:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-connector:0.0.19:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-flow:0.0.19:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-functions:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-webapp:1.0.6:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler-browser:0.0.34:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler:0.0.16:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/platform-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/project-packager:1.1.16:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/resource-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/resourcecatalog-tool:0.1.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/resources-tool:0.1.11:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/robot:1.3.4:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/rpa-legacy-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/rpa-tool:0.9.5:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/solution-packager:0.0.35:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/solution-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/solutionpackager-sdk:1.0.11:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/solutionpackager-tool-core:0.0.34:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/tasks-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/telemetry:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/test-manager-tool:1.0.2:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/tool-workflowcompiler:0.0.12:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/traces-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/ui-widgets-multi-file-upload:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/uipath-python-bridge:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/vertical-solutions-tool:1.0.1:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/vss:0.1.6:*:*:*:*:node.js:*:*
cpe:2.3:a:uipath:uipath\/widget.sdk:1.2.3:*:*:*:*:node.js:*:*
Vendors & Products Abhishake1
Abhishake1 supersurkhet\/cli
Abhishake1 supersurkhet\/sdk
Abhishake1 taskflow-corp\/cli
Agentworkhq
Agentworkhq agentwork-cli
Antoinebcx
Antoinebcx ml-toolkit-ts
Antoinebcx ml-toolkit-ts\/preprocessing
Antoinebcx ml-toolkit-ts\/xgboost
Beproduct
Beproduct beproduct\/nestjs-auth
Christianalares
Christianalares git-git-git
Christianalares git Branch Selector
Christianalares nextmove-mcp
Christianalares tolka\/cli
Dirigible
Dirigible dirigible-ai\/sdk
Guardrailsai
Guardrailsai guardrails Ai
Kilbot
Kilbot tallyui\/components
Kilbot tallyui\/connector-medusa
Kilbot tallyui\/connector-shopify
Kilbot tallyui\/connector-vendure
Kilbot tallyui\/connector-woocommerce
Kilbot tallyui\/core
Kilbot tallyui\/database
Kilbot tallyui\/pos
Kilbot tallyui\/storage-sqlite
Kilbot tallyui\/theme
Linuxfoundation
Linuxfoundation opensearch
Matheuspergoli
Matheuspergoli draftauth\/client
Matheuspergoli draftauth\/core
Matheuspergoli draftlab\/auth
Matheuspergoli draftlab\/auth-router
Matheuspergoli draftlab\/db
Matheuspergoli simple Type-safe Actions
Mesa
Mesa mesadev\/rest
Mesa mesadev\/saguaro
Mesa mesadev\/sdk
Mistral
Mistral mistralai
Mistral mistralai\/mistralai
Mistral mistralai\/mistralai-azure
Mistral mistralai\/mistralai-gcp
Multiagentcognition
Multiagentcognition cmux-agent-mcp
Neilcochran
Neilcochran cross-stitch
Neilcochran squawk\/airports
Neilcochran squawk\/airspace
Neilcochran squawk\/airspace-data
Neilcochran squawk\/airway-data
Neilcochran squawk\/airways
Neilcochran squawk\/fix-data
Neilcochran squawk\/fixes
Neilcochran squawk\/flight-math
Neilcochran squawk\/flightplan
Neilcochran squawk\/geo
Neilcochran squawk\/icao-registry
Neilcochran squawk\/icao-registry-data
Neilcochran squawk\/mcp
Neilcochran squawk\/navaid-data
Neilcochran squawk\/navaids
Neilcochran squawk\/notams
Neilcochran squawk\/procedure-data
Neilcochran squawk\/procedures
Neilcochran squawk\/types
Neilcochran squawk\/units
Neilcochran squawk\/weather
Neilcochran ts-dna
Neilcochran wot-api
Uipath
Uipath uipath\/access-policy-sdk
Uipath uipath\/access-policy-tool
Uipath uipath\/admin-tool
Uipath uipath\/agent-sdk
Uipath uipath\/agent-tool
Uipath uipath\/agent.sdk
Uipath uipath\/aops-policy-tool
Uipath uipath\/ap-chat
Uipath uipath\/api-workflow-tool
Uipath uipath\/apollo-core
Uipath uipath\/apollo-react
Uipath uipath\/apollo-wind
Uipath uipath\/auth
Uipath uipath\/case-tool
Uipath uipath\/cli
Uipath uipath\/codedagent-tool
Uipath uipath\/codedagents-tool
Uipath uipath\/codedapp-tool
Uipath uipath\/common
Uipath uipath\/context-grounding-tool
Uipath uipath\/data-fabric-tool
Uipath uipath\/docsai-tool
Uipath uipath\/filesystem
Uipath uipath\/flow-tool
Uipath uipath\/functions-tool
Uipath uipath\/gov-tool
Uipath uipath\/identity-tool
Uipath uipath\/insights-sdk
Uipath uipath\/insights-tool
Uipath uipath\/integrationservice-sdk
Uipath uipath\/integrationservice-tool
Uipath uipath\/llmgw-tool
Uipath uipath\/maestro-sdk
Uipath uipath\/maestro-tool
Uipath uipath\/orchestrator-tool
Uipath uipath\/packager-tool-apiworkflow
Uipath uipath\/packager-tool-bpmn
Uipath uipath\/packager-tool-case
Uipath uipath\/packager-tool-connector
Uipath uipath\/packager-tool-flow
Uipath uipath\/packager-tool-functions
Uipath uipath\/packager-tool-webapp
Uipath uipath\/packager-tool-workflowcompiler
Uipath uipath\/packager-tool-workflowcompiler-browser
Uipath uipath\/platform-tool
Uipath uipath\/project-packager
Uipath uipath\/resource-tool
Uipath uipath\/resourcecatalog-tool
Uipath uipath\/resources-tool
Uipath uipath\/robot
Uipath uipath\/rpa-legacy-tool
Uipath uipath\/rpa-tool
Uipath uipath\/solution-packager
Uipath uipath\/solution-tool
Uipath uipath\/solutionpackager-sdk
Uipath uipath\/solutionpackager-tool-core
Uipath uipath\/tasks-tool
Uipath uipath\/telemetry
Uipath uipath\/test-manager-tool
Uipath uipath\/tool-workflowcompiler
Uipath uipath\/traces-tool
Uipath uipath\/ui-widgets-multi-file-upload
Uipath uipath\/uipath-python-bridge
Uipath uipath\/vertical-solutions-tool
Uipath uipath\/vss
Uipath uipath\/widget.sdk

Wed, 27 May 2026 19:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 17:45:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-05-27T00:00:00+00:00', 'dueDate': '2026-06-10T00:00:00+00:00'}

Thu, 14 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Tanstack tanstack\/arktype-adapter
Tanstack tanstack\/eslint-plugin-router
Tanstack tanstack\/eslint-plugin-start
Tanstack tanstack\/history
Tanstack tanstack\/nitro-v2-vite-plugin
Tanstack tanstack\/react-router
Tanstack tanstack\/react-router-devtools
Tanstack tanstack\/react-router-ssr-query
Tanstack tanstack\/react-start
Tanstack tanstack\/react-start-client
Tanstack tanstack\/react-start-rsc
Tanstack tanstack\/react-start-server
Tanstack tanstack\/router-cli
Tanstack tanstack\/router-core
Tanstack tanstack\/router-devtools
Tanstack tanstack\/router-devtools-core
Tanstack tanstack\/router-generator
Tanstack tanstack\/router-plugin
Tanstack tanstack\/router-ssr-query-core
Tanstack tanstack\/router-utils
Tanstack tanstack\/router-vite-plugin
Tanstack tanstack\/solid-router
Tanstack tanstack\/solid-router-devtools
Tanstack tanstack\/solid-router-ssr-query
Tanstack tanstack\/solid-start
Tanstack tanstack\/solid-start-client
Tanstack tanstack\/solid-start-server
Tanstack tanstack\/start-client-core
Tanstack tanstack\/start-fn-stubs
Tanstack tanstack\/start-plugin-core
Tanstack tanstack\/start-server-core
Tanstack tanstack\/start-static-server-functions
Tanstack tanstack\/start-storage-context
Tanstack tanstack\/valibot-adapter
Tanstack tanstack\/virtual-file-routes
Tanstack tanstack\/vue-router
Tanstack tanstack\/vue-router-devtools
Tanstack tanstack\/vue-router-ssr-query
Tanstack tanstack\/vue-start
Tanstack tanstack\/vue-start-client
Tanstack tanstack\/vue-start-server
Tanstack tanstack\/zod-adapter
CPEs cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/history:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/history:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:*:*:*:*:node.js:*:*
Vendors & Products Tanstack tanstack\/arktype-adapter
Tanstack tanstack\/eslint-plugin-router
Tanstack tanstack\/eslint-plugin-start
Tanstack tanstack\/history
Tanstack tanstack\/nitro-v2-vite-plugin
Tanstack tanstack\/react-router
Tanstack tanstack\/react-router-devtools
Tanstack tanstack\/react-router-ssr-query
Tanstack tanstack\/react-start
Tanstack tanstack\/react-start-client
Tanstack tanstack\/react-start-rsc
Tanstack tanstack\/react-start-server
Tanstack tanstack\/router-cli
Tanstack tanstack\/router-core
Tanstack tanstack\/router-devtools
Tanstack tanstack\/router-devtools-core
Tanstack tanstack\/router-generator
Tanstack tanstack\/router-plugin
Tanstack tanstack\/router-ssr-query-core
Tanstack tanstack\/router-utils
Tanstack tanstack\/router-vite-plugin
Tanstack tanstack\/solid-router
Tanstack tanstack\/solid-router-devtools
Tanstack tanstack\/solid-router-ssr-query
Tanstack tanstack\/solid-start
Tanstack tanstack\/solid-start-client
Tanstack tanstack\/solid-start-server
Tanstack tanstack\/start-client-core
Tanstack tanstack\/start-fn-stubs
Tanstack tanstack\/start-plugin-core
Tanstack tanstack\/start-server-core
Tanstack tanstack\/start-static-server-functions
Tanstack tanstack\/start-storage-context
Tanstack tanstack\/valibot-adapter
Tanstack tanstack\/virtual-file-routes
Tanstack tanstack\/vue-router
Tanstack tanstack\/vue-router-devtools
Tanstack tanstack\/vue-router-ssr-query
Tanstack tanstack\/vue-start
Tanstack tanstack\/vue-start-client
Tanstack tanstack\/vue-start-server
Tanstack tanstack\/zod-adapter

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
References

Tue, 12 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tanstack
Tanstack arktype-adapter
Tanstack eslint-plugin-router
Tanstack eslint-plugin-start
Tanstack history
Tanstack nitro-v2-vite-plugin
Tanstack outer-vite-plugin
Tanstack react-router
Tanstack react-router-devtools
Tanstack react-router-ssr-query
Tanstack react-start
Tanstack react-start-client
Tanstack react-start-rsc
Tanstack react-start-server
Tanstack router-cli
Tanstack router-core
Tanstack router-devtools
Tanstack router-devtools-core
Tanstack router-generator
Tanstack router-plugin
Tanstack router-ssr-query-core
Tanstack router-utils
Tanstack solid-router
Tanstack solid-router-devtools
Tanstack solid-router-ssr-query
Tanstack solid-start
Tanstack solid-start-client
Tanstack solid-start-server
Tanstack start-client-core
Tanstack start-fn-stubs
Tanstack start-plugin-core
Tanstack start-server-core
Tanstack start-static-server-functions
Tanstack start-storage-context
Tanstack valibot-adapter
Tanstack virtual-file-routes
Tanstack vue-router
Tanstack vue-router-devtools
Tanstack vue-router-ssr-query
Tanstack vue-start
Tanstack vue-start-client
Tanstack vue-start-server
Tanstack zod-adapter
Vendors & Products Tanstack
Tanstack arktype-adapter
Tanstack eslint-plugin-router
Tanstack eslint-plugin-start
Tanstack history
Tanstack nitro-v2-vite-plugin
Tanstack outer-vite-plugin
Tanstack react-router
Tanstack react-router-devtools
Tanstack react-router-ssr-query
Tanstack react-start
Tanstack react-start-client
Tanstack react-start-rsc
Tanstack react-start-server
Tanstack router-cli
Tanstack router-core
Tanstack router-devtools
Tanstack router-devtools-core
Tanstack router-generator
Tanstack router-plugin
Tanstack router-ssr-query-core
Tanstack router-utils
Tanstack solid-router
Tanstack solid-router-devtools
Tanstack solid-router-ssr-query
Tanstack solid-start
Tanstack solid-start-client
Tanstack solid-start-server
Tanstack start-client-core
Tanstack start-fn-stubs
Tanstack start-plugin-core
Tanstack start-server-core
Tanstack start-static-server-functions
Tanstack start-storage-context
Tanstack valibot-adapter
Tanstack virtual-file-routes
Tanstack vue-router
Tanstack vue-router-devtools
Tanstack vue-router-ssr-query
Tanstack vue-start
Tanstack vue-start-client
Tanstack vue-start-server
Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Title Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Weaknesses CWE-506
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Abhishake1 Supersurkhet\/cli Supersurkhet\/sdk Taskflow-corp\/cli
Agentworkhq Agentwork-cli
Antoinebcx Ml-toolkit-ts Ml-toolkit-ts\/preprocessing Ml-toolkit-ts\/xgboost
Beproduct Beproduct\/nestjs-auth
Christianalares Git-git-git Git Branch Selector Nextmove-mcp Tolka\/cli
Dirigible Dirigible-ai\/sdk
Guardrailsai Guardrails Ai
Kilbot Tallyui\/components Tallyui\/connector-medusa Tallyui\/connector-shopify Tallyui\/connector-vendure Tallyui\/connector-woocommerce Tallyui\/core Tallyui\/database Tallyui\/pos Tallyui\/storage-sqlite Tallyui\/theme
Linuxfoundation Opensearch
Matheuspergoli Draftauth\/client Draftauth\/core Draftlab\/auth Draftlab\/auth-router Draftlab\/db Simple Type-safe Actions
Mesa Mesadev\/rest Mesadev\/saguaro Mesadev\/sdk
Mistral Mistralai Mistralai\/mistralai Mistralai\/mistralai-azure Mistralai\/mistralai-gcp
Multiagentcognition Cmux-agent-mcp
Neilcochran Cross-stitch Squawk\/airports Squawk\/airspace Squawk\/airspace-data Squawk\/airway-data Squawk\/airways Squawk\/fix-data Squawk\/fixes Squawk\/flight-math Squawk\/flightplan Squawk\/geo Squawk\/icao-registry Squawk\/icao-registry-data Squawk\/mcp Squawk\/navaid-data Squawk\/navaids Squawk\/notams Squawk\/procedure-data Squawk\/procedures Squawk\/types Squawk\/units Squawk\/weather Ts-dna Wot-api
Tanstack Arktype-adapter Eslint-plugin-router Eslint-plugin-start History Nitro-v2-vite-plugin Outer-vite-plugin React-router React-router-devtools React-router-ssr-query React-start React-start-client React-start-rsc React-start-server Router-cli Router-core Router-devtools Router-devtools-core Router-generator Router-plugin Router-ssr-query-core Router-utils Solid-router Solid-router-devtools Solid-router-ssr-query Solid-start Solid-start-client Solid-start-server Start-client-core Start-fn-stubs Start-plugin-core Start-server-core Start-static-server-functions Start-storage-context Tanstack\/arktype-adapter Tanstack\/eslint-plugin-router Tanstack\/eslint-plugin-start Tanstack\/history Tanstack\/nitro-v2-vite-plugin Tanstack\/react-router Tanstack\/react-router-devtools Tanstack\/react-router-ssr-query Tanstack\/react-start Tanstack\/react-start-client Tanstack\/react-start-rsc Tanstack\/react-start-server Tanstack\/router-cli Tanstack\/router-core Tanstack\/router-devtools Tanstack\/router-devtools-core Tanstack\/router-generator Tanstack\/router-plugin Tanstack\/router-ssr-query-core Tanstack\/router-utils Tanstack\/router-vite-plugin Tanstack\/solid-router Tanstack\/solid-router-devtools Tanstack\/solid-router-ssr-query Tanstack\/solid-start Tanstack\/solid-start-client Tanstack\/solid-start-server Tanstack\/start-client-core Tanstack\/start-fn-stubs Tanstack\/start-plugin-core Tanstack\/start-server-core Tanstack\/start-static-server-functions Tanstack\/start-storage-context Tanstack\/valibot-adapter Tanstack\/virtual-file-routes Tanstack\/vue-router Tanstack\/vue-router-devtools Tanstack\/vue-router-ssr-query Tanstack\/vue-start Tanstack\/vue-start-client Tanstack\/vue-start-server Tanstack\/zod-adapter Valibot-adapter Virtual-file-routes Vue-router Vue-router-devtools Vue-router-ssr-query Vue-start Vue-start-client Vue-start-server Zod-adapter
Uipath Uipath\/access-policy-sdk Uipath\/access-policy-tool Uipath\/admin-tool Uipath\/agent-sdk Uipath\/agent-tool Uipath\/agent.sdk Uipath\/aops-policy-tool Uipath\/ap-chat Uipath\/api-workflow-tool Uipath\/apollo-core Uipath\/apollo-react Uipath\/apollo-wind Uipath\/auth Uipath\/case-tool Uipath\/cli Uipath\/codedagent-tool Uipath\/codedagents-tool Uipath\/codedapp-tool Uipath\/common Uipath\/context-grounding-tool Uipath\/data-fabric-tool Uipath\/docsai-tool Uipath\/filesystem Uipath\/flow-tool Uipath\/functions-tool Uipath\/gov-tool Uipath\/identity-tool Uipath\/insights-sdk Uipath\/insights-tool Uipath\/integrationservice-sdk Uipath\/integrationservice-tool Uipath\/llmgw-tool Uipath\/maestro-sdk Uipath\/maestro-tool Uipath\/orchestrator-tool Uipath\/packager-tool-apiworkflow Uipath\/packager-tool-bpmn Uipath\/packager-tool-case Uipath\/packager-tool-connector Uipath\/packager-tool-flow Uipath\/packager-tool-functions Uipath\/packager-tool-webapp Uipath\/packager-tool-workflowcompiler Uipath\/packager-tool-workflowcompiler-browser Uipath\/platform-tool Uipath\/project-packager Uipath\/resource-tool Uipath\/resourcecatalog-tool Uipath\/resources-tool Uipath\/robot Uipath\/rpa-legacy-tool Uipath\/rpa-tool Uipath\/solution-packager Uipath\/solution-tool Uipath\/solutionpackager-sdk Uipath\/solutionpackager-tool-core Uipath\/tasks-tool Uipath\/telemetry Uipath\/test-manager-tool Uipath\/tool-workflowcompiler Uipath\/traces-tool Uipath\/ui-widgets-multi-file-upload Uipath\/uipath-python-bridge Uipath\/vertical-solutions-tool Uipath\/vss Uipath\/widget.sdk
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T03:55:26.991Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

cve-icon Vulnrichment

Updated: 2026-05-12T13:21:29.648Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T01:16:46.820

Modified: 2026-05-29T19:41:37.437

Link: CVE-2026-45321

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T14:45:25Z

Weaknesses