ByteOS Network

NVD Vulnerability Details :

CVE-2026-45321

Analyzed

Source-security-advisories@github.com

Published At-12 May, 2026 | 01:16

Updated At-14 May, 2026 | 17:05

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.6	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Type: Secondary

Version: 3.1

Base score: 9.6

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CPE Matches

tanstack>>tanstack\/arktype-adapter>>1.166.12

cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*

tanstack>>tanstack\/arktype-adapter>>1.166.15

cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:*:*:*:*:node.js:*:*

tanstack>>tanstack\/eslint-plugin-router>>1.161.9

cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:*:*:*:*:node.js:*:*

tanstack>>tanstack\/eslint-plugin-router>>1.161.12

cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:*:*:*:*:node.js:*:*

tanstack>>tanstack\/eslint-plugin-start>>0.0.4

cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*

tanstack>>tanstack\/eslint-plugin-start>>0.0.7

cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:*:*:*:*:node.js:*:*

tanstack>>tanstack\/history>>1.161.9

cpe:2.3:a:tanstack:tanstack\/history:1.161.9:*:*:*:*:node.js:*:*

tanstack>>tanstack\/history>>1.161.12

cpe:2.3:a:tanstack:tanstack\/history:1.161.12:*:*:*:*:node.js:*:*

tanstack>>tanstack\/nitro-v2-vite-plugin>>1.154.12

cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*

tanstack>>tanstack\/nitro-v2-vite-plugin>>1.154.15

cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router>>1.169.5

cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router>>1.169.8

cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router-devtools>>1.166.16

cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router-devtools>>1.166.19

cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router-ssr-query>>1.166.15

cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-router-ssr-query>>1.166.18

cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start>>1.167.68

cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start>>1.167.71

cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-client>>1.166.51

cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-client>>1.166.54

cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-rsc>>0.0.47

cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-rsc>>0.0.50

cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-server>>1.166.55

cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:*:*:*:*:node.js:*:*

tanstack>>tanstack\/react-start-server>>1.166.58

cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-cli>>1.166.46

cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-cli>>1.166.49

cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-core>>1.169.5

cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-core>>1.169.8

cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-devtools>>1.166.16

cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-devtools>>1.166.19

cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-devtools-core>>1.167.6

cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-devtools-core>>1.167.9

cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-generator>>1.166.45

cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-generator>>1.166.48

cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-plugin>>1.167.38

cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-plugin>>1.167.41

cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-ssr-query-core>>1.168.3

cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-ssr-query-core>>1.168.6

cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-utils>>1.161.11

cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-utils>>1.161.14

cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-vite-plugin>>1.166.53

cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:*:*:*:*:node.js:*:*

tanstack>>tanstack\/router-vite-plugin>>1.166.56

cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router>>1.169.5

cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router>>1.169.8

cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router-devtools>>1.166.16

cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router-devtools>>1.166.19

cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router-ssr-query>>1.166.15

cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-router-ssr-query>>1.166.18

cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-start>>1.167.65

cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:*:*:*:*:node.js:*:*

tanstack>>tanstack\/solid-start>>1.167.68

cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:*:*:*:*:node.js:*:*