tanstack%5C%2Freact-start-client

tanstack\/react-start-client

Source -

NVD

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

1Vulnerabilities found

CVE-2026-45321

Assigner-GitHub, Inc.

View Details

Assigner-GitHub, Inc.

CVSS Score-9.6||CRITICAL

EPSS-0.04% / 11.91%

7 Day CHG~0.00%

Published-12 May, 2026 | 00:12

Updated-14 May, 2026 | 17:05

Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Vendor-tanstack @tanstack

Product-tanstack\/react-start-client tanstack\/router-core tanstack\/react-router-devtools tanstack\/solid-start-server tanstack\/start-client-core tanstack\/router-utils tanstack\/router-vite-plugin tanstack\/router-generator tanstack\/router-plugin tanstack\/react-router-ssr-query tanstack\/arktype-adapter tanstack\/router-ssr-query-core tanstack\/router-cli tanstack\/solid-router-devtools tanstack\/eslint-plugin-router tanstack\/vue-router-devtools tanstack\/zod-adapter tanstack\/router-devtools tanstack\/eslint-plugin-start tanstack\/react-start-server tanstack\/vue-start-client tanstack\/start-server-core tanstack\/start-static-server-functions tanstack\/vue-start tanstack\/solid-start tanstack\/react-router tanstack\/solid-router-ssr-query tanstack\/nitro-v2-vite-plugin tanstack\/react-start tanstack\/solid-start-client tanstack\/start-fn-stubs tanstack\/start-storage-context tanstack\/vue-router-ssr-query tanstack\/router-devtools-core tanstack\/solid-router tanstack\/vue-router tanstack\/vue-start-server tanstack\/react-start-rsc tanstack\/history tanstack\/virtual-file-routes tanstack\/start-plugin-core tanstack\/valibot-adapter eslint-plugin-start vue-start-server react-start-client solid-start-client nitro-v2-vite-plugin start-fn-stubs router-ssr-query-core router-core start-plugin-core start-storage-context virtual-file-routes solid-router-ssr-query router-devtools-core react-start-rsc router-utils react-router router-generator outer-vite-plugin router-devtools history react-router-devtools solid-router vue-router-ssr-query eslint-plugin-router zod-adapter solid-start start-server-core vue-router-devtools vue-router vue-start router-cli arktype-adapter start-client-core valibot-adapter start-static-server-functions react-router-ssr-query router-plugin react-start-server vue-start-client solid-router-devtools react-start solid-start-server

CWE ID-CWE-506

Embedded Malicious Code