-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security

Vulnerability Details

Registries

Custom Views

Weaknesses

Attack Patterns

Filters & Tools

uipath\/solution-packager

Source -

NVD

CNA CVEs -

0

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

1

Related CVEs Related Vendors Related Assigners Reports

1Vulnerabilities found

Assigner-GitHub, Inc.

Assigner-GitHub, Inc.

CVSS Score-9.6||CRITICAL

EPSS-17.05% / 95.12%

||

7 Day CHG~0.00%

Published-12 May, 2026 | 00:12

Updated-29 May, 2026 | 19:41

Rejected-Not Available

Known To Be Used In Ransomware Campaigns?-Not Available

KEV Added-Not Available

KEV Action Due Date-Not Available

Known KEV||Action Due Date - 2026-06-10||Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Action-Not Available

Vendor-matheuspergoli guardrailsai dirigible mesa kilbot mistral agentworkhq beproduct tanstack multiagentcognition antoinebcx neilcochran abhishake1 uipath christianalares @tanstack TanStack The Linux Foundation

Product-tallyui\/connector-shopify tanstack\/vue-start-client squawk\/types uipath\/access-policy-tool uipath\/packager-tool-apiworkflow guardrails_ai squawk\/airports git-git-git uipath\/packager-tool-flow squawk\/geo squawk\/mcp opensearch uipath\/rpa-tool tanstack\/virtual-file-routes uipath\/identity-tool uipath\/robot tanstack\/start-static-server-functions squawk\/airways tolka\/cli tallyui\/connector-woocommerce mesadev\/saguaro uipath\/admin-tool tanstack\/router-cli git_branch_selector tanstack\/nitro-v2-vite-plugin uipath\/solution-packager uipath\/data-fabric-tool tanstack\/history cmux-agent-mcp supersurkhet\/sdk tanstack\/arktype-adapter taskflow-corp\/cli uipath\/test-manager-tool squawk\/notams uipath\/orchestrator-tool tanstack\/react-router-ssr-query tanstack\/vue-start-server tanstack\/router-devtools-core dirigible-ai\/sdk tanstack\/react-start tanstack\/vue-start tallyui\/connector-vendure squawk\/fixes squawk\/units mesadev\/sdk tanstack\/router-devtools ml-toolkit-ts\/preprocessing tallyui\/storage-sqlite tanstack\/react-router-devtools draftauth\/core uipath\/auth uipath\/packager-tool-bpmn uipath\/packager-tool-workflowcompiler uipath\/tool-workflowcompiler squawk\/procedure-data tanstack\/solid-start tanstack\/router-core uipath\/codedagent-tool uipath\/case-tool tallyui\/connector-medusa mistralai tanstack\/start-client-core uipath\/widget.sdk uipath\/rpa-legacy-tool draftlab\/auth-router mistralai\/mistralai-azure tanstack\/react-start-client tanstack\/router-generator uipath\/functions-tool draftlab\/db uipath\/apollo-core tanstack\/react-start-server uipath\/insights-tool uipath\/solution-tool uipath\/packager-tool-workflowcompiler-browser tanstack\/vue-router-ssr-query supersurkhet\/cli squawk\/icao-registry-data squawk\/navaids tanstack\/solid-router-ssr-query uipath\/uipath-python-bridge uipath\/maestro-tool squawk\/fix-data tallyui\/components uipath\/solutionpackager-tool-core tanstack\/solid-start-server uipath\/packager-tool-functions ts-dna tanstack\/router-plugin tanstack\/router-utils tanstack\/valibot-adapter squawk\/airspace-data wot-api tanstack\/eslint-plugin-router uipath\/packager-tool-connector uipath\/solutionpackager-sdk uipath\/apollo-wind squawk\/flight-math tanstack\/vue-router-devtools tanstack\/start-fn-stubs cross-stitch uipath\/insights-sdk agentwork-cli tanstack\/eslint-plugin-start uipath\/resourcecatalog-tool uipath\/agent.sdk uipath\/integrationservice-sdk ml-toolkit-ts\/xgboost uipath\/gov-tool ml-toolkit-ts uipath\/telemetry uipath\/project-packager tanstack\/start-server-core uipath\/resources-tool tanstack\/vue-router tanstack\/start-plugin-core uipath\/packager-tool-webapp uipath\/tasks-tool tallyui\/pos draftauth\/client tanstack\/react-router mistralai\/mistralai uipath\/ui-widgets-multi-file-upload squawk\/navaid-data uipath\/codedagents-tool tanstack\/router-vite-plugin uipath\/integrationservice-tool uipath\/llmgw-tool uipath\/codedapp-tool nextmove-mcp uipath\/resource-tool uipath\/agent-sdk mesadev\/rest uipath\/vss uipath\/common uipath\/cli mistralai\/mistralai-gcp uipath\/access-policy-sdk squawk\/airspace uipath\/filesystem uipath\/traces-tool tanstack\/solid-router-devtools uipath\/docsai-tool uipath\/flow-tool tallyui\/theme tanstack\/router-ssr-query-core uipath\/api-workflow-tool uipath\/maestro-sdk uipath\/vertical-solutions-tool uipath\/packager-tool-case uipath\/apollo-react tanstack\/zod-adapter tanstack\/start-storage-context draftlab\/auth uipath\/ap-chat uipath\/platform-tool tanstack\/solid-start-client squawk\/procedures tanstack\/react-start-rsc uipath\/aops-policy-tool tanstack\/solid-router beproduct\/nestjs-auth squawk\/icao-registry tallyui\/database simple_type-safe_actions tallyui\/core squawk\/airway-data squawk\/weather squawk\/flightplan uipath\/agent-tool uipath\/context-grounding-tool eslint-plugin-start start-storage-context vue-start-client eslint-plugin-router vue-start-server outer-vite-plugin react-start vue-router-ssr-query react-start-client vue-router react-router-ssr-query arktype-adapter solid-router-ssr-query router-devtools-core router-plugin router-core vue-start router-ssr-query-core nitro-v2-vite-plugin solid-router react-start-server router-generator solid-start-server start-server-core zod-adapter virtual-file-routes start-plugin-core valibot-adapter vue-router-devtools router-cli react-router react-router-devtools router-utils start-fn-stubs start-static-server-functions solid-router-devtools solid-start-client history react-start-rsc solid-start start-client-core router-devtools TanStack

CWE ID-CWE-506

Embedded Malicious Code