Critical severity9.6GHSA Advisory· Published May 12, 2026· Updated May 14, 2026
CVE-2026-45321
CVE-2026-45321
Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Affected products
85cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/history:1.161.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/history:1.161.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/history:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:*:*:*:*:node.js:*:*
cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:*:*:*:*:node.js:*:*+ 1 more
- cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:*:*:*:*:node.js:*:*
- cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:*:*:*:*:node.js:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- tanstack.com/blog/npm-supply-chain-compromise-postmortemnvdExploitVendor Advisory
- www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystemnvdExploitThird Party Advisory
- github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpxnvdMitigationVendor Advisory
- github.com/advisories/GHSA-g7cv-rxg3-hmpxghsaADVISORY
- github.com/TanStack/router/issues/7383nvdIssue Tracking
- nvd.nist.gov/vuln/detail/CVE-2026-45321ghsa
- socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attackghsa
News mentions
1- Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More PackagesThe Hacker News · May 12, 2026