VYPR

npm package

@tanstack/start-static-server-functions

pkg:npm/%40tanstack/start-static-server-functions

Malware

2 malicious versions on record

One or more versions of this package have been flagged as containing malicious code. Audit any system that installed an affected version.

  • MAL-2026-3491Malicious code in @tanstack/start-static-server-functions (npm)
    May 12, 2026
  • GHSA-r9g7-9xhm-p5qpMalware in @tanstack/start-static-server-functions
    May 12, 2026

Vulnerabilities (1)

  • CVE-2026-45321CriKEVMay 12, 2026
    affected >= 1.166.44, < 1.166.48fixed 1.166.48

    On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publis