CVE-2026-45321 Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

🗓️ 12 May 2026 00:12:35Reported by GitHub_MType

Malware exfiltrates cloud credentials and tokens via 84 TanStack packages on npm using OIDC.

Reporter	Title	Published	Views	Family All 183
GithubExploit	Exploit for Embedded Malicious Code in Tanstack Tanstack\/Arktype-Adapter	25 May 202615:34	–	githubexploit
GithubExploit	Exploit for Embedded Malicious Code in Tanstack Tanstack\/Arktype-Adapter	18 May 202609:16	–	githubexploit
ATTACKERKB	CVE-2026-45321	12 May 202600:12	–	attackerkb
Circl	CVE-2026-45321	12 May 202612:20	–	circl
CISA KEV Catalog	TanStack Unspecified Vulnerability	27 May 202600:00	–	cisa_kev
CISA	CISA Adds Three Known Exploited Vulnerabilities to Catalog	27 May 202612:00	–	cisa
CNNVD	TanStack Query 安全漏洞	12 May 202600:00	–	cnnvd
CVE	CVE-2026-45321	12 May 202600:12	–	cve
EUVD	EUVD-2026-29352	12 May 202600:12	–	euvd
Github Security Blog	Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys	12 May 202600:12	–	github

[
  {
    "vendor": "@tanstack",
    "product": "arktype-adapter",
    "versions": [
      {
        "version": "1.166.12",
        "status": "affected"
      },
      {
        "version": "1.166.15",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "eslint-plugin-router",
    "versions": [
      {
        "version": "1.161.9",
        "status": "affected"
      },
      {
        "version": "1.161.12",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "eslint-plugin-start",
    "versions": [
      {
        "version": "0.0.4",
        "status": "affected"
      },
      {
        "version": "0.0.7",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "history",
    "versions": [
      {
        "version": "1.161.9",
        "status": "affected"
      },
      {
        "version": "1.161.12",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "nitro-v2-vite-plugin",
    "versions": [
      {
        "version": "1.154.12",
        "status": "affected"
      },
      {
        "version": "1.154.15",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-router",
    "versions": [
      {
        "version": "1.169.5",
        "status": "affected"
      },
      {
        "version": "1.169.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-router-devtools",
    "versions": [
      {
        "version": "1.166.16",
        "status": "affected"
      },
      {
        "version": "1.166.19",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-router-ssr-query",
    "versions": [
      {
        "version": "1.166.15",
        "status": "affected"
      },
      {
        "version": "1.166.18",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-start",
    "versions": [
      {
        "version": "1.167.68",
        "status": "affected"
      },
      {
        "version": "1.167.71",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-start-client",
    "versions": [
      {
        "version": "1.166.51",
        "status": "affected"
      },
      {
        "version": "1.166.54",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-start-rsc",
    "versions": [
      {
        "version": "0.0.47",
        "status": "affected"
      },
      {
        "version": "0.0.50",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "react-start-server",
    "versions": [
      {
        "version": "1.166.55",
        "status": "affected"
      },
      {
        "version": "1.166.58",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-cli",
    "versions": [
      {
        "version": "1.166.46",
        "status": "affected"
      },
      {
        "version": "1.166.49",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-core",
    "versions": [
      {
        "version": "1.169.5",
        "status": "affected"
      },
      {
        "version": "1.169.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-devtools",
    "versions": [
      {
        "version": "1.166.16",
        "status": "affected"
      },
      {
        "version": "1.166.19",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-devtools-core",
    "versions": [
      {
        "version": "1.167.6",
        "status": "affected"
      },
      {
        "version": "1.167.9",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-generator",
    "versions": [
      {
        "version": "1.166.45",
        "status": "affected"
      },
      {
        "version": "1.166.48",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-plugin",
    "versions": [
      {
        "version": "1.167.38",
        "status": "affected"
      },
      {
        "version": "1.167.41",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-ssr-query-core",
    "versions": [
      {
        "version": "1.168.3",
        "status": "affected"
      },
      {
        "version": "1.168.6",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "router-utils",
    "versions": [
      {
        "version": "1.161.11",
        "status": "affected"
      },
      {
        "version": "1.161.14",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "outer-vite-plugin",
    "versions": [
      {
        "version": "1.166.53",
        "status": "affected"
      },
      {
        "version": "1.166.56",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-router",
    "versions": [
      {
        "version": "1.169.5",
        "status": "affected"
      },
      {
        "version": "1.169.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-router-devtools",
    "versions": [
      {
        "version": "1.166.16",
        "status": "affected"
      },
      {
        "version": "1.166.19",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-router-ssr-query",
    "versions": [
      {
        "version": "1.166.15",
        "status": "affected"
      },
      {
        "version": "1.166.18",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-start",
    "versions": [
      {
        "version": "1.167.65",
        "status": "affected"
      },
      {
        "version": "1.167.68",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-start-client",
    "versions": [
      {
        "version": "1.166.50",
        "status": "affected"
      },
      {
        "version": "1.166.53",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "solid-start-server",
    "versions": [
      {
        "version": "1.166.54",
        "status": "affected"
      },
      {
        "version": "1.166.57",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-client-core",
    "versions": [
      {
        "version": "1.168.5",
        "status": "affected"
      },
      {
        "version": "1.168.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-fn-stubs",
    "versions": [
      {
        "version": "1.161.9",
        "status": "affected"
      },
      {
        "version": "1.161.12",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-plugin-core",
    "versions": [
      {
        "version": "1.169.23",
        "status": "affected"
      },
      {
        "version": "1.169.26",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-server-core",
    "versions": [
      {
        "version": "1.167.33",
        "status": "affected"
      },
      {
        "version": "1.167.36",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-static-server-functions",
    "versions": [
      {
        "version": "1.166.44",
        "status": "affected"
      },
      {
        "version": "1.166.47",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "start-storage-context",
    "versions": [
      {
        "version": "1.166.38",
        "status": "affected"
      },
      {
        "version": "1.166.41",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "valibot-adapter",
    "versions": [
      {
        "version": "1.166.12",
        "status": "affected"
      },
      {
        "version": "1.166.15",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "virtual-file-routes",
    "versions": [
      {
        "version": "1.161.10",
        "status": "affected"
      },
      {
        "version": "1.161.13",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-router",
    "versions": [
      {
        "version": "1.169.5",
        "status": "affected"
      },
      {
        "version": "1.169.8",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-router-devtools",
    "versions": [
      {
        "version": "1.166.16",
        "status": "affected"
      },
      {
        "version": "1.166.19",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-router-ssr-query",
    "versions": [
      {
        "version": "1.166.15",
        "status": "affected"
      },
      {
        "version": "1.166.18",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-start",
    "versions": [
      {
        "version": "1.167.61",
        "status": "affected"
      },
      {
        "version": "1.167.64",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-start-client",
    "versions": [
      {
        "version": "1.166.46",
        "status": "affected"
      },
      {
        "version": "1.166.49",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "vue-start-server",
    "versions": [
      {
        "version": "1.166.50",
        "status": "affected"
      },
      {
        "version": "1.166.53",
        "status": "affected"
      }
    ]
  },
  {
    "vendor": "@tanstack",
    "product": "zod-adapter",
    "versions": [
      {
        "version": "1.166.12",
        "status": "affected"
      },
      {
        "version": "1.166.15",
        "status": "affected"
      }
    ]
  }
]

Source	Link
tanstack	www.tanstack.com/blog/npm-supply-chain-compromise-postmortem
github	www.github.com/TanStack/router/issues/7383
github	www.github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
stepsecurity	www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

12 May 2026 15:16Current

CVSS 3.19.6

EPSS0.17051

CWE-506