MAL-2026-3499 Malicious code in @tanstack/vue-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b11c2f37aa0a8c4d809c3136f8f7c227c463f4f8e7a2b4515336b730941dcc4c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@tanstack/vue-start (>=1.141.0 <=1.167.58) potentially affected by unknown CVE via @tanstack/vue-start-client (>=1.141.0 <=1.166.43)

@tanstack/vue-start-client NPM version =1.141.0, =1.141.0, =1.167.58 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3499...

@dxs-ts/eveli-ide (>=0.0.114 <=0.0.115), @genesisailab/admin-package (=0.0.1) +6 more potentially affected by unknown CVE via @tanstack/router-vite-plugin (=1.166.50)

@tanstack/router-vite-plugin NPM version =1.166.50 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/router-vite-plugin and may be impacted: - @dxs-ts/eveli-ide =0.0.114, =0.0.1, =0.19.0, =0.22.13, =1.39.1, =1.39.3 - ezux-showcase =1.1.15 -...

Malicious code in @tanstack/router-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3480 Malicious code in @tanstack/router-vite-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3483 Malicious code in @tanstack/solid-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/solid-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4905d7bb1a4d6f69ec73fe4cc8fa958262fcab1397fed5725ac39db447f6239a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/solid-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/solid-router-devtools (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d97a7cf294a17c17e22c7eead7d3de9f693c5488aecba96129d5b79b52f430de This version falls within the @tanstack/ package family compromised on 2026-05-11. The campaign published 42 packages × 2 versions each with the...

@leeforge/fusion (=0.1.0), @nativescript/tanstack-router (>=0.0.1 <=0.1.2) +6 more potentially affected by unknown CVE via @tanstack/solid-router (>=1.121.0-alpha.28 <=1.169.2)

@tanstack/solid-router NPM version =1.121.0-alpha.28, =0.0.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =1.20.3-alpha.1, =0.1.0, =1.0.15 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3481...

Malicious code in @tanstack/solid-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 79e1b5cf7bf19cbf81420be17e5aad851d9f2e2943848f3a4b295e2ed7a8ed2c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3481 Malicious code in @tanstack/solid-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 79e1b5cf7bf19cbf81420be17e5aad851d9f2e2943848f3a4b295e2ed7a8ed2c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3479 Malicious code in @tanstack/router-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 44bca8f9294a1b6c949228c6741851305336a0b694ce00617c6fcd4b220c30a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/router-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 44bca8f9294a1b6c949228c6741851305336a0b694ce00617c6fcd4b220c30a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@ardeora/start-devtools (>=1.0.0 <=1.0.1), @brendonovich/solidjs__start (>=0.0.0 <=0.0.3) +39 more potentially affected by unknown CVE via @tanstack/router-utils (>=1.121.0-alpha.28 <=1.158.0)

@tanstack/router-utils NPM version =1.121.0-alpha.28, =1.0.0, =0.0.0, =1.0.0, =1.0.11, =0.1.0, =1.1.0, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.111.10, =1.20.3-alpha.1, =1.111.10, =1.111.10, =1.121.0-alpha.28, =1.161.3 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3479...

@alivault/pico (>=0.1.0 <=0.1.2), @argus-vrt/web (=0.1.0) +29 more potentially affected by unknown CVE via @tanstack/router-ssr-query-core (>=1.121.0-alpha.28 <=1.168.0)

@tanstack/router-ssr-query-core NPM version =1.121.0-alpha.28, =0.1.0, =0.0.4, =1.0.0, =0.1.0, =1.121.0-alpha.28, =1.133.19, =1.140.0, =0.2.4, =0.0.1, =0.1.0-alpha.1, =0.1.0-alpha.2 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3478...

MAL-2026-3478 Malicious code in @tanstack/router-ssr-query-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/router-ssr-query-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Summary On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow...

GHSA-G7CV-RXG3-HMPX Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Summary On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow...