MAL-2026-3491 Malicious code in @tanstack/start-static-server-functions (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bb21ff47aa0e512d1f67b02a37d160b475e32fcaa76bea381298a976c3bdd673 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/start-static-server-functions (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bb21ff47aa0e512d1f67b02a37d160b475e32fcaa76bea381298a976c3bdd673 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/start-storage-context (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7021ac6b47d0f973f936ca9d15cd26f43a01b1151ce691ec8b10be5001be2bb This version of @tanstack/start-storage-context belongs to the @tanstack/ package family that was compromised via CI cache poisoning, with 42 package...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +121 more potentially affected by unknown CVE via @tanstack/start-storage-context (>=1.121.0-alpha.28 <=1.166.4)

@tanstack/start-storage-context NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3492...

MAL-2026-3492 Malicious code in @tanstack/start-storage-context (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7021ac6b47d0f973f936ca9d15cd26f43a01b1151ce691ec8b10be5001be2bb This version of @tanstack/start-storage-context belongs to the @tanstack/ package family that was compromised via CI cache poisoning, with 42 package...

MAL-2026-3493 Malicious code in @tanstack/valibot-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25062244509cace2232407aaa71ca13d0ca2cf2c113e8e1dd19280694a3475cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/valibot-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 25062244509cace2232407aaa71ca13d0ca2cf2c113e8e1dd19280694a3475cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@ardeora/start-devtools (>=1.0.0 <=1.0.1), @carvajalconsultants/headstart (>=1.0.0 <=1.0.2) +26 more potentially affected by unknown CVE via @tanstack/virtual-file-routes (>=1.121.0-alpha.28 <=1.154.7)

@tanstack/virtual-file-routes NPM version =1.121.0-alpha.28, =1.0.0, =1.0.0, =0.1.0, =1.20.3-alpha.1, =1.111.10, =1.130.0, =1.121.0-alpha.28, =1.121.0-alpha.28, =1.121.0-alpha.28, =1.121.0-alpha.28, =1.20.3-alpha.1, =1.114.29, =1.130.0, =1.97.4, =1.120.20 and more Source cves: unknown CVE Source...

Malicious code in @tanstack/virtual-file-routes (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c95e413c2e182a7d35b0ec3ba9f2a979d63c77c1a7f20a6204059f7b66b433bc Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/vue-router-devtools (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7f7c609f55255a1ab5f7fc348536514f317d138538af5ec61ef4efc5a18b9014 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

PT-2026-39905

Name of the Vulnerable Software and Affected Versions TanStack affected versions not specified Description A supply chain attack involving a self-propagating worm known as Mini Shai-Hulud allowed the publication of malicious versions of 42 @tanstack/ packages to the npm registry. The attacker...

TanStack Query 安全漏洞

TanStack Query is an open-source library developed by TanStack, featuring a complete set of functions and supporting TypeScript. There is a security vulnerability in TanStack Query. This vulnerability stems from attackers exploiting configuration errors in the pullrequesttarget, GitHub Actions...

MAL-2026-3497 Malicious code in @tanstack/vue-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 925332e137c53fc83198f6ce65ec615c060124cbd8d1a5b23b9186c6494dbfba Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in @tanstack/router-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2bd6f7a2fea608220d5d0783a4762813d4200689bc99a551bca4304e2b681022 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@abhishekbarve/react-components (>=1.0.1 <=1.0.8), @adpush/start (>=1.87.15 <=1.87.16) +141 more potentially affected by unknown CVE via @tanstack/router-plugin (>=1.121.0-alpha.28 <=1.167.4)

@tanstack/router-plugin NPM version =1.121.0-alpha.28, =1.0.1, =1.87.15, =0.1.0, =0.0.2-canary.11, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =0.2.0, =0.2.0, =0.2.12 - @dauphaihau/react-template =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3477...

MAL-2026-3477 Malicious code in @tanstack/router-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2bd6f7a2fea608220d5d0783a4762813d4200689bc99a551bca4304e2b681022 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-3495 Malicious code in @tanstack/vue-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 23dd073c586a2dad28ee9957fd8a3059bcbb261fbbb6a17e3b99a7145158ef8d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@tanstack/vue-start (>=1.141.0 <=1.167.58), @tanstack/vue-start-client (>=1.141.0 <=1.166.43) +1 more potentially affected by unknown CVE via @tanstack/vue-router (>=1.141.0 <=1.169.2)

@tanstack/vue-router NPM version =1.141.0, =1.141.0, =1.141.0, =1.141.0, =1.166.47 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3495...

Malicious code in @tanstack/vue-router (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 23dd073c586a2dad28ee9957fd8a3059bcbb261fbbb6a17e3b99a7145158ef8d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

@abhishekbarve/react-components (>=1.0.1 <=1.0.8), @adpush/start (>=1.87.15 <=1.87.16) +148 more potentially affected by unknown CVE via @tanstack/router-generator (>=1.10.0 <=1.166.42)

@tanstack/router-generator NPM version =1.10.0, =1.0.1, =1.87.15, =0.1.0, =0.0.2-canary.11, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =0.1.0, =1.0.0, =0.2.0, =0.2.0, =0.2.12 - @dauphaihau/react-template =1.0.0 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3476...