@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +120 more potentially affected by unknown CVE via @tanstack/start-client-core (>=1.121.0-alpha.28 <=1.168.2)

@tanstack/start-client-core NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3487...

@alivault/pico (>=0.1.0 <=0.1.2), @ardeora/start-devtools (>=1.0.0 <=1.0.1) +92 more potentially affected by unknown CVE via @tanstack/react-start-client (>=1.121.0-alpha.28 <=1.166.48)

@tanstack/react-start-client NPM version =1.121.0-alpha.28, =0.1.0, =1.0.0, =0.0.1, =0.5.2, =0.1.1, =0.0.4, =1.0.0, =0.2.0, =0.2.0, =0.1.1, =0.2.0, =0.2.0, =0.1.14, =0.1.0, =0.1.38 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3469...

Malicious code in @tanstack/react-start-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8358ce998650baf1a9cb6bb602109da81268c43855ad0b16f892687cc89f104d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...