333 matches found
Malicious code in @tanstack/vue-start-client (npm)
Source: ghsa-malware b11c2f37aa0a8c4d809c3136f8f7c227c463f4f8e7a2b4515336b730941dcc4c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3499 Malicious code in @tanstack/vue-start-client (npm)
Source: ghsa-malware b11c2f37aa0a8c4d809c3136f8f7c227c463f4f8e7a2b4515336b730941dcc4c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/router-vite-plugin (npm)
Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3480 Malicious code in @tanstack/router-vite-plugin (npm)
Source: ghsa-malware 59c369975f931e9f8a4ca499e887c2ec41f7d1dbfcdcb83fa9e6ec9717ea4910 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3483 Malicious code in @tanstack/solid-router-ssr-query (npm)
Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/solid-router-ssr-query (npm)
Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/solid-start-client (npm)
Source: ghsa-malware 4905d7bb1a4d6f69ec73fe4cc8fa958262fcab1397fed5725ac39db447f6239a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/solid-router-devtools (npm)
Source: amazon-inspector d97a7cf294a17c17e22c7eead7d3de9f693c5488aecba96129d5b79b52f430de This version falls within the @tanstack/ package family compromised on 2026-05-11. The campaign published 42 packages × 2 versions each with the...
Malicious code in @tanstack/solid-router (npm)
Source: ghsa-malware 79e1b5cf7bf19cbf81420be17e5aad851d9f2e2943848f3a4b295e2ed7a8ed2c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3481 Malicious code in @tanstack/solid-router (npm)
Source: ghsa-malware 79e1b5cf7bf19cbf81420be17e5aad851d9f2e2943848f3a4b295e2ed7a8ed2c Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/router-utils (npm)
Source: ghsa-malware 44bca8f9294a1b6c949228c6741851305336a0b694ce00617c6fcd4b220c30a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3479 Malicious code in @tanstack/router-utils (npm)
Source: ghsa-malware 44bca8f9294a1b6c949228c6741851305336a0b694ce00617c6fcd4b220c30a1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2026-3478 Malicious code in @tanstack/router-ssr-query-core (npm)
Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in @tanstack/router-ssr-query-core (npm)
Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Summary On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow...
@tanstack/vue-start (=1.166.5) potentially affected by CVE-2026-45321 via @tanstack/vue-start-client (=1.166.5)
@tanstack/vue-start-client NPM version =1.166.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/vue-start-client and may be impacted: - @tanstack/vue-start =1.166.5 Source cves: CVE-2026-45321 Source advisory: OSV:GHSA-G7CV-RXG3-HMPX...
@tanstack/router-devtools (=1.166.2) potentially affected by CVE-2026-45321 via @tanstack/react-router-devtools (=1.166.2)
@tanstack/react-router-devtools NPM version =1.166.2 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-router-devtools and may be impacted: - @tanstack/router-devtools =1.166.2 Source cves: CVE-2026-45321 Source advisory:...
@tanstack/react-start (=1.166.4), @tanstack/react-start-client (=1.166.4) +11 more potentially affected by CVE-2026-45321 via @tanstack/start-storage-context (=1.166.4)
@tanstack/start-storage-context NPM version =1.166.4 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/start-storage-context and may be impacted: - @tanstack/react-start =1.166.4 - @tanstack/react-start-client =1.166.4 -...
@tanstack/react-start (>=1.167.5 <=1.167.6), @tanstack/router-vite-plugin (=1.166.19) +3 more potentially affected by CVE-2026-45321 via @tanstack/router-plugin (=1.167.4)
@tanstack/router-plugin NPM version =1.167.4 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/router-plugin and may be impacted: - @tanstack/react-start =1.167.5, =1.167.5, =1.167.8, =1.167.5, =1.167.6 Source cves: CVE-2026-45321 Source...
@tanstack/react-start (=1.167.25) potentially affected by CVE-2026-45321 via @tanstack/react-start-rsc (=0.0.5)
@tanstack/react-start-rsc NPM version =0.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on @tanstack/react-start-rsc and may be impacted: - @tanstack/react-start =1.167.25 Source cves: CVE-2026-45321 Source advisory: OSV:GHSA-G7CV-RXG3-HMPX...