Lucene search

333 matches found

Snyk
added 2026/04/29 10:44 p.m., 2 views

Embedded Malicious Code

Overview tanstack is a TanStack Player — A developer-first, universal Video Player SDK built on Video.js with headless hooks, plugin architecture, and React-first DX Affected versions of this package are vulnerable to Embedded Malicious Code that exfiltrates environment variables from developers'...

9.8 CVSS, 5.9 AI score
Exploits 0, References 2

GithubExploit
added 2026/04/22 12:28 a.m., 117 views

Exploit for CVE-2026-26903

CVE-2026-26903 PoC Denial-of-service via unbounded recursio...

5.8 AI score
Exploits 1

vulnersOsv
added 2026/03/27 7:58 p.m., 6 views

@clerk/agent-toolkit (>=0.3.1-canary.v20260303211310 <=0.3.16-snapshot.v20260416221307), @clerk/astro (>=3.0.1-canary.v20260303211310 <=3.0.19-canary.v20260422163039) +9 more potentially affected by CVE-2026-34076 via @clerk/backend (>=3.0.0 <=3.2.3-snapshot.v20260327200941)

@clerk/backend NPM version =3.0.0, =0.3.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310, =0.0.3-canary.v20260303211310, =7.0.1-canary.v20260303211310, =2.0.1-canary.v20260303211310, =3.0.1-canary.v20260303211310,...

7.4 CVSS, 5.8 AI score, 0.00033 EPSS
Exploits 0

vulnersOsv
added 2026/03/20 8:50 p.m., 6 views

@abysslabs/cli (=0.0.2), @analogjs/vite-plugin-nitro (>=2.4.0-alpha.2 <=3.0.0-alpha.1) +27 more potentially affected by CVE-2026-33490 via h3 (>=2.0.1-rc.11 <=2.0.1-rc.16)

h3 NPM version =2.0.1-rc.11, =2.4.0-alpha.2, =3.23.1-20260131-121433-34f631e, =0.15.0, =1.154.7, =0.0.1, =1.154.7, =1.154.7, =1.154.7, =2.0.0-beta.19 and more Source cves: CVE-2026-33490 Source advisory: SNYK:JS-H3-15745916...

5.3 CVSS, 5.4 AI score, 0.00022 EPSS
Exploits 1

CNNVD
added 2026/03/10 12:0 a.m., 3 views

Number withdrawn

“form” is a form state management program developed by TanStack. “R” is a statistical computing software provided by The R Foundation. This CVE number has been withdrawn...

5.7 AI score, 0.00052 EPSS
Exploits 0, References 4

vulnersOsv
added 2026/02/19 8:15 p.m., 3 views

@any-code/agent (>=0.0.1 <=0.0.16), @aweto-agent/cli (>=1.7.2 <=1.8.0) +110 more potentially affected by unknown CVE via hono (>=4.0.0 <=4.11.1)

hono NPM version =4.0.0, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =1.0.2, =1.0.0, =4.0.0-alpha.28, =0.4.6, =1.1.54, =1.1.54, =0.1.0, =0.5.4 and more Source cves: unknown CVE Source advisory: SNYK:JS-HONO-15322749...

5.5 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/24 9:29 p.m., 5 views

Malicious code in tanstack-shadcn-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd82454ff234aa46b67b1813010ca3e7c45defc2172690c8c94fc74e2e09f6dc The package tanstack-shadcn-table was found to contain malicious code. Source: ghsa-malware...

6.9 AI score
Exploits 0, References 4

OSV
added 2025/11/24 9:29 p.m., 1 view

MAL-2025-191018 Malicious code in tanstack-shadcn-table (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd82454ff234aa46b67b1813010ca3e7c45defc2172690c8c94fc74e2e09f6dc The package tanstack-shadcn-table was found to contain malicious code. Source: ghsa-malware...

6.8 AI score
Exploits 0, References 4

EUVD
added 2025/11/24 9:29 p.m., 4 views

EUVD-2025-199025

Malicious code in tanstack-shadcn-table npm...

6.6 AI score
Exploits 0, References 4

Snyk
added 2025/11/24 4:24 p.m., 2 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

9.8 CVSS, 6.8 AI score
Exploits 0, References 3

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-0312

Malicious code in bioql PyPI...

8.2 CVSS, 6.8 AI score, 0.00496 EPSS
Exploits 0, References 4

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-53513

Malicious code in bioql PyPI...

7.5 CVSS, 6.4 AI score, 0.00173 EPSS
Exploits 0, References 4

OSV
added 2025/08/21 7:3 p.m., 2 views

MAL-2025-41275 Malicious code in tanstack-virtual-core (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis b38d98c47aceac75b944aff9d0df30a563d89aaa076329820aa58b119e010448 The OpenSSF Package Analysis project identified 'tanstack-virtual-cor...

7.1 AI score
Exploits 0

OSSF Malicious Packages
added 2025/08/21 7:3 p.m., 3 views

Malicious code in tanstack-virtual-core (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis b38d98c47aceac75b944aff9d0df30a563d89aaa076329820aa58b119e010448 The OpenSSF Package Analysis project identified 'tanstack-virtual-cor...

6.9 AI score
Exploits 0

CNNVD
added 2025/08/05 12:0 a.m., 1 view

Google Chrome security vulnerability

Google Chrome is a web browser from Google, Inc. form is an open source form state management program from TanStack. A security vulnerability exists in Google Chrome that stems from an improper implementation of the picture-in-picture feature...

4.3 CVSS, 4.5 AI score, 0.00223 EPSS
Exploits 0, References 4

vulnersOsv
added 2025/07/09 6:7 p.m., 1 view

@async-atharv/ipaship (>=1.2.1 <=1.2.2), @bentwnghk/chat (>=1.85.2 <=1.107.2) +96 more potentially affected by CVE-2025-53548 via @clerk/backend (>=2.0.0 <=2.33.5)

@clerk/backend NPM version =2.0.0, =1.2.1, =1.85.2, =0.0.1, =3.0.3, =0.1.0, =2.8.0-snapshot.v20250514155045, =1.5.0-snapshot.v20250514155045, =2.3.0, =6.20.0-snapshot.v20250514155045, =1.7.0, =1.5.0, =4.8.0, =0.16.0, =1.7.0-snapshot.v20250514155045, =1.0.4, =1.0.7 and more Source cves:...

7.5 CVSS, 5.4 AI score, 0.00128 EPSS
Exploits 0

RedhatCVE
added 2025/02/08 4:30 a.m., 4 views

CVE-2024-57068

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 6.5 AI score, 0.00173 EPSS
Exploits 0, References 1

OSV
added 2025/02/06 6:31 a.m., 3 views

GHSA-GGV3-VMGW-XV2Q @tanstack/form-core prototype pollution

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 7.3 AI score, 0.00173 EPSS
Exploits 0, References 5

vulnersOsv
added 2025/02/06 6:31 a.m., 4 views

@account-kit/react (>=4.0.0 <=4.88.4), @account-kit/react-native (>=4.15.0 <=4.88.4) +50 more potentially affected by CVE-2024-57068 via @tanstack/form-core (>=0.0.1 <=0.42.0)

@tanstack/form-core NPM version =0.0.1, =4.0.0, =4.15.0, =3.13.0, =0.0.1, =0.1.1, =0.0.1, =1.0.0, =0.3.5, =0.3.3, =3.0.0 and more Source cves: CVE-2024-57068 Source advisory: OSV:GHSA-GGV3-VMGW-XV2Q...

7.5 CVSS, 5.4 AI score, 0.00173 EPSS
Exploits 0

NVD
added 2025/02/05 10:15 p.m., 6 views

CVE-2024-57068

A prototype pollution in the lib.mutateMergeDeep function of @tanstack/form-core v0.35.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload...

7.5 CVSS, 0.00173 EPSS
Exploits 0, References 1