CVE-2026-45321: Critical Supply Chain Compromise in @tanstack Packages via GitHub Actions Misconfiguration
Vulnerability ID: CVE-2026-45321
CVSS Score: 9.6
Published: 2026-05-12
On May 11, 2026, threat actors executed a multi-stage supply chain attack against the @tanstack ecosystem. They exploited a pull_request_target misconfiguration in GitHub Actions that let untrusted pull request code run with the repository's CI privileges; from there they poisoned build caches and extracted OIDC tokens from runner memory. With those tokens they published 84 malicious package versions (42 packages, two versions each) containing credential-stealing malware to the npm registry.
TL;DR
A misconfigured GitHub Actions workflow allowed attackers to extract OIDC tokens from runner memory, resulting in the unauthorized publishing of 84 credential-stealing @tanstack npm packages.
⚠️ Exploit Status: ACTIVE
Technical Details
- CVE ID: CVE-2026-45321
- CVSS Score: 9.6
- CWE ID: CWE-506 (Embedded Malicious Code)
- Attack Vector: Network
- Exploit Status: Active
- KEV Status: Not Listed
Affected Systems
- @tanstack/arktype-adapter
- @tanstack/eslint-plugin-router
- @tanstack/history
- @tanstack/react-router
- @tanstack/react-start
- GitHub Actions Runners
- npm Registry
Affected Package Versions (malicious releases)
- @tanstack/arktype-adapter: 1.166.12, 1.166.15
- @tanstack/eslint-plugin-router: 1.161.9, 1.161.12
- @tanstack/eslint-plugin-start: 0.0.4, 0.0.7
- @tanstack/history: 1.161.9, 1.161.12
- @tanstack/nitro-v2-vite-plugin: 1.154.12, 1.154.15
- @tanstack/react-router: 1.169.5, 1.169.8
- @tanstack/react-router-devtools: 1.166.16, 1.166.19
- @tanstack/react-router-ssr-query: 1.166.15, 1.166.18
- @tanstack/react-start: 1.167.68, 1.167.71
- @tanstack/react-start-client: 1.166.51, 1.166.54
- @tanstack/react-start-rsc: 0.0.47, 0.0.50
- @tanstack/react-start-server: 1.166.55, 1.166.58
- @tanstack/router-cli: 1.166.46, 1.166.49
- @tanstack/router-core: 1.169.5, 1.169.8
- @tanstack/router-devtools: 1.166.16, 1.166.19
- @tanstack/router-devtools-core: 1.167.6, 1.167.9
- @tanstack/router-generator: 1.166.45, 1.166.48
- @tanstack/router-plugin: 1.167.38, 1.167.41
- @tanstack/router-ssr-query-core: 1.168.3, 1.168.6
- @tanstack/router-utils: 1.161.11, 1.161.14
- @tanstack/router-vite-plugin: 1.166.53, 1.166.56
- @tanstack/solid-router: 1.169.5, 1.169.8
- @tanstack/solid-router-devtools: 1.166.16, 1.166.19
- @tanstack/solid-router-ssr-query: 1.166.15, 1.166.18
- @tanstack/solid-start: 1.167.65, 1.167.68
- @tanstack/solid-start-client: 1.166.50, 1.166.53
- @tanstack/solid-start-server: 1.166.54, 1.166.57
- @tanstack/start-client-core: 1.168.5, 1.168.8
- @tanstack/start-fn-stubs: 1.161.9, 1.161.12
- @tanstack/start-plugin-core: 1.169.23, 1.169.26
- @tanstack/start-server-core: 1.167.33, 1.167.36
- @tanstack/start-static-server-functions: 1.166.44, 1.166.47
- @tanstack/start-storage-context: 1.166.38, 1.166.41
- @tanstack/valibot-adapter: 1.166.12, 1.166.15
- @tanstack/virtual-file-routes: 1.161.10, 1.161.13
- @tanstack/vue-router: 1.169.5, 1.169.8
- @tanstack/vue-router-devtools: 1.166.16, 1.166.19
- @tanstack/vue-router-ssr-query: 1.166.15, 1.166.18
- @tanstack/vue-start: 1.167.61, 1.167.64
- @tanstack/vue-start-client: 1.166.46, 1.166.49
- @tanstack/vue-start-server: 1.166.50, 1.166.53
- @tanstack/zod-adapter: 1.166.12, 1.166.15
Code Analysis
Commit 79ac49e: historical malicious orphan commit (reachable only by its hash, not from any branch) carrying the payload in a package.json prepare script. npm runs a package's prepare script when it installs that package from a Git URL, so a lockfile entry pointing at such a commit executes the payload at install time; this is why lockfiles should be audited for unexpected Git URL dependencies.
Mitigation Strategies
- Avoid pull_request_target together with actions/checkout of the pull request head: the trigger runs with the base repository's secrets and write token, so any code from the PR (including package.json lifecycle scripts executed by npm install) runs with those privileges.
- Enforce the Principle of Least Privilege for OIDC: grant id-token: write only to the job that actually publishes, never to jobs that build or test untrusted code.
- Implement runner-level memory isolation, e.g. restrict ptrace (Yama ptrace_scope) so one process in a job cannot read an OIDC token out of another process's memory.
- Audit lockfiles for anomalous Git URL dependencies (git+ssh://, git+https://, bare commit hashes) that bypass the registry and can carry a prepare-script payload.
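The first two mitigations in practice, as an added example that is not part of the original advisory and not TanStack's or GitHub's tooling: a small Python heuristic that flags workflows combining pull_request_target with a checkout of the PR head, an id-token: write grant, or a package-manager install that runs lifecycle scripts. The two workflow texts it checks are constructed samples (one vulnerable, one hardened), not the actual TanStack workflow, and the checker is regex-based rather than a full YAML parse.

```python
"""Heuristic checker for the GitHub Actions misconfiguration described above.
Added example, not TanStack's or GitHub's tooling. Regex-based (stdlib only),
so treat hits as leads to confirm by hand and expect misses on unusually
formatted workflows."""
import re

# Constructed sample of the dangerous shape: pull_request_target runs with the
# base repository's secrets and can mint an OIDC token, and the job then checks
# out the PR head, so a fork's package.json lifecycle scripts run during
# `npm ci` with those privileges.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci
"""

# Constructed sample of the same job hardened: the plain pull_request trigger
# gives fork PRs no secrets and only a read-only token, checkout defaults to the
# merge ref instead of an explicit PR head, and install scripts are disabled.
HARDENED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci --ignore-scripts
"""

PRT_TRIGGER = re.compile(r"\bpull_request_target\b")
PR_HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\b", re.MULTILINE)
# An npm/pnpm/yarn invocation without --ignore-scripts runs lifecycle scripts.
INSTALL_STEP = re.compile(
    r"^\s*-?\s*run\s*:.*\b(?:npm|pnpm|yarn)\b(?!.*--ignore-scripts)", re.MULTILINE
)


def audit_workflow(text):
    """Return a list of finding strings for one workflow file's contents.
    Nothing is reported unless the workflow uses pull_request_target at all."""
    findings = []
    if not PRT_TRIGGER.search(text):
        return findings
    if PR_HEAD_REF.search(text):
        findings.append("checks out the PR head under pull_request_target: "
                        "untrusted code runs with base-repo privileges")
    if ID_TOKEN_WRITE.search(text):
        findings.append("id-token: write granted to a pull_request_target job: "
                        "an OIDC token is mintable from untrusted code")
    if INSTALL_STEP.search(text):
        findings.append("package-manager install runs lifecycle scripts in a "
                        "pull_request_target job")
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(wf) or "no findings")
```

Run it over every file under .github/workflows in each repository; a workflow that legitimately needs pull_request_target (for example to label PRs) should still produce no findings, because it should neither check out the PR head nor request id-token: write.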
Remediation Steps:
- Identify all systems (developer machines, CI runners, build images) where an affected @tanstack package version was installed on or after May 11, 2026.
- Treat every credential present on those hosts as compromised: immediately rotate all local AWS, GCP, Azure, and Kubernetes credentials.
- Revoke and rotate GitHub PATs, SSH keys, and npm tokens stored in .npmrc files.
- Execute `npm cache clean --force` (or the equivalent for pnpm or yarn) to purge local package caches that may still hold the malicious tarballs.
- Remove the malicious versions from project dependencies and update lockfiles so they no longer resolve to them.
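The lockfile audit from Mitigation Strategies and the first remediation step combined, as an added example rather than code from the advisory or from TanStack: a Python scanner that reads a package-lock.json, flags any entry matching the malicious versions listed above, and reports dependencies resolved from Git URLs instead of the registry. The lockfile it runs on is a constructed sample; the Git-sourced package example-helper in it is hypothetical.

```python
"""Scan an npm lockfile for the malicious @tanstack releases listed in this
advisory and for dependencies fetched from Git URLs. Added example, not
TanStack's or npm's tooling; stdlib only."""
import json

# Malicious versions, copied from the advisory's affected-versions list.
AFFECTED = {
    "@tanstack/arktype-adapter": {"1.166.12", "1.166.15"},
    "@tanstack/eslint-plugin-router": {"1.161.9", "1.161.12"},
    "@tanstack/eslint-plugin-start": {"0.0.4", "0.0.7"},
    "@tanstack/history": {"1.161.9", "1.161.12"},
    "@tanstack/nitro-v2-vite-plugin": {"1.154.12", "1.154.15"},
    "@tanstack/react-router": {"1.169.5", "1.169.8"},
    "@tanstack/react-router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/react-router-ssr-query": {"1.166.15", "1.166.18"},
    "@tanstack/react-start": {"1.167.68", "1.167.71"},
    "@tanstack/react-start-client": {"1.166.51", "1.166.54"},
    "@tanstack/react-start-rsc": {"0.0.47", "0.0.50"},
    "@tanstack/react-start-server": {"1.166.55", "1.166.58"},
    "@tanstack/router-cli": {"1.166.46", "1.166.49"},
    "@tanstack/router-core": {"1.169.5", "1.169.8"},
    "@tanstack/router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/router-devtools-core": {"1.167.6", "1.167.9"},
    "@tanstack/router-generator": {"1.166.45", "1.166.48"},
    "@tanstack/router-plugin": {"1.167.38", "1.167.41"},
    "@tanstack/router-ssr-query-core": {"1.168.3", "1.168.6"},
    "@tanstack/router-utils": {"1.161.11", "1.161.14"},
    "@tanstack/router-vite-plugin": {"1.166.53", "1.166.56"},
    "@tanstack/solid-router": {"1.169.5", "1.169.8"},
    "@tanstack/solid-router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/solid-router-ssr-query": {"1.166.15", "1.166.18"},
    "@tanstack/solid-start": {"1.167.65", "1.167.68"},
    "@tanstack/solid-start-client": {"1.166.50", "1.166.53"},
    "@tanstack/solid-start-server": {"1.166.54", "1.166.57"},
    "@tanstack/start-client-core": {"1.168.5", "1.168.8"},
    "@tanstack/start-fn-stubs": {"1.161.9", "1.161.12"},
    "@tanstack/start-plugin-core": {"1.169.23", "1.169.26"},
    "@tanstack/start-server-core": {"1.167.33", "1.167.36"},
    "@tanstack/start-static-server-functions": {"1.166.44", "1.166.47"},
    "@tanstack/start-storage-context": {"1.166.38", "1.166.41"},
    "@tanstack/valibot-adapter": {"1.166.12", "1.166.15"},
    "@tanstack/virtual-file-routes": {"1.161.10", "1.161.13"},
    "@tanstack/vue-router": {"1.169.5", "1.169.8"},
    "@tanstack/vue-router-devtools": {"1.166.16", "1.166.19"},
    "@tanstack/vue-router-ssr-query": {"1.166.15", "1.166.18"},
    "@tanstack/vue-start": {"1.167.61", "1.167.64"},
    "@tanstack/vue-start-client": {"1.166.46", "1.166.49"},
    "@tanstack/vue-start-server": {"1.166.50", "1.166.53"},
    "@tanstack/zod-adapter": {"1.166.12", "1.166.15"},
}

# "resolved" values with these prefixes bypass the registry entirely.
GIT_PREFIXES = ("git+", "git://", "git@", "ssh://", "github:", "gitlab:", "bitbucket:")

# Constructed sample lockfile: one malicious version, one clean nested install,
# and one hypothetical dependency pinned to a commit on a Git remote.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/@tanstack/react-router": {
            "version": "1.169.5",
            "resolved": "https://registry.npmjs.org/@tanstack/react-router/-/react-router-1.169.5.tgz"},
        "node_modules/foo/node_modules/@tanstack/router-core": {
            "version": "1.169.4",
            "resolved": "https://registry.npmjs.org/@tanstack/router-core/-/router-core-1.169.4.tgz"},
        "node_modules/example-helper": {
            "version": "0.1.0",
            "resolved": "git+ssh://git@github.com/example/example-helper.git#0123456789abcdef0123456789abcdef01234567"},
    },
})


def scan_lockfile(lock_text):
    """Scan a package-lock.json (lockfileVersion 2 or 3; the v1 nested
    'dependencies' layout is not handled). Returns (compromised, git_deps):
    compromised lists (name, version) pairs found in AFFECTED; git_deps lists
    (name, resolved) for entries fetched from a Git URL, which is where a
    hostile orphan commit with a prepare script would show up."""
    lock = json.loads(lock_text)
    compromised, git_deps = [], []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project itself
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b" for nested installs
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        resolved = meta.get("resolved", "")
        if version in AFFECTED.get(name, ()):
            compromised.append((name, version))
        if resolved.startswith(GIT_PREFIXES):
            git_deps.append((name, resolved))
    return compromised, git_deps


if __name__ == "__main__":
    bad, git = scan_lockfile(SAMPLE_LOCK)
    print("compromised:", bad)
    print("git-sourced:", git)
```

Run it against every package-lock.json on the hosts identified in the first remediation step (pass the file contents to scan_lockfile); a non-empty compromised list means the host's credentials must be rotated, and every git-sourced entry deserves a look at the referenced commit before the project is reinstalled.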
References
Read the full report for CVE-2026-45321 on our website for more details including interactive diagrams and full exploit analysis.