CVE-2026-45321
Vulnerability Summary
Timeline
Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 2.34%• Percentile: 82%
Techniques & Countermeasures
- CWE-506•Embedded Malicious Code
The product contains code that appears to be malicious in nature.
Affected Systems
- abhishake1•supersurkhet\/cli
0.0.2 | 0.0.3 | 0.0.4 | 0.0.5 | 0.0.6 | 0.0.7
- abhishake1•supersurkhet\/sdk
0.0.2 | 0.0.3 | 0.0.4 | 0.0.5 | 0.0.6 | 0.0.7
- abhishake1•taskflow-corp\/cli
0.1.24 | 0.1.25 | 0.1.26 | 0.1.27 | 0.1.28 | 0.1.29
- agentworkhq•agentwork-cli
0.1.4 | 0.1.5
- antoinebcx•ml-toolkit-ts
1.0.4 | 1.0.5
- antoinebcx•ml-toolkit-ts\/preprocessing
1.0.2 | 1.0.3
- antoinebcx•ml-toolkit-ts\/xgboost
1.0.3 | 1.0.4
- beproduct•beproduct\/nestjs-auth
0.1.2 | 0.1.3 | 0.1.4 | 0.1.5 | 0.1.6 | 0.1.7 | 0.1.8 | 0.1.9 | 0.1.10 | 0.1.11 | 0.1.12 | 0.1.13 | 0.1.14 | 0.1.15 | 0.1.16 | 0.1.17 | 0.1.19
- christianalares•git_branch_selector
1.3.3 | 1.3.4 | 1.3.5 | 1.3.7
- christianalares•git-git-git
1.0.8 | 1.0.9 | 1.0.10 | 1.0.12
- christianalares•nextmove-mcp
0.1.3 | 0.1.4 | 0.1.5 | 0.1.7
- christianalares•tolka\/cli
1.0.2 | 1.0.3 | 1.0.4 | 1.0.6
- dirigible•dirigible-ai\/sdk
0.6.2 | 0.6.3
- guardrailsai•guardrails_ai
0.10.1
- kilbot•tallyui\/components
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/connector-medusa
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/connector-shopify
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/connector-vendure
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/connector-woocommerce
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/core
0.2.1 | 0.2.2 | 0.2.3
- kilbot•tallyui\/database
1.0.1 | 1.0.2 | 1.0.3
- kilbot•tallyui\/pos
0.1.1 | 0.1.2 | 0.1.3
- kilbot•tallyui\/storage-sqlite
0.2.1 | 0.2.2 | 0.2.3
- kilbot•tallyui\/theme
0.2.1 | 0.2.2 | 0.2.3
- linuxfoundation•opensearch
3.6.2
- matheuspergoli•draftauth\/client
0.2.1 | 0.2.2
- matheuspergoli•draftauth\/core
0.13.1 | 0.13.2
- matheuspergoli•draftlab\/auth
0.24.1 | 0.24.2
- matheuspergoli•draftlab\/auth-router
0.5.1 | 0.5.2
- matheuspergoli•draftlab\/db
0.16.1 | 0.16.2
- matheuspergoli•simple_type-safe_actions
0.8.3 | 0.8.4
- mesa•mesadev\/rest
0.28.3
- mesa•mesadev\/saguaro
0.4.22
- mesa•mesadev\/sdk
0.28.3
- mistral•mistralai
2.4.6
- mistral•mistralai\/mistralai
2.2.3 | 2.2.4
- mistral•mistralai\/mistralai-azure
1.7.2 | 1.7.3
- mistral•mistralai\/mistralai-gcp
1.7.2 | 1.7.3
- multiagentcognition•cmux-agent-mcp
0.1.3 | 0.1.4 | 0.1.5 | 0.1.6 | 0.1.7 | 0.1.8
- neilcochran•cross-stitch
1.1.3 | 1.1.4 | 1.1.6
- neilcochran•squawk\/airports
0.6.2 | 0.6.3 | 0.6.5
- neilcochran•squawk\/airspace
0.8.1 | 0.8.2 | 0.8.4
- neilcochran•squawk\/airspace-data
0.5.3 | 0.5.4 | 0.5.6
- neilcochran•squawk\/airway-data
0.5.4 | 0.5.5 | 0.5.7
- neilcochran•squawk\/airways
0.4.2 | 0.4.3 | 0.4.5
- neilcochran•squawk\/fix-data
0.6.4 | 0.6.5 | 0.6.7
- neilcochran•squawk\/fixes
0.3.2 | 0.3.3 | 0.3.5
- neilcochran•squawk\/flight-math
0.5.4 | 0.5.5 | 0.5.7
- neilcochran•squawk\/flightplan
0.5.2 | 0.5.3 | 0.5.5
- neilcochran•squawk\/geo
0.4.4 | 0.4.5 | 0.4.7
Showing first 50 affected entries in server-rendered view.
References (8)
- https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
- https://github.com/TanStack/router/issues/7383
- https://github.com/TanStack/router
- https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
- https://nvd.nist.gov/vuln/detail/CVE-2026-45321
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321