CVE-2026-45321

Published: Mag 12, 2026 Last Modified: Mag 12, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 9,6

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: required

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target 'Pwn Request' misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

506

Embedded Malicious Code

Incomplete

Abstraction: Class Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Execute Unauthorized Code Or Commands

Applicable Platforms

All platforms may be affected

View CWE Details

https://github.com/TanStack/router/issues/7383

https://github.com/TanStack/router/security/advisories/GHSA…

https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx

CVE-2026-45321

Description

Embedded Malicious Code

Common Consequences

Applicable Platforms

Iscriviti alla newsletter