Malicious Package Injection in TanStack Products by npm Attackers
CVE-2026-45321
Key Information:
- Vendor: @tanstack
- CVE Published: 12 May 2026
What is CVE-2026-45321?
CVE-2026-45321 is a significant vulnerability affecting multiple TanStack products distributed through the npm package registry. It stems from a malicious package injection attack in which unauthorized versions of TanStack packages were published to npm by combining three established vulnerability classes. The attackers leveraged GitHub Actions misconfigurations and memory extraction techniques to publish malware disguised as legitimate package releases. Organizations using TanStack products could be severely affected through compromise of their software supply chain: the malicious versions perform credential-stealing actions, which can lead to unauthorized access to sensitive information and potentially to larger systemic compromises.
Potential impact of CVE-2026-45321
- Credential Theft: The malicious packages contain malware designed to extract sensitive credentials from systems that use the affected TanStack products. This could lead to unauthorized access to user data and organizational resources.
- Supply Chain Compromise: By injecting malicious versions of trusted packages, attackers undermine the integrity of the software supply chain, affecting not just immediate targets but also downstream users who depend on these packages, so the compromise propagates widely.
- System Compromise: Deployment of the infected packages can enable attackers to gain control over affected systems and use them as footholds for further exploitation or lateral movement within an organization's network, increasing the risk of data breaches and ransomware attacks.
CISA has reported CVE-2026-45321
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2026-45321 as being exploited; CISA also lists it as enabling ransomware campaigns.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
arktype-adapter 1.166.12
arktype-adapter 1.166.15
eslint-plugin-router 1.161.9
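A practical first step for a defender is to check whether any of the versions listed above are present in a project's lockfile. The following scanner is an added example written for this page; it is not code from TanStack or from the advisory. It assumes the three packages are published under the @tanstack npm scope (the page names the vendor as @tanstack but does not print the full package names), and it reads both the flat "packages" map that npm 7+ writes (lockfileVersion 2/3) and the nested "dependencies" tree of npm 6 (lockfileVersion 1). The embedded lockfile is a constructed sample.

```python
"""Scan an npm lockfile for the package versions listed as affected by CVE-2026-45321.

Added example, not code from the page or from TanStack. The @tanstack scope
prefix on the package names is an assumption; the version numbers are the ones
listed on the page.
"""
import json

# Affected package@version pairs from the page; the scope prefix is an assumption.
AFFECTED = {
    "@tanstack/arktype-adapter": {"1.166.12", "1.166.15"},
    "@tanstack/eslint-plugin-router": {"1.161.9"},
}


def _walk_v1(deps, path, hits):
    """Recurse through a lockfileVersion 1 'dependencies' tree, recording matches."""
    for name, meta in (deps or {}).items():
        version = meta.get("version")
        if name in AFFECTED and version in AFFECTED[name]:
            hits.append((name, version, "/".join(path + [name])))
        _walk_v1(meta.get("dependencies"), path + [name], hits)


def find_affected(lockfile_text: str):
    """Return a sorted list of (package, version, location) for every affected install."""
    lock = json.loads(lockfile_text)
    hits = []
    # npm 7+ (lockfileVersion 2/3): a flat map keyed by install path,
    # e.g. "node_modules/@tanstack/arktype-adapter". Nested installs look like
    # "node_modules/foo/node_modules/@tanstack/arktype-adapter".
    for key, meta in lock.get("packages", {}).items():
        if not key:  # "" is the root project entry, not a dependency
            continue
        name = meta.get("name") or key.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name in AFFECTED and version in AFFECTED[name]:
            hits.append((name, version, key))
    # npm 6 (lockfileVersion 1): nested tree. lockfileVersion 2 files carry both
    # sections, so only walk the tree when there is no "packages" map.
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies"), [], hits)
    return sorted(hits)


# Constructed sample lockfile (lockfileVersion 3): one affected install, one
# adjacent clean version of another listed package, and an unrelated package.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/arktype-adapter": {"version": "1.166.12"},
        "node_modules/@tanstack/eslint-plugin-router": {"version": "1.161.8"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    import sys
    # Usage: python scan_lock.py [path/to/package-lock.json]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    findings = find_affected(text)
    for name, version, where in findings:
        print(f"AFFECTED: {name}@{version} at {where}")
    print("no affected versions found" if not findings else f"{len(findings)} finding(s)")
```

Only exact version matches are reported, because the page lists specific published versions rather than a range; a version such as 1.161.8 in the sample is deliberately left unflagged. Run it against a real package-lock.json by passing the path as the first argument.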
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
EPSS Score
17% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Used in Ransomware
- CISA Reported
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
