Malicious Package Injection in TanStack Products by npm Attackers
CVE-2026-45321

9.6 CRITICAL

Key Information:

Vendor

@tanstack

CVE Published:
12 May 2026

What is CVE-2026-45321?

On May 11, 2026, an attacker exploited multiple vulnerabilities to publish 84 malicious versions across 42 TanStack npm packages. The malicious versions were published through the projects' legitimate GitHub Actions pipeline, taking advantage of a misconfiguration in pull_request_target workflows and a known cache poisoning flaw. Chaining these weaknesses let the attacker publish under a trusted identity and distribute malware capable of stealing credentials. Each affected package received two malicious versions in quick succession, highlighting a significant risk in package management ecosystems.
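A practical first step for a defender is to check whether a project's lockfile pins any of the published malicious versions. The script below is an added example, not code from the advisory or from TanStack; it embeds only the three versions this page lists (the page states that 84 were published, so the table is deliberately incomplete) and assumes, as labelled in the code, that the affected packages live under the `@tanstack` npm scope. It understands lockfileVersion 2/3 (`packages` map) and falls back to the older nested `dependencies` tree, and it includes a constructed sample lockfile so it runs offline.

```python
"""Flag package-lock.json entries that match malicious versions listed for CVE-2026-45321."""
import json
from typing import Dict, List, Set, Tuple

# Versions taken from the advisory page. The page says 84 malicious versions
# were published across 42 packages; only the three it lists appear here.
# ASSUMPTION: the packages are published under the @tanstack npm scope
# (the page names the vendor "@tanstack" but gives bare package names).
MALICIOUS_VERSIONS: Dict[str, Set[str]] = {
    "@tanstack/arktype-adapter": {"1.166.12", "1.166.15"},
    "@tanstack/eslint-plugin-router": {"1.161.9"},
}


def package_name_from_path(path: str) -> str:
    """Turn a lockfile 'packages' key such as 'node_modules/a/node_modules/@s/b'
    into the npm package name '@s/b' (the text after the last 'node_modules/')."""
    idx = path.rfind("node_modules/")
    if idx == -1:
        return path
    return path[idx + len("node_modules/"):]


def find_malicious(lockfile: dict,
                   bad: Dict[str, Set[str]] = MALICIOUS_VERSIONS) -> List[Tuple[str, str, str]]:
    """Return (lockfile path, package name, version) for every installed entry whose
    name/version pair is in the malicious table. Handles lockfileVersion 2/3 via the
    flat 'packages' map and lockfileVersion 1 via the nested 'dependencies' tree."""
    hits: List[Tuple[str, str, str]] = []
    packages = lockfile.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:  # the "" key is the root project itself
                continue
            # 'name' is only present for aliased installs; derive it from the path otherwise
            name = meta.get("name") or package_name_from_path(path)
            version = meta.get("version", "")
            if version in bad.get(name, ()):
                hits.append((path, name, version))
        return hits

    # lockfileVersion 1: each dependency may carry its own nested 'dependencies'
    def walk(deps: dict, prefix: str) -> None:
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            version = meta.get("version", "")
            if version in bad.get(name, ()):
                hits.append((path, name, version))
            walk(meta.get("dependencies", {}), path + "/")

    walk(lockfile.get("dependencies", {}), "")
    return hits


# Constructed sample lockfile: one clean entry, one direct hit and one hit
# installed as a nested dependency of another package.
SAMPLE_LOCKFILE = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "0.0.1"},
        "node_modules/@tanstack/arktype-adapter": {"version": "1.166.11"},
        "node_modules/@tanstack/eslint-plugin-router": {"version": "1.161.9"},
        "node_modules/some-tool/node_modules/@tanstack/arktype-adapter": {"version": "1.166.15"},
    },
}


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Load a package-lock.json from disk and return its malicious entries."""
    with open(path, encoding="utf-8") as fh:
        return find_malicious(json.load(fh))


if __name__ == "__main__":
    import sys
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_malicious(SAMPLE_LOCKFILE)
    for lock_path, name, version in results:
        print(f"MALICIOUS {name}@{version} at {lock_path}")
    sys.exit(1 if results else 0)
```

Run it with a path to a real package-lock.json to get a non-zero exit status when a listed version is present, which makes it easy to drop into a CI gate; the nested-path case matters because a malicious version can arrive transitively even when the top-level pin is clean.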

Affected Version(s)

arktype-adapter 1.166.12

arktype-adapter 1.166.15

eslint-plugin-router 1.161.9


CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved