Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

TanStack GitHub Actions Trusted Publisher Supply Chain Compromise

IdentifiersCVE-2026-45321CWE-829

CVE-2026-45321 is a critical supply-chain vulnerability affecting TanStack’s npm publishing pipeline. On 2026-05-11, attackers published 84 malicious versions across 42 @tanstack/* packages to the npm registry within approximately six minutes. The publishes were authenticated through TanStack/router’s legitimate GitHub Actions OIDC trusted-publisher binding, and the publish workflow itself was reportedly not modified. The compromise was achieved through a chained exploitation of multiple CI/CD weaknesses: a pull_request_target workflow misconfiguration that allowed fork-controlled code to execute in the privileged context of the base repository, GitHub Actions cache poisoning across the fork-to-base trust boundary, and runtime extraction of the OIDC token from the Actions runner process memory. The stolen OIDC token was then exchanged through npm trusted publishing to obtain publish capability under TanStack’s legitimate identity. The resulting malicious package versions contained credential-stealing malware and, in some reporting, carried valid Sigstore/SLSA provenance because they were built and published by the legitimate release pipeline.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allowed attackers to subvert TanStack’s trusted release process and distribute trojanized package versions under the project’s legitimate publisher identity. Downstream users who installed affected versions risked execution of credential-stealing malware on developer workstations and CI runners, with theft of secrets such as GitHub tokens, npm tokens, cloud credentials, Kubernetes and Vault tokens, and SSH material. Because the malicious artifacts were published through the legitimate pipeline, they could appear trustworthy to consumers and automated controls, including provenance-based trust mechanisms. The compromise therefore enabled broad software supply-chain impact, downstream credential theft, unauthorized access to source control and cloud environments, and potential further propagation into additional packages and environments.

Mitigation

If you can’t patch tonight, do this now.

Until full remediation is complete, pin TanStack dependencies to known-good versions published before the malicious release window on 2026-05-11, remove existing installations, and reinstall only from verified clean lockfiles. Temporarily disable package lifecycle scripts where operationally feasible to reduce install-time execution risk. Audit CI/CD and developer environments that performed npm, pnpm, or yarn installs of affected TanStack versions during the compromise window and treat those hosts as exposed. On the CI/CD side, disable or redesign workflows that execute fork-originated code in privileged contexts, segregate caches across trust boundaries, pin GitHub Actions to immutable revisions, minimize id-token permissions, and monitor for anomalous OIDC token use and unexpected package publication events. Block known attacker infrastructure and exfiltration endpoints where available from threat intelligence.

Remediation

Patch, then assume compromise.

Upgrade all affected @tanstack/* packages to vendor-designated fixed versions or later and remove any malicious versions from dependency manifests and lockfiles. Rebuild dependencies from a clean lockfile, delete node_modules or equivalent package caches, and ensure no compromised tarballs remain in internal mirrors or artifact caches. Treat any developer workstation or CI runner that installed affected versions during the exposure window as potentially compromised: rotate all credentials accessible to those environments, including GitHub, npm, cloud, Kubernetes, Vault, and SSH credentials; review audit logs for unauthorized use; and rebuild or reimage impacted systems where appropriate. For the publisher side, harden GitHub Actions workflows by eliminating unsafe pull_request_target patterns, separating untrusted and trusted execution contexts, invalidating poisoned caches, and restricting trusted publisher/OIDC permissions to protected branches and tightly scoped workflows.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 10 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 10 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Abhishake1Supersurkhet/Cliapplication
Abhishake1Supersurkhet/Sdkapplication
Abhishake1Taskflow-Corp/Cliapplication
AgentworkhqAgentwork-Cliapplication
AntoinebcxMl-Toolkit-Tsapplication
AntoinebcxMl-Toolkit-Ts/Preprocessingapplication
AntoinebcxMl-Toolkit-Ts/Xgboostapplication
BeProductBeproduct/Nestjs-Authapplication
ChristianalaresGit Branch Selectorapplication
ChristianalaresGit-Git-Gitapplication
ChristianalaresNextmove-Mcpapplication
ChristianalaresTolka/Cliapplication
DirigibleDirigible-Ai/Sdkapplication
GuardrailsaiGuardrails Aiapplication
KilbotTallyui/Componentsapplication
KilbotTallyui/Connector-Medusaapplication
KilbotTallyui/Connector-Shopifyapplication
KilbotTallyui/Connector-Vendureapplication
KilbotTallyui/Connector-Woocommerceapplication
KilbotTallyui/Coreapplication
KilbotTallyui/Databaseapplication
KilbotTallyui/Posapplication
KilbotTallyui/Storage-Sqliteapplication
KilbotTallyui/Themeapplication
Linux FoundationOpensearchapplication
MatheuspergoliDraftauth/Clientapplication
MatheuspergoliDraftauth/Coreapplication
MatheuspergoliDraftlab/Authapplication
MatheuspergoliDraftlab/Auth-Routerapplication
MatheuspergoliDraftlab/Dbapplication
MatheuspergoliSimple Type-Safe Actionsapplication
MesaMesadev/Restapplication
MesaMesadev/Saguaroapplication
MesaMesadev/Sdkapplication
Mistral AIMistralaiapplication
Mistral AIMistralai/Mistralaiapplication
Mistral AIMistralai/Mistralai-Azureapplication
Mistral AIMistralai/Mistralai-Gcpapplication
MultiagentcognitionCmux-Agent-Mcpapplication
NeilcochranCross-Stitchapplication
NeilcochranSquawk/Airportsapplication
NeilcochranSquawk/Airspaceapplication
NeilcochranSquawk/Airspace-Dataapplication
NeilcochranSquawk/Airway-Dataapplication
NeilcochranSquawk/Airwaysapplication
NeilcochranSquawk/Fix-Dataapplication
NeilcochranSquawk/Fixesapplication
NeilcochranSquawk/Flight-Mathapplication
NeilcochranSquawk/Flightplanapplication
NeilcochranSquawk/Geoapplication
NeilcochranSquawk/Icao-Registryapplication
NeilcochranSquawk/Icao-Registry-Dataapplication
NeilcochranSquawk/Mcpapplication
NeilcochranSquawk/Navaid-Dataapplication
NeilcochranSquawk/Navaidsapplication
NeilcochranSquawk/Notamsapplication
NeilcochranSquawk/Procedure-Dataapplication
NeilcochranSquawk/Proceduresapplication
NeilcochranSquawk/Typesapplication
NeilcochranSquawk/Unitsapplication
NeilcochranSquawk/Weatherapplication
NeilcochranTs-Dnaapplication
NeilcochranWot-Apiapplication
TanstackArktype-Adapterapplication
TanstackEslint-Plugin-Routerapplication
TanstackEslint-Plugin-Startapplication
TanstackHistoryapplication
TanstackNitro-V2-Vite-Pluginapplication
TanstackReact-Routerapplication
TanstackReact-Router-Devtoolsapplication
TanstackReact-Router-Ssr-Queryapplication
TanstackReact-Startapplication
TanstackReact-Start-Clientapplication
TanstackReact-Start-Rscapplication
TanstackReact-Start-Serverapplication
TanstackRouter-Cliapplication
TanstackRouter-Coreapplication
TanstackRouter-Devtoolsapplication
TanstackRouter-Devtools-Coreapplication
TanstackRouter-Generatorapplication
TanstackRouter-Pluginapplication
TanstackRouter-Ssr-Query-Coreapplication
TanstackRouter-Utilsapplication
TanstackRouter-Vite-Pluginapplication
TanstackSolid-Routerapplication
TanstackSolid-Router-Devtoolsapplication
TanstackSolid-Router-Ssr-Queryapplication
TanstackSolid-Startapplication
TanstackSolid-Start-Clientapplication
TanstackSolid-Start-Serverapplication
TanstackStart-Client-Coreapplication
TanstackStart-Fn-Stubsapplication
TanstackStart-Plugin-Coreapplication
TanstackStart-Server-Coreapplication
TanstackStart-Static-Server-Functionsapplication
TanstackStart-Storage-Contextapplication
TanstackTanstack/Arktype-Adapterapplication
TanstackTanstack/Eslint-Plugin-Routerapplication
TanstackTanstack/Eslint-Plugin-Startapplication
TanstackTanstack/Historyapplication
TanstackTanstack/Nitro-V2-Vite-Pluginapplication
TanstackTanstack/React-Routerapplication
TanstackTanstack/React-Router-Devtoolsapplication
TanstackTanstack/React-Router-Ssr-Queryapplication
TanstackTanstack/React-Startapplication
TanstackTanstack/React-Start-Clientapplication
TanstackTanstack/React-Start-Rscapplication
TanstackTanstack/React-Start-Serverapplication
TanstackTanstack/Router-Cliapplication
TanstackTanstack/Router-Coreapplication
TanstackTanstack/Router-Devtoolsapplication
TanstackTanstack/Router-Devtools-Coreapplication
TanstackTanstack/Router-Generatorapplication
TanstackTanstack/Router-Pluginapplication
TanstackTanstack/Router-Ssr-Query-Coreapplication
TanstackTanstack/Router-Utilsapplication
TanstackTanstack/Router-Vite-Pluginapplication
TanstackTanstack/Solid-Routerapplication
TanstackTanstack/Solid-Router-Devtoolsapplication
TanstackTanstack/Solid-Router-Ssr-Queryapplication
TanstackTanstack/Solid-Startapplication
TanstackTanstack/Solid-Start-Clientapplication
TanstackTanstack/Solid-Start-Serverapplication
TanstackTanstack/Start-Client-Coreapplication
TanstackTanstack/Start-Fn-Stubsapplication
TanstackTanstack/Start-Plugin-Coreapplication
TanstackTanstack/Start-Server-Coreapplication
TanstackTanstack/Start-Static-Server-Functionsapplication
TanstackTanstack/Start-Storage-Contextapplication
TanstackTanstack/Valibot-Adapterapplication
TanstackTanstack/Virtual-File-Routesapplication
TanstackTanstack/Vue-Routerapplication
TanstackTanstack/Vue-Router-Devtoolsapplication
TanstackTanstack/Vue-Router-Ssr-Queryapplication
TanstackTanstack/Vue-Startapplication
TanstackTanstack/Vue-Start-Clientapplication
TanstackTanstack/Vue-Start-Serverapplication
TanstackTanstack/Zod-Adapterapplication
TanstackValibot-Adapterapplication
TanstackVirtual-File-Routesapplication
TanstackVue-Routerapplication
TanstackVue-Router-Devtoolsapplication
TanstackVue-Router-Ssr-Queryapplication
TanstackVue-Startapplication
TanstackVue-Start-Clientapplication
TanstackVue-Start-Serverapplication
TanstackZod-Adapterapplication
UipathUipath/Access-Policy-Sdkapplication
UipathUipath/Access-Policy-Toolapplication
UipathUipath/Admin-Toolapplication
UipathUipath/Agent-Sdkapplication
UipathUipath/Agent-Toolapplication
UipathUipath/Agent.Sdkapplication
UipathUipath/Aops-Policy-Toolapplication
UipathUipath/Ap-Chatapplication
UipathUipath/Api-Workflow-Toolapplication
UipathUipath/Apollo-Coreapplication
UipathUipath/Apollo-Reactapplication
UipathUipath/Apollo-Windapplication
UipathUipath/Authapplication
UipathUipath/Case-Toolapplication
UipathUipath/Cliapplication
UipathUipath/Codedagent-Toolapplication
UipathUipath/Codedagents-Toolapplication
UipathUipath/Codedapp-Toolapplication
UipathUipath/Commonapplication
UipathUipath/Context-Grounding-Toolapplication
UipathUipath/Data-Fabric-Toolapplication
UipathUipath/Docsai-Toolapplication
UipathUipath/Filesystemapplication
UipathUipath/Flow-Toolapplication
UipathUipath/Functions-Toolapplication
UipathUipath/Gov-Toolapplication
UipathUipath/Identity-Toolapplication
UipathUipath/Insights-Sdkapplication
UipathUipath/Insights-Toolapplication
UipathUipath/Integrationservice-Sdkapplication
UipathUipath/Integrationservice-Toolapplication
UipathUipath/Llmgw-Toolapplication
UipathUipath/Maestro-Sdkapplication
UipathUipath/Maestro-Toolapplication
UipathUipath/Orchestrator-Toolapplication
UipathUipath/Packager-Tool-Apiworkflowapplication
UipathUipath/Packager-Tool-Bpmnapplication
UipathUipath/Packager-Tool-Caseapplication
UipathUipath/Packager-Tool-Connectorapplication
UipathUipath/Packager-Tool-Flowapplication
UipathUipath/Packager-Tool-Functionsapplication
UipathUipath/Packager-Tool-Webappapplication
UipathUipath/Packager-Tool-Workflowcompilerapplication
UipathUipath/Packager-Tool-Workflowcompiler-Browserapplication
UipathUipath/Platform-Toolapplication
UipathUipath/Project-Packagerapplication
UipathUipath/Resource-Toolapplication
UipathUipath/Resourcecatalog-Toolapplication
UipathUipath/Resources-Toolapplication
UipathUipath/Robotapplication
UipathUipath/Rpa-Legacy-Toolapplication
UipathUipath/Rpa-Toolapplication
UipathUipath/Solution-Packagerapplication
UipathUipath/Solution-Toolapplication
UipathUipath/Solutionpackager-Sdkapplication
UipathUipath/Solutionpackager-Tool-Coreapplication
UipathUipath/Tasks-Toolapplication
UipathUipath/Telemetryapplication
UipathUipath/Test-Manager-Toolapplication
UipathUipath/Tool-Workflowcompilerapplication
UipathUipath/Traces-Toolapplication
UipathUipath/Ui-Widgets-Multi-File-Uploadapplication
UipathUipath/Uipath-Python-Bridgeapplication
UipathUipath/Vertical-Solutions-Toolapplication
UipathUipath/Vssapplication
UipathUipath/Widget.Sdkapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

34 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

34 SOURCESView more in app
scworldNews
May 29, 2026
CISA adds Daemon Tools, TanStack, and Nx Console compromised versions to KEV catalog | brief | SC Media

A supply chain attack affecting TanStack npm packages where attackers abused GitHub Actions to publish numerous malicious package versions containing credential-stealing malware.

Read more
security affairsNews
May 28, 2026
U.S. CISA adds Daemon Tools, TanStack, and Nx Console flaws to its Known Exploited Vulnerabilities catalog

A supply chain attack on 42 @tanstack npm packages in which attackers abused GitHub Actions, cache poisoning, pull_request_target misconfiguration, and OIDC token theft to publish malicious package versions containing credential-stealing malware.

Read more
cyberthroneNews
May 28, 2026
CISA adds Three Vulnerabilities to KEV Catalog - TheCyberThrone

A software supply chain compromise in TanStack npm packages caused by chained exploitation of weaknesses in GitHub Actions CI/CD workflows, enabling cache poisoning, OIDC token theft, and malicious package publication.

Read more
sans iscNews
May 25, 2026
TeamPCP Supply Chain Campaign: Activity Through 2026-05-24

A tracked vulnerability/abuse chain involving TanStack OIDC credentials that enabled credential harvesting and was subsequently used to publish trojanized software in the TeamPCP/Shai-Hulud supply-chain campaign.

Read more
+6 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence8

Every observed campaign linking this CVE to a named adversary.

Associated malware13

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity20

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-45321
NVD
nvd.nist.gov/vuln/detail/CVE-2026-45321
MITRE CWE · CWE-829
cwe.mitre.org
Vendor Advisory
github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Vendor Advisory
tanstack.com/blog/npm-supply-chain-compromise-postmortem
Third Party Advisory
stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem
Issue Tracking
github.com/TanStack/router/issues/7383
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321