CVE-2026-45321
Malicious Versions Published in TanStack Packages via OIDC Token Theft
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tanstack | router | * |
| tanstack | setup | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45321 is a critical security incident where 42 malicious versions across multiple @tanstack/* npm packages were published on May 11, 2026, within a short time frame.
The attacker exploited a chain of three known vulnerabilities: a GitHub Actions "Pwn Request" misconfiguration, cache poisoning across fork and base repository trust boundaries, and runtime memory extraction of OIDC tokens from the Actions runner process.
Using these exploits, the attacker published credential-stealing malware under a trusted identity without modifying the publish workflow itself.
The malicious packages exfiltrate sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens to a Session/Oxen messenger network.
The attack uses an undeclared payload file named router_init.js, which executes during installation but leaves no trace in node_modules due to a deliberate failure in optional dependency installation.
How can this vulnerability impact me?
This vulnerability can have severe impacts including the theft of sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens.
Compromised credentials can lead to unauthorized access to cloud resources, code repositories, and package publishing capabilities.
Users who installed the affected malicious versions risk having their credentials exfiltrated and should immediately rotate all accessible credentials and review cloud audit logs.
The CVSS score of 9.6 indicates a critical severity with high impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves inspecting package manifests for a specific optionalDependencies entry and checking for the presence of the malicious payload file named router_init.js.
The malicious payload file router_init.js is executed during installation but leaves no trace in node_modules due to a deliberate failure in the optional dependency installation process.
Users should look for the optionalDependencies entry in package.json files of @tanstack/* packages and verify if router_init.js exists or was executed.
- Check package.json files for unexpected optionalDependencies entries related to the malicious versions.
- Search your project directories for the presence of router_init.js using commands like: find . -name router_init.js
- Review installation logs or scripts for execution of router_init.js or related lifecycle scripts.
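As an added example (not from the advisory or the TanStack project), a small Python scanner that implements the checks above: it walks a directory tree, reports every optionalDependencies entry found in a @tanstack/* package.json, any lifecycle script that mentions router_init.js, and any file by that name. The advisory does not name the specific optionalDependencies entry, so each entry in the scope is reported for manual review; the tree built by demo(), the name example-optional-dep and the postinstall hook are constructed sample data.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

PAYLOAD_NAME = "router_init.js"  # undeclared payload file named in the advisory
SCOPE = "@tanstack"              # affected npm scope


def scan_tree(root):
    """Return (kind, path, detail) findings under root.

    kind: "payload" = a file named router_init.js (may be absent, since the payload
    deliberately leaves no trace in node_modules); "optdep" = an optionalDependencies
    entry in a @tanstack/* manifest; "script" = a lifecycle script naming the payload.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name == PAYLOAD_NAME:
                findings.append(("payload", str(full), ""))
            elif name == "package.json" and Path(dirpath).parent.name == SCOPE:
                try:
                    manifest = json.loads(full.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # unreadable manifest, nothing to assess
                for dep, spec in (manifest.get("optionalDependencies") or {}).items():
                    findings.append(("optdep", str(full), f"{dep}@{spec}"))
                for hook, cmd in (manifest.get("scripts") or {}).items():
                    if PAYLOAD_NAME in str(cmd):
                        findings.append(("script", str(full), f"{hook}: {cmd}"))
    return findings


def demo():
    """Run the scan over a constructed node_modules tree (sample data, not a real package)."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "node_modules" / SCOPE / "router"
        pkg.mkdir(parents=True)
        manifest = {"name": "@tanstack/router", "version": "0.0.0-constructed",
                    "optionalDependencies": {"example-optional-dep": "1.0.0"},
                    "scripts": {"postinstall": "node router_init.js"}}
        (pkg / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        (pkg / PAYLOAD_NAME).write_text("// constructed placeholder\n", encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, path, detail in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"[{kind}] {path} {detail}")
```

Run it against a project root or a CI cache directory; an empty result for "payload" is expected even on an affected install, so treat the "optdep" and "script" findings, cross-checked against the installed version numbers, as the primary signal.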
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating to patched versions of the affected @tanstack/* packages or pinning dependencies to pre-incident versions.
Alternatively, temporarily disabling lifecycle scripts can help prevent execution of malicious payloads during installation.
Users who installed the malicious versions should immediately rotate all accessible credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens.
It is also recommended to review cloud audit logs for any suspicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves the exfiltration of sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens through malicious packages. This unauthorized access and potential misuse of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.
Organizations affected by this vulnerability should immediately rotate all accessible credentials and review cloud audit logs to mitigate risks of data breaches and unauthorized access, which are critical for maintaining compliance with these standards.
Failure to address such a compromise promptly could result in non-compliance with regulatory requirements related to data security, breach notification, and risk management.