CVE-2026-45321
Analyzed Analyzed - Analysis Complete
Malicious Versions Published in TanStack Packages via OIDC Token Theft

Publication date: 2026-05-12

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes β€” a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process β€” to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-29
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-45321
EUVD
EUVD-2026-29352
Affected Vendors & Products
Showing 259 associated CPEs
Vendor Product Version / Range
mistral mistralai 2.4.6
mistral mistralai/mistralai 2.2.3
mistral mistralai/mistralai 2.2.4
mistral mistralai/mistralai-azure 1.7.2
mistral mistralai/mistralai-azure 1.7.3
mistral mistralai/mistralai-gcp 1.7.2
mistral mistralai/mistralai-gcp 1.7.3
antoinebcx ml-toolkit-ts 1.0.4
antoinebcx ml-toolkit-ts 1.0.5
antoinebcx ml-toolkit-ts/preprocessing 1.0.2
antoinebcx ml-toolkit-ts/preprocessing 1.0.3
antoinebcx ml-toolkit-ts/xgboost 1.0.3
antoinebcx ml-toolkit-ts/xgboost 1.0.4
beproduct beproduct/nestjs-auth 0.1.10
beproduct beproduct/nestjs-auth 0.1.11
beproduct beproduct/nestjs-auth 0.1.12
beproduct beproduct/nestjs-auth 0.1.13
beproduct beproduct/nestjs-auth 0.1.14
beproduct beproduct/nestjs-auth 0.1.15
beproduct beproduct/nestjs-auth 0.1.16
beproduct beproduct/nestjs-auth 0.1.17
beproduct beproduct/nestjs-auth 0.1.19
beproduct beproduct/nestjs-auth 0.1.2
beproduct beproduct/nestjs-auth 0.1.3
beproduct beproduct/nestjs-auth 0.1.4
beproduct beproduct/nestjs-auth 0.1.5
beproduct beproduct/nestjs-auth 0.1.6
beproduct beproduct/nestjs-auth 0.1.7
beproduct beproduct/nestjs-auth 0.1.8
beproduct beproduct/nestjs-auth 0.1.9
christianalares git-git-git 1.0.10
christianalares git-git-git 1.0.12
christianalares git-git-git 1.0.8
christianalares git-git-git 1.0.9
christianalares git_branch_selector 1.3.3
christianalares git_branch_selector 1.3.4
christianalares git_branch_selector 1.3.5
christianalares git_branch_selector 1.3.7
christianalares nextmove-mcp 0.1.3
christianalares nextmove-mcp 0.1.4
christianalares nextmove-mcp 0.1.5
christianalares nextmove-mcp 0.1.7
christianalares tolka/cli 1.0.2
christianalares tolka/cli 1.0.3
christianalares tolka/cli 1.0.4
christianalares tolka/cli 1.0.6
multiagentcognition cmux-agent-mcp 0.1.3
multiagentcognition cmux-agent-mcp 0.1.4
multiagentcognition cmux-agent-mcp 0.1.5
multiagentcognition cmux-agent-mcp 0.1.6
multiagentcognition cmux-agent-mcp 0.1.7
multiagentcognition cmux-agent-mcp 0.1.8
abhishake1 supersurkhet/cli 0.0.2
abhishake1 supersurkhet/cli 0.0.3
abhishake1 supersurkhet/cli 0.0.4
abhishake1 supersurkhet/cli 0.0.5
abhishake1 supersurkhet/cli 0.0.6
abhishake1 supersurkhet/cli 0.0.7
abhishake1 supersurkhet/sdk 0.0.2
abhishake1 supersurkhet/sdk 0.0.3
abhishake1 supersurkhet/sdk 0.0.4
abhishake1 supersurkhet/sdk 0.0.5
abhishake1 supersurkhet/sdk 0.0.6
abhishake1 supersurkhet/sdk 0.0.7
abhishake1 taskflow-corp/cli 0.1.24
abhishake1 taskflow-corp/cli 0.1.25
abhishake1 taskflow-corp/cli 0.1.26
abhishake1 taskflow-corp/cli 0.1.27
abhishake1 taskflow-corp/cli 0.1.28
abhishake1 taskflow-corp/cli 0.1.29
kilbot tallyui/components 1.0.1
kilbot tallyui/components 1.0.2
kilbot tallyui/components 1.0.3
kilbot tallyui/connector-medusa 1.0.1
kilbot tallyui/connector-medusa 1.0.2
kilbot tallyui/connector-medusa 1.0.3
kilbot tallyui/connector-shopify 1.0.1
kilbot tallyui/connector-shopify 1.0.2
kilbot tallyui/connector-shopify 1.0.3
kilbot tallyui/connector-vendure 1.0.1
kilbot tallyui/connector-vendure 1.0.2
kilbot tallyui/connector-vendure 1.0.3
kilbot tallyui/connector-woocommerce 1.0.1
kilbot tallyui/connector-woocommerce 1.0.2
kilbot tallyui/connector-woocommerce 1.0.3
kilbot tallyui/core 0.2.1
kilbot tallyui/core 0.2.2
kilbot tallyui/core 0.2.3
kilbot tallyui/database 1.0.1
kilbot tallyui/database 1.0.2
kilbot tallyui/database 1.0.3
kilbot tallyui/pos 0.1.1
kilbot tallyui/pos 0.1.2
kilbot tallyui/pos 0.1.3
kilbot tallyui/storage-sqlite 0.2.1
kilbot tallyui/storage-sqlite 0.2.2
kilbot tallyui/storage-sqlite 0.2.3
kilbot tallyui/theme 0.2.1
kilbot tallyui/theme 0.2.2
kilbot tallyui/theme 0.2.3
matheuspergoli draftauth/client 0.2.1
matheuspergoli draftauth/client 0.2.2
matheuspergoli draftauth/core 0.13.1
matheuspergoli draftauth/core 0.13.2
matheuspergoli draftlab/auth 0.24.1
matheuspergoli draftlab/auth 0.24.2
matheuspergoli draftlab/auth-router 0.5.1
matheuspergoli draftlab/auth-router 0.5.2
matheuspergoli draftlab/db 0.16.1
matheuspergoli draftlab/db 0.16.2
matheuspergoli simple_type-safe_actions 0.8.3
matheuspergoli simple_type-safe_actions 0.8.4
neilcochran cross-stitch 1.1.3
neilcochran cross-stitch 1.1.4
neilcochran cross-stitch 1.1.6
neilcochran squawk/airports 0.6.2
neilcochran squawk/airports 0.6.3
neilcochran squawk/airports 0.6.5
neilcochran squawk/airspace 0.8.1
neilcochran squawk/airspace 0.8.2
neilcochran squawk/airspace 0.8.4
neilcochran squawk/airspace-data 0.5.3
neilcochran squawk/airspace-data 0.5.4
neilcochran squawk/airspace-data 0.5.6
neilcochran squawk/airway-data 0.5.4
neilcochran squawk/airway-data 0.5.5
neilcochran squawk/airway-data 0.5.7
neilcochran squawk/airways 0.4.2
neilcochran squawk/airways 0.4.3
neilcochran squawk/airways 0.4.5
neilcochran squawk/fix-data 0.6.4
neilcochran squawk/fix-data 0.6.5
neilcochran squawk/fix-data 0.6.7
neilcochran squawk/fixes 0.3.2
neilcochran squawk/fixes 0.3.3
neilcochran squawk/fixes 0.3.5
neilcochran squawk/flight-math 0.5.4
neilcochran squawk/flight-math 0.5.5
neilcochran squawk/flight-math 0.5.7
neilcochran squawk/flightplan 0.5.2
neilcochran squawk/flightplan 0.5.3
neilcochran squawk/flightplan 0.5.5
neilcochran squawk/geo 0.4.4
neilcochran squawk/geo 0.4.5
neilcochran squawk/geo 0.4.7
neilcochran squawk/icao-registry 0.5.2
neilcochran squawk/icao-registry 0.5.3
neilcochran squawk/icao-registry 0.5.5
neilcochran squawk/icao-registry-data 0.8.4
neilcochran squawk/icao-registry-data 0.8.5
neilcochran squawk/icao-registry-data 0.8.7
neilcochran squawk/mcp 0.9.1
neilcochran squawk/mcp 0.9.2
neilcochran squawk/mcp 0.9.4
neilcochran squawk/navaid-data 0.6.4
neilcochran squawk/navaid-data 0.6.5
neilcochran squawk/navaid-data 0.6.7
neilcochran squawk/navaids 0.4.2
neilcochran squawk/navaids 0.4.3
neilcochran squawk/navaids 0.4.5
neilcochran squawk/notams 0.3.6
neilcochran squawk/notams 0.3.7
neilcochran squawk/notams 0.3.9
neilcochran squawk/procedure-data 0.7.3
neilcochran squawk/procedure-data 0.7.4
neilcochran squawk/procedure-data 0.7.6
neilcochran squawk/procedures 0.5.2
neilcochran squawk/procedures 0.5.3
neilcochran squawk/procedures 0.5.5
neilcochran squawk/types 0.8.1
neilcochran squawk/types 0.8.2
neilcochran squawk/types 0.8.4
neilcochran squawk/units 0.4.3
neilcochran squawk/units 0.4.4
neilcochran squawk/units 0.4.6
neilcochran squawk/weather 0.5.6
neilcochran squawk/weather 0.5.7
neilcochran squawk/weather 0.5.9
neilcochran ts-dna 3.0.1
neilcochran ts-dna 3.0.2
neilcochran ts-dna 3.0.4
neilcochran wot-api 0.8.1
neilcochran wot-api 0.8.2
neilcochran wot-api 0.8.4
agentworkhq agentwork-cli 0.1.4
agentworkhq agentwork-cli 0.1.5
dirigible dirigible-ai/sdk 0.6.2
dirigible dirigible-ai/sdk 0.6.3
guardrailsai guardrails_ai 0.10.1
linuxfoundation opensearch 3.6.2
mesa mesadev/rest 0.28.3
mesa mesadev/saguaro 0.4.22
mesa mesadev/sdk 0.28.3
uipath uipath/access-policy-sdk 0.3.1
uipath uipath/access-policy-tool 0.3.1
uipath uipath/admin-tool 0.1.1
uipath uipath/agent-sdk 1.0.2
uipath uipath/agent-tool 1.0.1
uipath uipath/agent.sdk 0.0.18
uipath uipath/aops-policy-tool 0.3.1
uipath uipath/ap-chat 1.5.7
uipath uipath/api-workflow-tool 1.0.1
uipath uipath/apollo-core 5.9.2
uipath uipath/apollo-react 4.24.5
uipath uipath/apollo-wind 2.16.2
uipath uipath/auth 1.0.1
uipath uipath/case-tool 1.0.1
uipath uipath/cli 1.0.1
uipath uipath/codedagent-tool 1.0.1
uipath uipath/codedagents-tool 0.1.12
uipath uipath/codedapp-tool 1.0.1
uipath uipath/common 1.0.1
uipath uipath/context-grounding-tool 0.1.1
uipath uipath/data-fabric-tool 1.0.2
uipath uipath/docsai-tool 1.0.1
uipath uipath/filesystem 1.0.1
uipath uipath/flow-tool 1.0.2
uipath uipath/functions-tool 1.0.1
uipath uipath/gov-tool 0.3.1
uipath uipath/identity-tool 0.1.1
uipath uipath/insights-sdk 1.0.1
uipath uipath/insights-tool 1.0.1
uipath uipath/integrationservice-sdk 1.0.2
uipath uipath/integrationservice-tool 1.0.2
uipath uipath/llmgw-tool 1.0.1
uipath uipath/maestro-sdk 1.0.1
uipath uipath/maestro-tool 1.0.1
uipath uipath/orchestrator-tool 1.0.1
uipath uipath/packager-tool-apiworkflow 0.0.19
uipath uipath/packager-tool-bpmn 0.0.9
uipath uipath/packager-tool-case 0.0.9
uipath uipath/packager-tool-connector 0.0.19
uipath uipath/packager-tool-flow 0.0.19
uipath uipath/packager-tool-functions 0.1.1
uipath uipath/packager-tool-webapp 1.0.6
uipath uipath/packager-tool-workflowcompiler 0.0.16
uipath uipath/packager-tool-workflowcompiler-browser 0.0.34
uipath uipath/platform-tool 1.0.1
uipath uipath/project-packager 1.1.16
uipath uipath/resource-tool 1.0.1
uipath uipath/resourcecatalog-tool 0.1.1
uipath uipath/resources-tool 0.1.11
uipath uipath/robot 1.3.4
uipath uipath/rpa-legacy-tool 1.0.1
uipath uipath/rpa-tool 0.9.5
uipath uipath/solution-packager 0.0.35
uipath uipath/solution-tool 1.0.1
uipath uipath/solutionpackager-sdk 1.0.11
uipath uipath/solutionpackager-tool-core 0.0.34
uipath uipath/tasks-tool 1.0.1
uipath uipath/telemetry 0.0.7
uipath uipath/test-manager-tool 1.0.2
uipath uipath/tool-workflowcompiler 0.0.12
uipath uipath/traces-tool 1.0.1
uipath uipath/ui-widgets-multi-file-upload 1.0.1
uipath uipath/uipath-python-bridge 1.0.1
uipath uipath/vertical-solutions-tool 1.0.1
uipath uipath/vss 0.1.6
uipath uipath/widget.sdk 1.2.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-506 The product contains code that appears to be malicious in nature.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45321 is a critical security incident where 42 malicious versions across multiple @tanstack/* npm packages were published on May 11, 2026, within a short time frame.

The attacker exploited a chain of three known vulnerabilities: a GitHub Actions "Pwn Request" misconfiguration, cache poisoning across fork and base repository trust boundaries, and runtime memory extraction of OIDC tokens from the Actions runner process.

Using these exploits, the attacker published credential-stealing malware under a trusted identity without modifying the publish workflow itself.

The malicious packages exfiltrate sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens to a Session/Oxen messenger network.

The attack uses an undeclared payload file named router_init.js, which executes during installation but leaves no trace in node_modules due to a deliberate failure in optional dependency installation.

Impact Analysis

This vulnerability can have severe impacts including the theft of sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens.

Compromised credentials can lead to unauthorized access to cloud resources, code repositories, and package publishing capabilities.

Users who installed the affected malicious versions risk having their credentials exfiltrated and should immediately rotate all accessible credentials and review cloud audit logs.

The CVSS score of 9.6 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Detection Guidance

Detection involves inspecting package manifests for a specific optionalDependencies entry and checking for the presence of the malicious payload file named router_init.js.

The malicious payload file router_init.js is executed during installation but leaves no trace in node_modules due to a deliberate failure in the optional dependency installation process.

Users should look for the optionalDependencies entry in package.json files of @tanstack/* packages and verify if router_init.js exists or was executed.

  • Check package.json files for unexpected optionalDependencies entries related to the malicious versions.
  • Search your project directories for the presence of router_init.js using commands like: find . -name router_init.js
  • Review installation logs or scripts for execution of router_init.js or related lifecycle scripts.
Mitigation Strategies

Immediate mitigation steps include updating to patched versions of the affected @tanstack/* packages or pinning dependencies to pre-incident versions.

Alternatively, temporarily disabling lifecycle scripts can help prevent execution of malicious payloads during installation.

Users who installed the malicious versions should immediately rotate all accessible credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens.

It is also recommended to review cloud audit logs for any suspicious activity.

Compliance Impact

The vulnerability involves the exfiltration of sensitive credentials such as cloud provider tokens, GitHub tokens, SSH keys, and npm tokens through malicious packages. This unauthorized access and potential misuse of sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Organizations affected by this vulnerability should immediately rotate all accessible credentials and review cloud audit logs to mitigate risks of data breaches and unauthorized access, which are critical for maintaining compliance with these standards.

Failure to address such a compromise promptly could result in non-compliance with regulatory requirements related to data security, breach notification, and risk management.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45321. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart