SB2026052945 - Embedded malicious code in 42 Tanstack packages
Published: May 29, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Embedded malicious code (CVE-ID: CVE-2026-45321)
CWE-ID: CWE-506 - Embedded Malicious Code
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
The vulnerability allows a remote attacker to disclose sensitive information and execute malicious code in the install environment.
The vulnerability exists due to the presence of malicious code in compromised packages in the vendor's repository. The incident occurred on May 11, 2026, between approximately 19:20 and 19:26 UTC, when attackers published 84 malicious versions across 42 @tanstack/* packages to the npm registry.
The malicious payload runs during npm, pnpm, or yarn installation, harvests cloud credentials, GitHub tokens, npm tokens, Kubernetes service-account tokens, Vault tokens, and SSH private keys, and exfiltrates the collected data over the Session/Oxen file-upload network.
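Because the bulletin names only the publish window and the install-time trigger, the most reliable triage signal for an affected project is whether any installed @tanstack/* version was published inside that window, backed by whether the lockfile records an install lifecycle script for it. The script below is an added example, not code from the bulletin or the TanStack project: it reads the `packages` map of a package-lock.json (lockfile v2/v3 layout, including the real `hasInstallScript` field) and compares each @tanstack/* version against the `time` map that the npm registry returns for a package. The package names, lockfile and registry timestamps are constructed sample data; in practice the `time` map would come from a live registry lookup.

```python
"""Triage helper: flag @tanstack/* lockfile entries whose publish time falls
inside the compromise window stated in the bulletin (May 11, 2026,
19:20-19:26 UTC) or that carry an install lifecycle script.

Added example. The lockfile and registry data below are constructed samples;
the package names are placeholders, not real TanStack packages.
"""
from datetime import datetime, timedelta, timezone

# Window from the bulletin. Times are given to the minute, so pad by one minute.
WINDOW_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, 19, 26, tzinfo=timezone.utc)
SLACK = timedelta(minutes=1)

# Constructed sample of a package-lock.json (lockfileVersion 3) "packages" map.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@tanstack/example-pkg": {"version": "9.9.9", "hasInstallScript": True},
        "node_modules/@tanstack/other-pkg": {"version": "1.2.3"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
}

# Constructed sample of the "time" map the npm registry returns per package
# (version -> ISO 8601 publish timestamp). A real lookup would fetch
# https://registry.npmjs.org/<name> and read its "time" field.
SAMPLE_REGISTRY_TIME = {
    "@tanstack/example-pkg": {
        "9.9.8": "2026-04-30T10:00:00.000Z",
        "9.9.9": "2026-05-11T19:22:41.000Z",  # inside the window
    },
    "@tanstack/other-pkg": {"1.2.3": "2026-03-02T08:15:00.000Z"},
}


def parse_npm_time(ts):
    """Parse a registry timestamp such as '2026-05-11T19:22:41.000Z' to an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def tanstack_packages(lock):
    """Yield (name, version, hasInstallScript) for every @tanstack/* entry in the lockfile."""
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry, not a dependency
        # Nested installs look like node_modules/a/node_modules/@tanstack/b; keep the last segment.
        name = path.split("node_modules/")[-1]
        if name.startswith("@tanstack/") and "version" in meta:
            yield name, meta["version"], bool(meta.get("hasInstallScript", False))


def in_window(published):
    """True if the publish timestamp lies inside the padded compromise window."""
    when = parse_npm_time(published)
    return WINDOW_START - SLACK <= when <= WINDOW_END + SLACK


def flag_suspect_versions(lock, registry_time):
    """Return a list of {name, version, reasons} for @tanstack/* entries worth investigating."""
    suspects = []
    for name, version, has_install_script in tanstack_packages(lock):
        reasons = []
        published = registry_time.get(name, {}).get(version)
        if published is None:
            reasons.append("no publish time available; verify against the registry")
        elif in_window(published):
            reasons.append(f"published {published}, inside the compromise window")
        if has_install_script:
            # The bulletin states the payload runs at install time, so an install
            # lifecycle script on an installed version is a secondary signal.
            reasons.append("lockfile records an install lifecycle script")
        if reasons:
            suspects.append({"name": name, "version": version, "reasons": reasons})
    return suspects


if __name__ == "__main__":
    for hit in flag_suspect_versions(SAMPLE_LOCK, SAMPLE_REGISTRY_TIME):
        print(f"{hit['name']}@{hit['version']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

For a real project, replace `SAMPLE_LOCK` with the parsed package-lock.json and fill the `time` map from the registry document for each @tanstack/* name. Since the payload executes through install lifecycle scripts, setting `ignore-scripts=true` in `.npmrc` (or passing `--ignore-scripts`) in CI stops that class of payload from running at install time, at the cost of breaking dependencies that legitimately need build steps.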
Remediation
Install the update from the vendor's website.