Embedded malicious code in TanStack products - CVE-2026-45321

Published: May 29, 2026


Vulnerability identifier: #VU132780
CSH Severity: Critical
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red
CVE-ID: CVE-2026-45321
CWE-ID: CWE-506
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: TanStack
Affected software:
arktype-adapter
eslint-plugin-router
eslint-plugin-start
history
nitro-v2-vite-plugin
react-router
react-router-devtools
react-router-ssr-query
react-start
react-start-client
react-start-rsc
react-start-server
router-cli
router-core
router-devtools
router-devtools-core
router-generator
router-plugin
router-ssr-query-core
router-utils
router-vite-plugin
solid-router
solid-router-devtools
solid-router-ssr-query
solid-start
solid-start-client
solid-start-server
start-client-core
start-fn-stubs
start-plugin-core
start-server-core
start-static-server-functions
start-storage-context
valibot-adapter
virtual-file-routes
vue-router
vue-router-devtools
vue-router-ssr-query
vue-start
vue-start-client
vue-start-server
zod-adapter

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and execute malicious code in the install environment.

The vulnerability exists due to the presence of malicious code in compromised packages in the vendor's repository. The incident occurred on May 11, 2026 between approximately 19:20 and 19:26 UTC. Attackers published 84 malicious versions across 42 @tanstack/* packages to the npm registry.

The malicious payload runs during npm, pnpm, or yarn installation, harvests cloud credentials, GitHub tokens, npm tokens, Kubernetes service-account tokens, Vault tokens, and SSH private keys, and exfiltrates the collected data over the Session/Oxen file-upload network.


How to mitigate CVE-2026-45321

Install the security update from the vendor's website.

Sources