CRITICAL🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2026-45321

CVSS 9.6v3.1pub. 2026-05-12upd. 2026-05-29

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Antoinebcx Ml Toolkit Ts

    APP
    Antoinebcx
    1.0.41.0.5
  • Antoinebcx Ml Toolkit Ts\/preprocessing

    APP
    Antoinebcx
    1.0.21.0.3
  • Antoinebcx Ml Toolkit Ts\/xgboost

    APP
    Antoinebcx
    1.0.31.0.4
  • Beproduct Beproduct\/nestjs Auth

    APP
    Beproduct
    0.1.20.1.30.1.4
  • Mistral Mistralai

    APP
    Mistral
    2.4.6
  • Mistral Mistralai\/mistralai

    APP
    Mistral
    2.2.32.2.4
  • Mistral Mistralai\/mistralai Azure

    APP
    Mistral
    1.7.21.7.3
  • Mistral Mistralai\/mistralai Gcp

    APP
    Mistral
    1.7.21.7.3
  • Tanstack Tanstack\/arktype Adapter

    APP
    Tanstack
    1.166.121.166.15
  • Tanstack Tanstack\/eslint Plugin Router

    APP
    Tanstack
    1.161.121.161.9
  • Tanstack Tanstack\/eslint Plugin Start

    APP
    Tanstack
    0.0.40.0.7
  • Tanstack Tanstack\/history

    APP
    Tanstack
    1.161.121.161.9
  • Tanstack Tanstack\/nitro V2 Vite Plugin

    APP
    Tanstack
    1.154.121.154.15
  • Tanstack Tanstack\/react Router

    APP
    Tanstack
    1.169.51.169.8
  • Tanstack Tanstack\/react Router Devtools

    APP
    Tanstack
    1.166.161.166.19
  • Tanstack Tanstack\/react Router Ssr Query

    APP
    Tanstack
    1.166.151.166.18
  • Tanstack Tanstack\/react Start

    APP
    Tanstack
    1.167.681.167.71
  • Tanstack Tanstack\/react Start Client

    APP
    Tanstack
    1.166.511.166.54
  • Tanstack Tanstack\/react Start Rsc

    APP
    Tanstack
    0.0.470.0.50
  • Tanstack Tanstack\/react Start Server

    APP
    Tanstack
    1.166.551.166.58
  • Tanstack Tanstack\/router Cli

    APP
    Tanstack
    1.166.461.166.49
  • Tanstack Tanstack\/router Core

    APP
    Tanstack
    1.169.51.169.8
  • Tanstack Tanstack\/router Devtools

    APP
    Tanstack
    1.166.161.166.19
  • Tanstack Tanstack\/router Devtools Core

    APP
    Tanstack
    1.167.61.167.9
  • Tanstack Tanstack\/router Generator

    APP
    Tanstack
    1.166.451.166.48
  • Tanstack Tanstack\/router Plugin

    APP
    Tanstack
    1.167.381.167.41
  • Tanstack Tanstack\/router Ssr Query Core

    APP
    Tanstack
    1.168.31.168.6
  • Tanstack Tanstack\/router Utils

    APP
    Tanstack
    1.161.111.161.14
  • Tanstack Tanstack\/router Vite Plugin

    APP
    Tanstack
    1.166.531.166.56
  • Tanstack Tanstack\/solid Router

    APP
    Tanstack
    1.169.51.169.8

CISA KEV — detailsi

Vendori
TanStack
Producti
TanStack
Added to KEVi
May 27, 2026
Remediation deadline (US Federal)i
June 10, 2026(overdue)
Ransomwarei
Active ransomware campaigns exploit this vulnerability
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
☠️WYKORZYSTYWANE W RANSOMWARECISA DEADLINE: 10 czerwca 2026
Tags
CI/CD
CWE
References

Related vulnerabilities

CVE-2024-24558HIGH8.2ten sam vendor

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. ...