CVE-2026-45321
KEVAtak na pakiety @tanstack/* w npm umożliwia publikację złośliwego oprogramowania pod zaufaną tożsamością.
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 9.6 |
| CISA KEV (aktywnie wykorzystywane) | Tak |
| FIRST EPSS (prawdopodobieństwo exploita) | 17.1% |
| Opublikowano (NVD) | 2026-05-12 01:16:46 UTC |
| Ostatnia modyfikacja (NVD) | 2026-05-29 19:41:37 UTC |
- https://github.com/TanStack/router/issues/7383 (security-advisories@github.com) [Issue Tracking]
- https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx (security-advisories@github.com) [Mitigation, Vendor Advisory]
- https://tanstack.com/blog/npm-supply-chain-compromise-postmortem (security-advisories@github.com) [Exploit, Vendor Advisory]
- https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem (security-advisories@github.com) [Exploit, Third Party Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321 (134c704f-9b21-4f2e-91b3-4a467353bcc0) [US Government Resource]