TanStack npm packages leak credentials (CVE-2026-45321) [PoC]

Actively exploited in the wild - CVE-2026-45321 is a critical supply-chain attack against 42 @tanstack/* npm packages that allowed attackers to publish credential-stealing malware under a trusted OIDC identity. Rotate any secrets or tokens exposed to the malicious package versions (2 per package, published May 11, 2026 between 19:20-19:26 UTC).

Overview

CVE-2026-45321 describes a chain attack that compromised the TanStack/npm publishing pipeline. Between 19:20 and 19:26 UTC on May 11, 2026, an attacker used three known vulnerability classes to publish 84 malicious package versions across 42 @tanstack/* npm repositories. Each affected package received exactly two malicious versions, published minutes apart.

The attacker chained:

1. A pull_request_target “Pwn Request” misconfiguration in the GitHub Actions workflow
2. GitHub Actions cache poisoning, crossing the fork-to-base trust boundary
3. Runtime memory extraction of the OIDC token from the GitHub Actions runner process

This allowed authentication via the legitimate Trusted Publisher binding for TanStack/router, without modifying the publish workflow itself. The attacker published credential-stealing malware directly to npm under a trusted identity.

Impact

Systems that installed any of the 84 malicious @tanstack/* package versions between May 11 and detection are compromised. The malware extracts credentials from the host environment - including cloud provider tokens, API keys, and CI/CD secrets - and exfiltrates them to the attacker’s infrastructure. Any workstation, build server, or production host that ran npm install on these versions should be treated as fully compromised.

CVSS 9.6 (CRITICAL) with an Attack Vector of NETWORK, Attack Complexity of LOW, and no privileges required. User interaction (installing the package) is required.

Remediation and Mitigation

1. Immediately rotate all secrets exposed on any host that installed the malicious packages. This includes cloud provider access keys, GitHub tokens, npm tokens, database credentials, and TLS private keys.
2. Audit npm install logs for any @tanstack/* package version installed between 19:20 and 19:26 UTC on May 11, 2026. The two malicious versions per package are identifiable by their timestamps.
3. Rebuild all systems that ran affected package versions from a clean base, as the malware may have established persistence mechanisms.
4. Pin all @tanstack/ dependencies* to known-good versions and enable npm audit signatures.

CISA KEV inclusion confirms active exploitation - treat this as a zero-trust boundary event.

Security Insight

This attack demonstrates that OIDC-based tokenless authentication alone does not prevent supply-chain compromise; the trust chain is only as strong as the CI/CD pipeline’s weakest authorization check. The pull_request_target misconfiguration is a recurring vulnerability class - a similar technique was used in the GlassWorm attack. Organizations should audit all GitHub Actions workflows for pull_request_target triggers and treat any CI/CD pipeline that can publish artifacts as a critical security boundary requiring strict workflow review and secret-scope isolation.

Further Reading

• GlassWorm Attack Uses Stolen GitHub Tokens to
• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs