CVE-2026-45321: Tanstack arktype-adapter Auth Bypass Flaw

CVE-2026-45321 Overview

CVE-2026-45321 documents a coordinated supply chain compromise of the TanStack npm organization. On 2026-05-11, between approximately 19:20 and 19:26 UTC, attackers published 84 malicious versions across 42 @tanstack/* packages. Each affected package received exactly two malicious versions, published a few minutes apart. The publishes were authenticated through the legitimate GitHub Actions OpenID Connect (OIDC) trusted-publisher binding for TanStack/router, so the artifacts carried a trusted identity despite originating from attacker-controlled code paths. The published payloads contained credential-stealing malware [CWE-506].

Critical Impact

Malicious versions of widely used @tanstack/* packages were signed under TanStack's legitimate npm trusted-publisher identity, allowing credential theft to propagate through downstream build pipelines and developer workstations.

Affected Products

• @tanstack/react-router, @tanstack/router-core, @tanstack/router-cli, @tanstack/router-plugin, @tanstack/router-vite-plugin, @tanstack/router-devtools, @tanstack/router-generator, @tanstack/router-utils
• @tanstack/react-start, @tanstack/solid-start, @tanstack/vue-start and their *-client, *-server, start-plugin-core, start-server-core, start-client-core variants
• @tanstack/solid-router, @tanstack/vue-router, related *-devtools and *-ssr-query packages, plus adapters @tanstack/zod-adapter, @tanstack/valibot-adapter, @tanstack/arktype-adapter

Discovery Timeline

• 2026-05-11 - 84 malicious versions published to npm between 19:20 and 19:26 UTC
• 2026-05-12 - CVE-2026-45321 published to NVD
• 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-45321

Vulnerability Analysis

The attacker chained three known vulnerability classes to publish credential-stealing malware under a trusted identity. The publish workflow itself was not modified. Instead, the attacker abused trust boundaries surrounding GitHub Actions and the npm trusted-publisher OIDC binding configured for the TanStack/router repository.

First, a pull_request_target "Pwn Request" misconfiguration allowed attacker-controlled code from a fork pull request to execute in a workflow context that held access to repository secrets and elevated permissions. Second, GitHub Actions cache poisoning was used across the fork↔base trust boundary, letting attacker-controlled artifacts be retrieved by privileged jobs running on behalf of the base repository. Third, runtime memory extraction of the OIDC token was performed from the Actions runner process, capturing the short-lived token used to authenticate to npm. Because npm's trusted-publisher feature accepts that OIDC token as proof of identity, the attacker could publish under the TanStack organization without possessing any long-lived publishing credential.

Root Cause

The root cause is the combination of an overly permissive pull_request_target trigger, a shared cache between untrusted (fork) and trusted (base) execution contexts, and the absence of in-process protections preventing extraction of the OIDC token from the runner. Any single control failure would have been bounded; chained together, they collapsed the boundary between an unprivileged pull request and the publishing identity.

Attack Vector

The attack requires no privileges on the target repository and is delivered over the network through a fork pull request. The attacker submits a crafted contribution that influences pull_request_target execution and poisons the Actions cache. A subsequent privileged workflow on the base branch consumes the poisoned cache, at which point in-memory inspection of the runner recovers the OIDC token. The token is then used directly against the npm registry's trusted-publisher endpoint to push malicious versions of every package configured under the binding.

No synthetic exploit code is reproduced here. Refer to the GitHub Security Advisory GHSA-g7cv-rxg3-hmpx and the TanStack postmortem for the authoritative technical narrative.

Detection Methods for CVE-2026-45321

Indicators of Compromise

• Installation of any @tanstack/* version listed in the affected CPE set, including @tanstack/react-router1.169.5 and 1.169.8, @tanstack/router-core1.169.5 and 1.169.8, and @tanstack/start-plugin-core1.169.23 and 1.169.26.
• npm install or node child processes spawning outbound connections to non-registry hosts shortly after dependency resolution.
• Lockfile entries (package-lock.json, pnpm-lock.yaml, yarn.lock) updated on or after 2026-05-11 19:20 UTC that pin to the malicious versions enumerated in the advisory.

Detection Strategies

• Run software composition analysis (SCA) against all repositories and build artifacts, alerting on the specific malicious version strings published between 19:20 and 19:26 UTC on 2026-05-11.
• Monitor CI runners and developer endpoints for postinstall script execution that reads environment variables, ~/.npmrc, ~/.aws/credentials, browser storage, or shell history.
• Audit GitHub Actions workflows for pull_request_target usage combined with checkout of github.event.pull_request.head.sha, and flag cache restores that cross fork↔base boundaries.

Monitoring Recommendations

• Capture and retain process, file, and network telemetry from developer workstations and CI runners that resolved @tanstack/* dependencies on or after 2026-05-11.
• Centralize npm audit logs and trusted-publisher activity for high-impact organizations, alerting on unexpected publish events outside maintainer working hours.
• Track outbound traffic from build infrastructure to credential-staging domains and any newly registered domains observed in npm postinstall scripts.

How to Mitigate CVE-2026-45321

Immediate Actions Required

• Pin @tanstack/* dependencies to versions published before 2026-05-11 19:20 UTC or to fixed versions identified in the TanStack advisory, then rebuild and redeploy.
• Rotate all secrets that were present on developer workstations or in CI environments that resolved a malicious version, including npm tokens, cloud provider keys, and Git credentials.
• Invalidate and rebuild any container images, Lambda packages, or static bundles produced from compromised builds.

Patch Information

TanStack republished clean versions of every affected package and revoked the malicious releases. Consult the GitHub Security Advisory GHSA-g7cv-rxg3-hmpx and the TanStack postmortem for the authoritative list of fixed versions and remediation steps. Additional context on the broader campaign is documented in the Step Security analysis and GitHub Issue #7383.

Workarounds

• Disable pull_request_target in workflows that check out untrusted code, or split workflows so privileged steps never execute fork-controlled content.
• Scope GitHub Actions cache keys to exclude untrusted inputs and forbid cache restoration across the fork↔base trust boundary.
• Require manual approval for first-time contributor workflow runs and constrain GITHUB_TOKEN permissions to read by default.
• Where supported, use --ignore-scripts during dependency installation in CI to suppress postinstall execution from untrusted packages.