Stateward All advisories →
critical
exploited in the wild
CVE-2026-45321
npm · @tanstack/arktype-adapter • npm · @tanstack/eslint-plugin-router • npm · @tanstack/eslint-plugin-start • npm · @tanstack/history • npm · @tanstack/nitro-v2-vite-plugin • npm · @tanstack/react-router • npm · @tanstack/react-router-devtools • npm · @tanstack/react-router-ssr-query • npm · @tanstack/react-start • npm · @tanstack/react-start-client • npm · @tanstack/react-start-rsc • npm · @tanstack/react-start-server • npm · @tanstack/router-cli • npm · @tanstack/router-core • npm · @tanstack/router-devtools • npm · @tanstack/router-devtools-core • npm · @tanstack/router-generator • npm · @tanstack/router-plugin • npm · @tanstack/router-ssr-query-core • npm · @tanstack/router-utils • npm · @tanstack/router-vite-plugin • npm · @tanstack/solid-router • npm · @tanstack/solid-router-devtools • npm · @tanstack/solid-router-ssr-query • npm · @tanstack/solid-start • npm · @tanstack/solid-start-client • npm · @tanstack/solid-start-server • npm · @tanstack/start-client-core • npm · @tanstack/start-fn-stubs • npm · @tanstack/start-plugin-core • npm · @tanstack/start-server-core • npm · @tanstack/start-static-server-functions • npm · @tanstack/start-storage-context • npm · @tanstack/valibot-adapter • npm · @tanstack/virtual-file-routes • npm · @tanstack/vue-router • npm · @tanstack/vue-router-devtools • npm · @tanstack/vue-router-ssr-query • npm · @tanstack/vue-start • npm · @tanstack/vue-start-client • npm · @tanstack/vue-start-server • npm · @tanstack/zod-adapter
Summary Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Severity critical EPSS 1.6% (p73) Also known as GHSA-g7cv-rxg3-hmpx#@tanstack/arktype-adapter, GHSA-g7cv-rxg3-hmpx#@tanstack/eslint-plugin-router, GHSA-g7cv-rxg3-hmpx#@tanstack/eslint-plugin-start, GHSA-g7cv-rxg3-hmpx#@tanstack/history, GHSA-g7cv-rxg3-hmpx#@tanstack/nitro-v2-vite-plugin, GHSA-g7cv-rxg3-hmpx#@tanstack/react-router, GHSA-g7cv-rxg3-hmpx#@tanstack/react-router-devtools, GHSA-g7cv-rxg3-hmpx#@tanstack/react-router-ssr-query, GHSA-g7cv-rxg3-hmpx#@tanstack/react-start, GHSA-g7cv-rxg3-hmpx#@tanstack/react-start-client, GHSA-g7cv-rxg3-hmpx#@tanstack/react-start-rsc, GHSA-g7cv-rxg3-hmpx#@tanstack/react-start-server, GHSA-g7cv-rxg3-hmpx#@tanstack/router-cli, GHSA-g7cv-rxg3-hmpx#@tanstack/router-core, GHSA-g7cv-rxg3-hmpx#@tanstack/router-devtools, GHSA-g7cv-rxg3-hmpx#@tanstack/router-devtools-core, GHSA-g7cv-rxg3-hmpx#@tanstack/router-generator, GHSA-g7cv-rxg3-hmpx#@tanstack/router-plugin, GHSA-g7cv-rxg3-hmpx#@tanstack/router-ssr-query-core, GHSA-g7cv-rxg3-hmpx#@tanstack/router-utils, GHSA-g7cv-rxg3-hmpx#@tanstack/router-vite-plugin, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-router, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-router-devtools, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-router-ssr-query, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-start, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-start-client, GHSA-g7cv-rxg3-hmpx#@tanstack/solid-start-server, GHSA-g7cv-rxg3-hmpx#@tanstack/start-client-core, GHSA-g7cv-rxg3-hmpx#@tanstack/start-fn-stubs, GHSA-g7cv-rxg3-hmpx#@tanstack/start-plugin-core, GHSA-g7cv-rxg3-hmpx#@tanstack/start-server-core, GHSA-g7cv-rxg3-hmpx#@tanstack/start-static-server-functions, GHSA-g7cv-rxg3-hmpx#@tanstack/start-storage-context, GHSA-g7cv-rxg3-hmpx#@tanstack/valibot-adapter, GHSA-g7cv-rxg3-hmpx#@tanstack/virtual-file-routes, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-router, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-router-devtools, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-router-ssr-query, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-start, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-start-client, GHSA-g7cv-rxg3-hmpx#@tanstack/vue-start-server, GHSA-g7cv-rxg3-hmpx#@tanstack/zod-adapter Published 2026-05-12 Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.
Check my repo