[CIVN-2026-0296] Supply Chain Attack on @tanstack/* Packages
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Supply Chain Attack on @tanstack/* Packages
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Multiple @tanstack/* packages (42 packages affected)
@tanstack/arktype-adapter – 1.166.12, 1.166.15
@tanstack/eslint-plugin-router – 1.161.9, 1.161.12
@tanstack/eslint-plugin-start – 0.0.4, 0.0.7
@tanstack/history – 1.161.9, 1.161.12
@tanstack/nitro-v2-vite-plugin – 1.154.12, 1.154.15
@tanstack/react-router – 1.169.5, 1.169.8
@tanstack/react-router-devtools – 1.166.16, 1.166.19
@tanstack/react-router-ssr-query – 1.166.15, 1.166.18
@tanstack/react-start – 1.167.68, 1.167.71
@tanstack/react-start-client – 1.166.51, 1.166.54
@tanstack/react-start-rsc – 0.0.47, 0.0.50
@tanstack/react-start-server – 1.166.55, 1.166.58
For the complete list of affected packages and versions, refer to the URL:
https://www.cve.org/CVERecord?id=CVE-2026-45321
Overview
A vulnerability has been reported affecting multiple @tanstack/* packages: an attacker was able to publish malicious versions of the packages to the npm registry. The malicious versions could be used to obtain sensitive information from the targeted systems.
Target Audience:
Organizations, developers, and individuals using affected @tanstack/* packages from the npm registry.
Risk Assessment:
Critical risk of information disclosure and credential compromise.
Impact Assessment:
Exposure of sensitive credentials and unauthorized access to affected environments.
Description
TanStack provides open-source libraries for building modern web applications.
Multiple vulnerabilities were utilised by an attacker to cause a supply chain compromise affecting multiple @tanstack/* packages. Attackers were able to publish malicious package versions containing credential-stealing code.
Successful exploitation of the malicious packages could allow attackers to obtain sensitive information on the targeted system.
Solution
Upgrade to the latest packages, remove any compromised versions, and rotate all potentially exposed credentials.
https://www.cve.org/CVERecord?id=CVE-2026-45321
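To support the "remove any compromised versions" step above, the following Node.js script checks an npm lockfile against the affected package versions printed in the Software Affected list. It is an added example written for this advisory, not code from CERT-In or TanStack; it encodes only the twelve package/version pairs listed above (the complete list is in the CVE record), and the sample lockfile embedded in it is constructed for illustration.

```javascript
// Added example (not CERT-In's or TanStack's code): scan an npm lockfile for the
// affected @tanstack/* versions listed in this advisory.
// Usage: node check-tanstack.js [path/to/package-lock.json]
// Without an argument it scans the constructed SAMPLE_LOCK below.

// Affected package -> versions, transcribed from the "Software Affected" list.
// Only the versions printed in the advisory are included here; the full list is
// in the CVE record (https://www.cve.org/CVERecord?id=CVE-2026-45321).
const AFFECTED = {
  "@tanstack/arktype-adapter": ["1.166.12", "1.166.15"],
  "@tanstack/eslint-plugin-router": ["1.161.9", "1.161.12"],
  "@tanstack/eslint-plugin-start": ["0.0.4", "0.0.7"],
  "@tanstack/history": ["1.161.9", "1.161.12"],
  "@tanstack/nitro-v2-vite-plugin": ["1.154.12", "1.154.15"],
  "@tanstack/react-router": ["1.169.5", "1.169.8"],
  "@tanstack/react-router-devtools": ["1.166.16", "1.166.19"],
  "@tanstack/react-router-ssr-query": ["1.166.15", "1.166.18"],
  "@tanstack/react-start": ["1.167.68", "1.167.71"],
  "@tanstack/react-start-client": ["1.166.51", "1.166.54"],
  "@tanstack/react-start-rsc": ["0.0.47", "0.0.50"],
  "@tanstack/react-start-server": ["1.166.55", "1.166.58"],
};

// Walk a lockfileVersion 1 "dependencies" tree (nested per package).
function* walkV1(deps) {
  for (const [name, entry] of Object.entries(deps)) {
    if (entry.version) yield { name, version: entry.version };
    if (entry.dependencies) yield* walkV1(entry.dependencies);
  }
}

// Yield { name, version } for every installed package in a parsed lockfile.
// lockfileVersion 2/3 lists packages under "packages" keyed by their
// node_modules path; lockfileVersion 1 (and v2 for compatibility) nests them
// under "dependencies". Both shapes are handled.
function* installedPackages(lock) {
  const PREFIX = "node_modules/";
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry.version) continue; // "" is the root project
      // The package name is everything after the last "node_modules/", which
      // keeps the @scope prefix; aliased packages carry an explicit "name".
      const name = entry.name || path.slice(path.lastIndexOf(PREFIX) + PREFIX.length);
      yield { name, version: entry.version };
    }
  }
  if (lock.dependencies) yield* walkV1(lock.dependencies);
}

// Return the distinct affected { name, version } pairs present in the lockfile.
function findAffected(lock, affected = AFFECTED) {
  const hits = [];
  const seen = new Set();
  for (const { name, version } of installedPackages(lock)) {
    const key = `${name}@${version}`;
    if (affected[name] && affected[name].includes(version) && !seen.has(key)) {
      seen.add(key);
      hits.push({ name, version });
    }
  }
  return hits;
}

// Constructed sample lockfile (lockfileVersion 3): two affected versions, one
// unaffected @tanstack/history version and one unrelated package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/@tanstack/react-router": { version: "1.169.8" },
    "node_modules/@tanstack/history": { version: "1.161.10" },
    "node_modules/@tanstack/react-start": { version: "1.167.71" },
    "node_modules/react": { version: "19.0.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  const hits = findAffected(lock);
  for (const h of hits) console.log(`AFFECTED: ${h.name}@${h.version}`);
  console.log(hits.length ? `${hits.length} affected package(s) found` : "no affected versions found");
  process.exitCode = hits.length ? 1 : 0; // non-zero exit lets CI fail the build
}

if (typeof module !== "undefined") module.exports = { AFFECTED, findAffected, SAMPLE_LOCK };
```

The script exits non-zero when a match is found so it can gate a CI pipeline; because it reads the lockfile rather than `node_modules`, it also catches affected versions pinned for a future install. A match means the install should be cleaned, the package upgraded to a current version, and credentials that were available to that build or runtime environment rotated, as the Solution section states.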
Vendor Information
https://tanstack.com/
https://github.com/TanStack/router/security/advisories/
References
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
CVE Name
CVE-2026-45321
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----