Ctrl + K
/ news / CVE
CVEPublished 2026-05-12Modified 2026-05-291 article on news6 live referencesNVD data

CVE-2026-45321Tanstack · Tanstack\/arktype-adapter

Vulnerability data via NVD (ingested)

CVSS v3.1
9.6
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS percentile
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Timeline
Published 2026-05-12
Modified 2026-05-29

External references

NVDMITREExploit-DBGitHub PoCSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-45321
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product + version
product:"Tanstack Tanstack\/arktype-adapter" version:"1.166.12"
Version-pinned fingerprint from NVD's first vulnerable CPE.
Shodan · banner/body mention
http.html:"Tanstack\/arktype-adapter"
HTTP body or banner mentions "Tanstack\/arktype-adapter" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-45321
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-45321
Censys host search filtered to this CVE id.
grep.app
CVE-2026-45321
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-45321
GitHub code search for direct mentions.
Google dork
"CVE-2026-45321" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub (8)

CVE-2026-453218 repos
nomi-sec/PoC-in-GitHubunknown
📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
★ 7,813·updated today
DarkFunct/TK-CVE-RepoPython
TK-CVE-Repo
★ 51·updated 1d ago
nisten/shaiscanShell
vulnerability scanner for the shai-hulud worm, single sh script, deep fast scanning with ripgrep on linux and mac
★ 20·updated 3w ago
douglasmun/Douglas-Guidebookunknown
The Kubernetes Guidebook - Mastering Cloud-Native Orchestration From Fundamentals to Production
★ 19·updated 2w ago
Drasrax/npm-shai-hulud-scannerPython
Comprehensive detection tool for NPM supply chain attacks, specifically designed to identify and prevent the Shai-Hulud worm and Shai-Hulud 2-0-0 that compromised 1193+ packages i…
★ 14·updated today
peterhanily/maccrabC
🦀 MacCrab — Exoskeleton for your Mac. Local-first macOS threat detection engine that monitors AI coding tools, detects malware, and protects your system.
★ 9·updated 2d ago
barmi/cve-patch-auditorGo
Audit CVE impact, patch status, remediation progress, and verification results across systems.
★ 3·updated 3d ago
matt-coppinger/shai-hulud-defenderShell
Workspace ONE UEM sensors and scripts to detect, prevent, and remediate the Mini Shai-Hulud (TanStack/TeamPCP) supply-chain worm campaign on Windows and macOS endpoints.
★ 3·updated 3w ago
Articles on news mentioning CVE-2026-45321