{"api_version":"1","generated_at":"2026-05-12T11:05:32+00:00","cve":"CVE-2026-45321","urls":{"html":"https://cve.report/CVE-2026-45321","api":"https://cve.report/api/cve/CVE-2026-45321.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-45321","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-45321"},"summary":{"title":"Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys","description":"On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target \"Pwn Request\" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-05-12 01:16:46","updated_at":"2026-05-12 01:16:46"},"problem_types":["CWE-506","CWE-506 CWE-506: Embedded Malicious Code"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"9.6","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.6","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://github.com/TanStack/router/issues/7383","name":"https://github.com/TanStack/router/issues/7383","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx","name":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-45321","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45321","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"@tanstack","product":"arktype-adapter","version":"affected 1.166.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"arktype-adapter","version":"affected 1.166.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"eslint-plugin-router","version":"affected 1.161.9","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"eslint-plugin-router","version":"affected 1.161.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"eslint-plugin-start","version":"affected 0.0.4","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"eslint-plugin-start","version":"affected 0.0.7","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"history","version":"affected 1.161.9","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"history","version":"affected 1.161.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"nitro-v2-vite-plugin","version":"affected 1.154.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"nitro-v2-vite-plugin","version":"affected 1.154.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router","version":"affected 1.169.5","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router","version":"affected 1.169.8","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router-devtools","version":"affected 1.166.16","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router-devtools","version":"affected 1.166.19","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router-ssr-query","version":"affected 1.166.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-router-ssr-query","version":"affected 1.166.18","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start","version":"affected 1.167.68","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start","version":"affected 1.167.71","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-client","version":"affected 1.166.51","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-client","version":"affected 1.166.54","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-rsc","version":"affected 0.0.47","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-rsc","version":"affected 0.0.50","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-server","version":"affected 1.166.55","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"react-start-server","version":"affected 1.166.58","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-cli","version":"affected 1.166.46","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-cli","version":"affected 1.166.49","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-core","version":"affected 1.169.5","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-core","version":"affected 1.169.8","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-devtools","version":"affected 1.166.16","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-devtools","version":"affected 1.166.19","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-devtools-core","version":"affected 1.167.6","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-devtools-core","version":"affected 1.167.9","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-generator","version":"affected 1.166.45","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-generator","version":"affected 1.166.48","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-plugin","version":"affected 1.167.38","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-plugin","version":"affected 1.167.41","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-ssr-query-core","version":"affected 1.168.3","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-ssr-query-core","version":"affected 1.168.6","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-utils","version":"affected 1.161.11","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"router-utils","version":"affected 1.161.14","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"outer-vite-plugin","version":"affected 1.166.53","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"outer-vite-plugin","version":"affected 1.166.56","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router","version":"affected 1.169.5","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router","version":"affected 1.169.8","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router-devtools","version":"affected 1.166.16","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router-devtools","version":"affected 1.166.19","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router-ssr-query","version":"affected 1.166.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-router-ssr-query","version":"affected 1.166.18","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start","version":"affected 1.167.65","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start","version":"affected 1.167.68","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start-client","version":"affected 1.166.50","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start-client","version":"affected 1.166.53","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start-server","version":"affected 1.166.54","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"solid-start-server","version":"affected 1.166.57","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-client-core","version":"affected 1.168.5","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-client-core","version":"affected 1.168.8","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-fn-stubs","version":"affected 1.161.9","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-fn-stubs","version":"affected 1.161.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-plugin-core","version":"affected 1.169.23","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-plugin-core","version":"affected 1.169.26","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-server-core","version":"affected 1.167.33","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-server-core","version":"affected 1.167.36","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-static-server-functions","version":"affected 1.166.44","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-static-server-functions","version":"affected 1.166.47","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-storage-context","version":"affected 1.166.38","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"start-storage-context","version":"affected 1.166.41","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"valibot-adapter","version":"affected 1.166.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"valibot-adapter","version":"affected 1.166.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"virtual-file-routes","version":"affected 1.161.10","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"virtual-file-routes","version":"affected 1.161.13","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router","version":"affected 1.169.5","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router","version":"affected 1.169.8","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router-devtools","version":"affected 1.166.16","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router-devtools","version":"affected 1.166.19","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router-ssr-query","version":"affected 1.166.15","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-router-ssr-query","version":"affected 1.166.18","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start","version":"affected 1.167.61","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start","version":"affected 1.167.64","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start-client","version":"affected 1.166.46","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start-client","version":"affected 1.166.49","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start-server","version":"affected 1.166.50","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"vue-start-server","version":"affected 1.166.53","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"zod-adapter","version":"affected 1.166.12","platforms":[]},{"source":"CNA","vendor":"@tanstack","product":"zod-adapter","version":"affected 1.166.15","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"product":"arktype-adapter","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.12"},{"status":"affected","version":"1.166.15"}]},{"product":"eslint-plugin-router","vendor":"@tanstack","versions":[{"status":"affected","version":"1.161.9"},{"status":"affected","version":"1.161.12"}]},{"product":"eslint-plugin-start","vendor":"@tanstack","versions":[{"status":"affected","version":"0.0.4"},{"status":"affected","version":"0.0.7"}]},{"product":"history","vendor":"@tanstack","versions":[{"status":"affected","version":"1.161.9"},{"status":"affected","version":"1.161.12"}]},{"product":"nitro-v2-vite-plugin","vendor":"@tanstack","versions":[{"status":"affected","version":"1.154.12"},{"status":"affected","version":"1.154.15"}]},{"product":"react-router","vendor":"@tanstack","versions":[{"status":"affected","version":"1.169.5"},{"status":"affected","version":"1.169.8"}]},{"product":"react-router-devtools","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.16"},{"status":"affected","version":"1.166.19"}]},{"product":"react-router-ssr-query","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.15"},{"status":"affected","version":"1.166.18"}]},{"product":"react-start","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.68"},{"status":"affected","version":"1.167.71"}]},{"product":"react-start-client","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.51"},{"status":"affected","version":"1.166.54"}]},{"product":"react-start-rsc","vendor":"@tanstack","versions":[{"status":"affected","version":"0.0.47"},{"status":"affected","version":"0.0.50"}]},{"product":"react-start-server","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.55"},{"status":"affected","version":"1.166.58"}]},{"product":"router-cli","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.46"},{"status":"affected","version":"1.166.49"}]},{"product":"router-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.169.5"},{"status":"affected","version":"1.169.8"}]},{"product":"router-devtools","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.16"},{"status":"affected","version":"1.166.19"}]},{"product":"router-devtools-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.6"},{"status":"affected","version":"1.167.9"}]},{"product":"router-generator","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.45"},{"status":"affected","version":"1.166.48"}]},{"product":"router-plugin","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.38"},{"status":"affected","version":"1.167.41"}]},{"product":"router-ssr-query-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.168.3"},{"status":"affected","version":"1.168.6"}]},{"product":"router-utils","vendor":"@tanstack","versions":[{"status":"affected","version":"1.161.11"},{"status":"affected","version":"1.161.14"}]},{"product":"outer-vite-plugin","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.53"},{"status":"affected","version":"1.166.56"}]},{"product":"solid-router","vendor":"@tanstack","versions":[{"status":"affected","version":"1.169.5"},{"status":"affected","version":"1.169.8"}]},{"product":"solid-router-devtools","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.16"},{"status":"affected","version":"1.166.19"}]},{"product":"solid-router-ssr-query","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.15"},{"status":"affected","version":"1.166.18"}]},{"product":"solid-start","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.65"},{"status":"affected","version":"1.167.68"}]},{"product":"solid-start-client","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.50"},{"status":"affected","version":"1.166.53"}]},{"product":"solid-start-server","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.54"},{"status":"affected","version":"1.166.57"}]},{"product":"start-client-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.168.5"},{"status":"affected","version":"1.168.8"}]},{"product":"start-fn-stubs","vendor":"@tanstack","versions":[{"status":"affected","version":"1.161.9"},{"status":"affected","version":"1.161.12"}]},{"product":"start-plugin-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.169.23"},{"status":"affected","version":"1.169.26"}]},{"product":"start-server-core","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.33"},{"status":"affected","version":"1.167.36"}]},{"product":"start-static-server-functions","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.44"},{"status":"affected","version":"1.166.47"}]},{"product":"start-storage-context","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.38"},{"status":"affected","version":"1.166.41"}]},{"product":"valibot-adapter","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.12"},{"status":"affected","version":"1.166.15"}]},{"product":"virtual-file-routes","vendor":"@tanstack","versions":[{"status":"affected","version":"1.161.10"},{"status":"affected","version":"1.161.13"}]},{"product":"vue-router","vendor":"@tanstack","versions":[{"status":"affected","version":"1.169.5"},{"status":"affected","version":"1.169.8"}]},{"product":"vue-router-devtools","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.16"},{"status":"affected","version":"1.166.19"}]},{"product":"vue-router-ssr-query","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.15"},{"status":"affected","version":"1.166.18"}]},{"product":"vue-start","vendor":"@tanstack","versions":[{"status":"affected","version":"1.167.61"},{"status":"affected","version":"1.167.64"}]},{"product":"vue-start-client","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.46"},{"status":"affected","version":"1.166.49"}]},{"product":"vue-start-server","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.50"},{"status":"affected","version":"1.166.53"}]},{"product":"zod-adapter","vendor":"@tanstack","versions":[{"status":"affected","version":"1.166.12"},{"status":"affected","version":"1.166.15"}]}],"descriptions":[{"lang":"en","value":"On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target \"Pwn Request\" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":9.6,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-506","description":"CWE-506: Embedded Malicious Code","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-12T00:12:35.452Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx","tags":["x_refsource_CONFIRM"],"url":"https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx"},{"name":"https://github.com/TanStack/router/issues/7383","tags":["x_refsource_MISC"],"url":"https://github.com/TanStack/router/issues/7383"}],"source":{"advisory":"GHSA-g7cv-rxg3-hmpx","discovery":"UNKNOWN"},"title":"Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-45321","datePublished":"2026-05-12T00:12:35.452Z","dateReserved":"2026-05-11T20:50:30.539Z","dateUpdated":"2026-05-12T00:12:35.452Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-12 01:16:46","lastModifiedDate":"2026-05-12 01:16:46","problem_types":["CWE-506","CWE-506 CWE-506: Embedded Malicious Code"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"45321","Ordinal":"1","Title":"Malware in 42 @tanstack/* packages exfiltrates cloud credentials","CVE":"CVE-2026-45321","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"45321","Ordinal":"1","NoteData":"On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target \"Pwn Request\" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.","Type":"Description","Title":"Malware in 42 @tanstack/* packages exfiltrates cloud credentials"}]}}}