CVE-2026-45321 TanStack npm Supply Chain Response Guide

CVE-2026-45321 is a critical TanStack npm supply-chain incident. Check lockfiles, rotate build secrets, and rebuild from clean runners.

Impact statement: CVE-2026-45321 is a critical npm supply-chain incident affecting maliciously published @tanstack/* package versions. GitHub Security Advisories and NVD report that 84 malicious versions across 42 TanStack packages were published on May 11, 2026. If a developer workstation, CI runner, hosting build server, or deployment pipeline installed one of the affected versions during the exposure window, treat that environment as potentially compromised.

This matters for agencies, hosting providers, and site owners because modern websites are often built before they are uploaded. A compromised build machine can expose cloud keys, npm tokens, GitHub tokens, SSH deploy keys, Kubernetes credentials, and other secrets even when the public website itself looks normal.

Who Should Care

  • Developers using TanStack Router, TanStack Start, or related TanStack packages in React, Solid, Vue, or server-rendered apps.
  • Agencies building customer sites with npm, pnpm, yarn, or Bun-based workflows.
  • Hosting providers that run customer build steps on shared build servers or CI runners.
  • Teams that deployed from GitHub Actions, GitLab CI, Bitbucket Pipelines, self-hosted runners, or developer laptops on May 11, 2026.
  • Anyone with cloud, npm, GitHub, SSH, Vault, or Kubernetes secrets available to a JavaScript install process.

What Happened

The official GitHub advisory says malicious TanStack package versions were published to npm between about 19:20 and 19:26 UTC on May 11, 2026. NVD assigned CVSS 9.6 Critical. The risk is not that a visitor browsing your finished website automatically triggers the issue. The highest risk is the machine that ran the package install: developer laptops, CI runners, build containers, preview deploy workers, and hosting automation.

If a build environment installed an affected version, assume secrets reachable by that process may have been exposed. Do not stop at updating the package. Rotate credentials and review logs.

Affected Packages And Versions

The full official list is long: 42 packages, with two affected versions for each package. Use the GitHub Security Advisory as the version authority because package deprecation, unpublishing, and follow-up releases can change quickly.

Package family: Router packages
  Examples to check: @tanstack/react-router, @tanstack/vue-router, @tanstack/solid-router, @tanstack/router-core
  Action: Update to the clean version listed in the GitHub advisory or newer.

Package family: Start packages
  Examples to check: @tanstack/react-start, @tanstack/vue-start, @tanstack/solid-start, start client/server helpers
  Action: Update, rebuild from a clean dependency tree, and rotate exposed secrets.

Package family: Tooling packages
  Examples to check: Router CLI, router plugins, Vite plugins, generators, devtools, adapters
  Action: Check lockfiles and CI logs because tooling often runs in privileged build environments.

Commonly seen packages include @tanstack/react-router, @tanstack/router-core, @tanstack/react-start, @tanstack/router-plugin, @tanstack/router-vite-plugin, @tanstack/vue-router, and @tanstack/solid-router. The official advisory includes the exact affected and patched versions for every listed package.

First 15 Minutes: Contain The Build Environment

  • Pause deployments for projects that use @tanstack/* packages until lockfiles are checked.
  • Freeze or quarantine CI runners that performed installs during the May 11 exposure window.
  • Temporarily disable package install lifecycle scripts for investigation and rebuilds where your workflow allows it.
  • Rotate secrets that were available to affected developer machines, build servers, runners, and deployment jobs.
  • Rebuild from a clean runner after packages are pinned to safe versions.

# Search common project files for TanStack dependencies.
grep -R '"@tanstack/' package.json package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null || true

# Find JavaScript projects under common hosting/build paths.
find /home /var/www -maxdepth 4 -name package.json -print 2>/dev/null

# Show the local npm lifecycle-script setting.
npm config get ignore-scripts

# Temporary defense-in-depth during triage.
npm config set ignore-scripts true

Do not run a fresh install on a suspect machine just to “see what happens.” Use clean runners, clean containers, and vendor-patched package versions.

What To Rotate

If an affected install may have run, rotate anything the install process could read. Start with the highest-impact secrets first:

  • npm access tokens and automation tokens.
  • GitHub, GitLab, and Bitbucket tokens available to the runner or developer account.
  • Cloud credentials for AWS, Google Cloud, Azure, or other providers.
  • SSH deploy keys and machine user keys.
  • Kubernetes service-account tokens and kubeconfig files.
  • Vault, secrets-manager, and deployment platform tokens.
  • Webhook signing secrets and application deployment keys.

Safe Checks For Developers

Check lockfiles, CI logs, and package manager history for affected TanStack versions. Compare findings against the official GitHub advisory. These checks are defensive inventory steps; they do not validate the malware on a live target.

# Show TanStack package references in lockfiles.
grep -R '@tanstack/' package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null || true

# Check current top-level TanStack packages without adding anything new.
npm ls --depth=0 2>/dev/null | grep '@tanstack/' || true

# After updating package versions, confirm the lockfile changed.
git diff -- package.json package-lock.json pnpm-lock.yaml yarn.lock

If the project has no lockfile, treat that as a separate supply-chain problem. Add lockfiles, pin known-good versions, and use repeatable builds.
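The grep commands above list every @tanstack/ reference, but a lockfile records resolved versions in a structured way, and it is the resolved version that must be compared against the advisory. The following Python script is an added example (not code from this guide or from the TanStack project): it pulls (name, version) pairs out of package-lock.json in both the v1 "dependencies" tree and the v2/v3 "packages" map, does a line scan of pnpm-lock.yaml package keys, and flags exact matches against a deny-list. The DENYLIST contents and the sample lockfiles embedded in it are constructed placeholders; fill the deny-list from the GitHub Security Advisory before using it.

```python
import json
import re

# PLACEHOLDER deny-list: populate it with the affected versions from the GitHub
# Security Advisory for CVE-2026-45321. These version strings are constructed for
# this example and are not real advisory data.
DENYLIST = {
    "@tanstack/react-router": {"0.0.0-example-bad"},
    "@tanstack/router-core": {"0.0.0-example-bad"},
}

# package-lock.json v2/v3 keys look like "node_modules/@tanstack/react-router" or,
# when nested, "node_modules/some-plugin/node_modules/@tanstack/router-core".
_NPM_KEY = re.compile(r"node_modules/(@tanstack/[^/]+)$")
# pnpm-lock.yaml resolved-package keys: "/@tanstack/x@1.2.3(react@18.3.1):" (v6),
# "'@tanstack/x@1.2.3':" (v9) or "/@tanstack/x/1.2.3:" (v5). The version ends at the
# first character that cannot be part of a version string, so peer suffixes are dropped.
_PNPM_KEY = re.compile(r"^\s*['\"]?/?(@tanstack/[A-Za-z0-9._-]+)[@/](\d[0-9A-Za-z.+-]*)")


def scan_package_lock(text):
    """Return sorted (name, version) pairs for every @tanstack/* entry in a
    package-lock.json. v2 lockfiles carry both "packages" and the legacy
    "dependencies" tree, so "packages" is preferred to avoid double counting."""
    lock = json.loads(text)
    found = set()
    packages = lock.get("packages")
    if isinstance(packages, dict):
        for path, meta in packages.items():
            m = _NPM_KEY.search(path)
            if m and isinstance(meta, dict) and meta.get("version"):
                found.add((m.group(1), meta["version"]))
    else:  # lockfile v1: nested "dependencies" objects
        def walk(deps):
            for name, meta in (deps or {}).items():
                if not isinstance(meta, dict):
                    continue
                if name.startswith("@tanstack/") and meta.get("version"):
                    found.add((name, meta["version"]))
                walk(meta.get("dependencies"))
        walk(lock.get("dependencies"))
    return sorted(found)


def scan_pnpm_lock(text):
    """Return sorted (name, version) pairs from pnpm-lock.yaml package keys."""
    return sorted({(m.group(1), m.group(2))
                   for m in map(_PNPM_KEY.match, text.splitlines()) if m})


def flagged(entries, denylist=DENYLIST):
    """Keep only entries whose exact resolved version is on the deny-list."""
    return [(n, v) for n, v in entries if v in denylist.get(n, set())]


# Constructed sample lockfiles (not taken from any real project).
SAMPLE_PACKAGE_LOCK_V3 = json.dumps({
    "name": "example-site", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"@tanstack/react-router": "^0.0.0"}},
        "node_modules/@tanstack/react-router": {"version": "0.0.0-example-bad"},
        "node_modules/@tanstack/router-core": {"version": "0.0.0-example-ok"},
        "node_modules/react": {"version": "18.3.1"},
    },
})
SAMPLE_PACKAGE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "@tanstack/react-router": {"version": "0.0.0-example-ok"},
        "some-plugin": {"version": "2.0.0", "dependencies": {
            "@tanstack/router-core": {"version": "0.0.0-example-bad"}}},
    },
})
SAMPLE_PNPM_LOCK = """\
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      '@tanstack/react-router':
        specifier: ^0.0.0
        version: 0.0.0-example-bad(react@18.3.1)
packages:
  '@tanstack/react-router@0.0.0-example-bad(react@18.3.1)':
    resolution: {integrity: sha512-placeholder}
  '@tanstack/router-core@0.0.0-example-ok':
    resolution: {integrity: sha512-placeholder}
  react@18.3.1:
    resolution: {integrity: sha512-placeholder}
"""

if __name__ == "__main__":
    for label, scan, text in (("package-lock v3", scan_package_lock, SAMPLE_PACKAGE_LOCK_V3),
                              ("package-lock v1", scan_package_lock, SAMPLE_PACKAGE_LOCK_V1),
                              ("pnpm-lock", scan_pnpm_lock, SAMPLE_PNPM_LOCK)):
        entries = scan(text)
        print(label, "tanstack entries:", entries)
        print(label, "FLAGGED:", flagged(entries))
```

Run it against a copy of the lockfile taken from the project or from the CI artifact store rather than running a fresh install on the suspect machine; the script only reads text and never touches the package registry. Nested copies of a package (a plugin pulling its own @tanstack/router-core) are reported alongside the top-level one, which is why scanning the lockfile is more complete than `npm ls --depth=0`.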

Hosting Provider Checklist

  • Search managed build hosts for projects using @tanstack/*.
  • Identify jobs that ran package installs between 19:20 and 19:30 UTC on May 11, 2026.
  • Rotate deployment keys and tokens used by affected jobs.
  • Rebuild customer sites from clean runners after dependency updates.
  • Review cloud audit logs, source-control audit logs, npm access-token activity, and deployment logs.
  • Notify affected customers with plain instructions: what happened, what was rotated, what they need to rotate, and whether a rebuild was performed.
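Finding the jobs that ran an install inside the exposure window is mostly a timestamp problem: CI logs are often written in a local zone, and a "build" step that never installs anything should not be confused with one that does. The script below is an added example, not part of this guide or any hosting platform's tooling. It assumes a constructed log line layout (ISO-8601 timestamp, then job=, runner= and cmd="..." fields) that you would adapt to your CI system, normalises every timestamp to UTC, matches only commands that actually resolve packages (npm ci/install, pnpm install, yarn install or bare yarn, bun install), and reports the jobs and runners that fall between 19:20 and 19:30 UTC on May 11, 2026. The sample log lines, job ids and runner names are made up for the example.

```python
import re
from datetime import datetime, timezone

# Exposure window from the hosting checklist: installs between 19:20 and 19:30 UTC
# on May 11, 2026. Half-open: start <= t < end.
WINDOW_START = datetime(2026, 5, 11, 19, 20, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 11, 19, 30, tzinfo=timezone.utc)

# Assumed log line shape (constructed for this example): an ISO-8601 timestamp,
# then job=, runner= and cmd="..." fields. Adapt the regex to your CI system's logs.
_LINE = re.compile(r'^(\S+)\s+job=(\S+)\s+runner=(\S+)\s+cmd="([^"]*)"')

# Commands that resolve and install packages. "yarn build" or "npm run build"
# alone do not install and are not matched; "yarn" with only flags does install.
_INSTALL = re.compile(
    r"^(?:npm\s+(?:ci|install|i)\b|pnpm\s+(?:install|i)\b|bun\s+install\b"
    r"|yarn(?:\s+install)?(?:\s+-[-\w=]+)*\s*$)"
)


def _to_utc(stamp):
    """Parse an ISO-8601 timestamp and normalise it to UTC. Offsets such as
    +02:00 are converted; a timestamp with no zone is ASSUMED to be UTC."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def suspect_installs(lines, start=WINDOW_START, end=WINDOW_END):
    """Return (job, runner, cmd, utc_iso) for install commands inside the window,
    ordered by time. Lines that do not parse are skipped rather than guessed at."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue
        stamp, job, runner, cmd = m.groups()
        if not _INSTALL.match(cmd.strip()):
            continue
        when = _to_utc(stamp)
        if start <= when < end:
            hits.append((when, job, runner, cmd))
    return [(job, runner, cmd, when.isoformat()) for when, job, runner, cmd in sorted(hits)]


def runners_to_quarantine(hits):
    """Distinct runners that performed an in-window install, for the freeze step."""
    return sorted({runner for _, runner, _, _ in hits})


# Constructed sample log lines; job ids, runner names and times are made up.
SAMPLE_LOG = """\
2026-05-11T19:18:42Z job=build-1041 runner=shared-runner-3 cmd="npm ci"
2026-05-11T19:21:05Z job=build-1042 runner=shared-runner-3 cmd="npm ci"
2026-05-11T21:24:30+02:00 job=build-1043 runner=shared-runner-7 cmd="pnpm install --frozen-lockfile"
2026-05-11T19:25:11Z job=build-1044 runner=shared-runner-1 cmd="yarn build"
2026-05-11T19:26:00Z job=build-1047 runner=shared-runner-2 cmd="npm run build"
2026-05-11T19:27:48Z job=build-1045 runner=shared-runner-1 cmd="yarn install --frozen-lockfile"
2026-05-11T19:31:02Z job=build-1046 runner=shared-runner-2 cmd="npm install"
"""

if __name__ == "__main__":
    hits = suspect_installs(SAMPLE_LOG.splitlines())
    for job, runner, cmd, when in hits:
        print(f"{when}  {job:<12} {runner:<16} {cmd}")
    print("runners to quarantine:", runners_to_quarantine(hits))
```

In the sample, build-1043 is logged at 21:24 local time with a +02:00 offset and still lands inside the window once converted, which is the case a naive string comparison on the hour would miss. The resulting job list feeds the rotation and rebuild steps, and the runner list feeds the quarantine step; a job whose timestamp falls just outside the window but whose install could have resolved packages inside it is worth reviewing by hand.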

What To Tell Customers

Use clear language. Example:

A critical npm supply-chain issue affected certain TanStack package versions published on May 11, 2026. We are checking whether your project installed those versions, rotating affected deployment credentials where needed, and rebuilding from clean dependencies. This is a build-chain issue, not proof that visitors to your public website were attacked.

CDN And WAF Virtual Patch Note

This is primarily a package-install and CI/build compromise risk, so a normal CDN/WAF rule cannot replace dependency cleanup or secret rotation. The CDN side should still review managed customers for exposed build panels, suspicious deployment flows, and emergency customer notification paths. If a customer routes build/admin tools through the edge, tighten access and require trusted admin networks.

Need help reviewing a build server, npm lockfile, or hosting deployment pipeline after this TanStack incident? Open a ticket through Help4Network.com.