CVE-2026-45321 - Vulnerability Details

- Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Published: 2026-05-12

Score: 9.6 Critical

EPSS: 2.3% Low

KEV: Yes

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

@tanstack

arktype-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

eslint-plugin-router

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

eslint-plugin-start

affected

Version	Status	Constraints
`0.0.4`	affected	—
`0.0.7`	affected	—

@tanstack

history

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

nitro-v2-vite-plugin

affected

Version	Status	Constraints
`1.154.12`	affected	—
`1.154.15`	affected	—

@tanstack

react-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

react-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

react-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

react-start

affected

Version	Status	Constraints
`1.167.68`	affected	—
`1.167.71`	affected	—

@tanstack

react-start-client

affected

Version	Status	Constraints
`1.166.51`	affected	—
`1.166.54`	affected	—

@tanstack

react-start-rsc

affected

Version	Status	Constraints
`0.0.47`	affected	—
`0.0.50`	affected	—

@tanstack

react-start-server

affected

Version	Status	Constraints
`1.166.55`	affected	—
`1.166.58`	affected	—

@tanstack

router-cli

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

router-core

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

router-devtools-core

affected

Version	Status	Constraints
`1.167.6`	affected	—
`1.167.9`	affected	—

@tanstack

router-generator

affected

Version	Status	Constraints
`1.166.45`	affected	—
`1.166.48`	affected	—

@tanstack

router-plugin

affected

Version	Status	Constraints
`1.167.38`	affected	—
`1.167.41`	affected	—

@tanstack

router-ssr-query-core

affected

Version	Status	Constraints
`1.168.3`	affected	—
`1.168.6`	affected	—

@tanstack

router-utils

affected

Version	Status	Constraints
`1.161.11`	affected	—
`1.161.14`	affected	—

@tanstack

outer-vite-plugin

affected

Version	Status	Constraints
`1.166.53`	affected	—
`1.166.56`	affected	—

@tanstack

solid-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

solid-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

solid-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

solid-start

affected

Version	Status	Constraints
`1.167.65`	affected	—
`1.167.68`	affected	—

@tanstack

solid-start-client

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

solid-start-server

affected

Version	Status	Constraints
`1.166.54`	affected	—
`1.166.57`	affected	—

@tanstack

start-client-core

affected

Version	Status	Constraints
`1.168.5`	affected	—
`1.168.8`	affected	—

@tanstack

start-fn-stubs

affected

Version	Status	Constraints
`1.161.9`	affected	—
`1.161.12`	affected	—

@tanstack

start-plugin-core

affected

Version	Status	Constraints
`1.169.23`	affected	—
`1.169.26`	affected	—

@tanstack

start-server-core

affected

Version	Status	Constraints
`1.167.33`	affected	—
`1.167.36`	affected	—

@tanstack

start-static-server-functions

affected

Version	Status	Constraints
`1.166.44`	affected	—
`1.166.47`	affected	—

@tanstack

start-storage-context

affected

Version	Status	Constraints
`1.166.38`	affected	—
`1.166.41`	affected	—

@tanstack

valibot-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

@tanstack

virtual-file-routes

affected

Version	Status	Constraints
`1.161.10`	affected	—
`1.161.13`	affected	—

@tanstack

vue-router

affected

Version	Status	Constraints
`1.169.5`	affected	—
`1.169.8`	affected	—

@tanstack

vue-router-devtools

affected

Version	Status	Constraints
`1.166.16`	affected	—
`1.166.19`	affected	—

@tanstack

vue-router-ssr-query

affected

Version	Status	Constraints
`1.166.15`	affected	—
`1.166.18`	affected	—

@tanstack

vue-start

affected

Version	Status	Constraints
`1.167.61`	affected	—
`1.167.64`	affected	—

@tanstack

vue-start-client

affected

Version	Status	Constraints
`1.166.46`	affected	—
`1.166.49`	affected	—

@tanstack

vue-start-server

affected

Version	Status	Constraints
`1.166.50`	affected	—
`1.166.53`	affected	—

@tanstack

zod-adapter

affected

Version	Status	Constraints
`1.166.12`	affected	—
`1.166.15`	affected	—

Configuration 1 [-]

OR	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js::

Configuration 2 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js::

Configuration 3 [-]

OR	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js::

Configuration 4 [-]

OR	cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js::

Configuration 5 [-]

OR	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js::

Configuration 6 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js::

Configuration 7 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js::

Configuration 8 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js::

Configuration 9 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js::

Configuration 10 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js::

Configuration 11 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js::

Configuration 12 [-]

OR	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js::

Configuration 13 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js::

Configuration 14 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js::

Configuration 15 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js::

Configuration 16 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js::

Configuration 17 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js::

Configuration 18 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js::

Configuration 19 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js::

Configuration 20 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js::

Configuration 21 [-]

OR	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js::

Configuration 22 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js::

Configuration 23 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js::

Configuration 24 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js::

Configuration 25 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js::

Configuration 26 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js::

Configuration 27 [-]

OR	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js::

Configuration 28 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js::

Configuration 29 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js::

Configuration 30 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js::

Configuration 31 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js::

Configuration 32 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js::

Configuration 33 [-]

OR	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js::

Configuration 34 [-]

OR	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js::

Configuration 35 [-]

OR	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js::

Configuration 36 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js::

Configuration 37 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js::

Configuration 38 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js::

Configuration 39 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js::

Configuration 40 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js::

Configuration 41 [-]

OR	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js::

Configuration 42 [-]

OR	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js::
	cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::

Configuration 43 [-]

OR	cpe:2.3:a:mistral:mistralai:2.4.6:::::python::
	cpe:2.3:a:mistral:mistralai\/mistralai:2.2.3:::::node.js::
	cpe:2.3:a:mistral:mistralai\/mistralai:2.2.4:::::node.js::
	cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.2:::::node.js::
	cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.3:::::node.js::
	cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.2:::::node.js::
	cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.3:::::node.js::

Configuration 44 [-]

OR	cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.4:::::node.js::
	cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.5:::::node.js::
	cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.2:::::node.js::
	cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.3:::::node.js::
	cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.3:::::node.js::
	cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.4:::::node.js::

Configuration 45 [-]

OR	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.2:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.3:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.4:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.5:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.6:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.7:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.8:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.9:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.10:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.11:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.12:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.13:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.14:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.15:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.16:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.17:::::node.js::
	cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.19:::::node.js::

Configuration 46 [-]

OR	cpe:2.3:a:christianalares:git-git-git:1.0.8:::::node.js::
	cpe:2.3:a:christianalares:git-git-git:1.0.9:::::node.js::
	cpe:2.3:a:christianalares:git-git-git:1.0.10:::::node.js::
	cpe:2.3:a:christianalares:git-git-git:1.0.12:::::node.js::
	cpe:2.3:a:christianalares:git_branch_selector:1.3.3:::::node.js::
	cpe:2.3:a:christianalares:git_branch_selector:1.3.4:::::node.js::
	cpe:2.3:a:christianalares:git_branch_selector:1.3.5:::::node.js::
	cpe:2.3:a:christianalares:git_branch_selector:1.3.7:::::node.js::
	cpe:2.3:a:christianalares:nextmove-mcp:0.1.3:::::node.js::
	cpe:2.3:a:christianalares:nextmove-mcp:0.1.4:::::node.js::
	cpe:2.3:a:christianalares:nextmove-mcp:0.1.5:::::node.js::
	cpe:2.3:a:christianalares:nextmove-mcp:0.1.7:::::node.js::
	cpe:2.3:a:christianalares:tolka\/cli:1.0.2:::::node.js::
	cpe:2.3:a:christianalares:tolka\/cli:1.0.3:::::node.js::
	cpe:2.3:a:christianalares:tolka\/cli:1.0.4:::::node.js::
	cpe:2.3:a:christianalares:tolka\/cli:1.0.6:::::node.js::

Configuration 47 [-]

OR	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.3:::::node.js::
	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.4:::::node.js::
	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.5:::::node.js::
	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.6:::::node.js::
	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.7:::::node.js::
	cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.8:::::node.js::

Configuration 48 [-]

OR	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.2:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.3:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.4:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.5:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.6:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.7:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.2:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.3:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.4:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.5:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.6:::::node.js::
	cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.7:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.24:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.25:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.26:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.27:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.28:::::node.js::
	cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.29:::::node.js::

Configuration 49 [-]

OR	cpe:2.3:a:kilbot:tallyui\/components:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/components:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/components:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/core:0.2.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/core:0.2.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/core:0.2.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/database:1.0.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/database:1.0.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/database:1.0.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/pos:0.1.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/pos:0.1.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/pos:0.1.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.3:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/theme:0.2.1:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/theme:0.2.2:::::node.js::
	cpe:2.3:a:kilbot:tallyui\/theme:0.2.3:::::node.js::

Configuration 50 [-]

OR	cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.1:::::node.js::
	cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.2:::::node.js::
	cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.1:::::node.js::
	cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.2:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.1:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.2:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.1:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.2:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.1:::::node.js::
	cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.2:::::node.js::
	cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.3:::::node.js::
	cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.4:::::node.js::

Configuration 51 [-]

OR	cpe:2.3:a:neilcochran:cross-stitch:1.1.3:::::node.js::
	cpe:2.3:a:neilcochran:cross-stitch:1.1.4:::::node.js::
	cpe:2.3:a:neilcochran:cross-stitch:1.1.6:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airports:0.6.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airports:0.6.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airports:0.6.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace:0.8.1:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace:0.8.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace:0.8.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.6:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airways:0.4.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airways:0.4.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/airways:0.4.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fixes:0.3.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fixes:0.3.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/fixes:0.3.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/geo:0.4.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/geo:0.4.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/geo:0.4.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/mcp:0.9.1:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/mcp:0.9.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/mcp:0.9.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaids:0.4.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaids:0.4.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/navaids:0.4.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/notams:0.3.6:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/notams:0.3.7:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/notams:0.3.9:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.6:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedures:0.5.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedures:0.5.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/procedures:0.5.5:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/types:0.8.1:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/types:0.8.2:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/types:0.8.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/units:0.4.3:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/units:0.4.4:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/units:0.4.6:::::node.js::
	cpe:2.3:a:neilcochran:squawk\/weather:0.5.6:::::node.js::
cpe:2.3:a:neilcochran:squawk\/weather:0.5.7:::::node.js::
cpe:2.3:a:neilcochran:squawk\/weather:0.5.9:::::node.js::
cpe:2.3:a:neilcochran:ts-dna:3.0.1:::::node.js::
cpe:2.3:a:neilcochran:ts-dna:3.0.2:::::node.js::
cpe:2.3:a:neilcochran:ts-dna:3.0.4:::::node.js::
cpe:2.3:a:neilcochran:wot-api:0.8.1:::::node.js::
cpe:2.3:a:neilcochran:wot-api:0.8.2:::::node.js::
cpe:2.3:a:neilcochran:wot-api:0.8.4:::::node.js::

Configuration 52 [-]

OR	cpe:2.3:a:agentworkhq:agentwork-cli:0.1.4:::::node.js::
	cpe:2.3:a:agentworkhq:agentwork-cli:0.1.5:::::node.js::
	cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.2:::::node.js::
	cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.3:::::node.js::
	cpe:2.3:a:guardrailsai:guardrails_ai:0.10.1:::::python::
	cpe:2.3:a:linuxfoundation:opensearch:3.6.2:::::node.js::
	cpe:2.3:a:mesa:mesadev\/rest:0.28.3:::::node.js::
	cpe:2.3:a:mesa:mesadev\/saguaro:0.4.22:::::node.js::
	cpe:2.3:a:mesa:mesadev\/sdk:0.28.3:::::node.js::

Configuration 53 [-]

OR	cpe:2.3:a:uipath:uipath\/access-policy-sdk:0.3.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/access-policy-tool:0.3.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/admin-tool:0.1.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/agent-sdk:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/agent-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/agent.sdk:0.0.18:::::node.js::
	cpe:2.3:a:uipath:uipath\/aops-policy-tool:0.3.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/ap-chat:1.5.7:::::node.js::
	cpe:2.3:a:uipath:uipath\/api-workflow-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/apollo-core:5.9.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/apollo-react:4.24.5:::::node.js::
	cpe:2.3:a:uipath:uipath\/apollo-wind:2.16.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/auth:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/case-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/cli:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/codedagent-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/codedagents-tool:0.1.12:::::node.js::
	cpe:2.3:a:uipath:uipath\/codedapp-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/common:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/context-grounding-tool:0.1.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/data-fabric-tool:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/docsai-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/filesystem:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/flow-tool:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/functions-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/gov-tool:0.3.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/identity-tool:0.1.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/insights-sdk:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/insights-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/integrationservice-sdk:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/integrationservice-tool:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/llmgw-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/maestro-sdk:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/maestro-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/orchestrator-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-apiworkflow:0.0.19:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-bpmn:0.0.9:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-case:0.0.9:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-connector:0.0.19:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-flow:0.0.19:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-functions:0.1.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-webapp:1.0.6:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler:0.0.16:::::node.js::
	cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler-browser:0.0.34:::::node.js::
	cpe:2.3:a:uipath:uipath\/platform-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/project-packager:1.1.16:::::node.js::
	cpe:2.3:a:uipath:uipath\/resource-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/resourcecatalog-tool:0.1.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/resources-tool:0.1.11:::::node.js::
	cpe:2.3:a:uipath:uipath\/robot:1.3.4:::::node.js::
	cpe:2.3:a:uipath:uipath\/rpa-legacy-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/rpa-tool:0.9.5:::::node.js::
	cpe:2.3:a:uipath:uipath\/solution-packager:0.0.35:::::node.js::
	cpe:2.3:a:uipath:uipath\/solution-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/solutionpackager-sdk:1.0.11:::::node.js::
	cpe:2.3:a:uipath:uipath\/solutionpackager-tool-core:0.0.34:::::node.js::
	cpe:2.3:a:uipath:uipath\/tasks-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/telemetry:0.0.7:::::node.js::
	cpe:2.3:a:uipath:uipath\/test-manager-tool:1.0.2:::::node.js::
	cpe:2.3:a:uipath:uipath\/tool-workflowcompiler:0.0.12:::::node.js::
	cpe:2.3:a:uipath:uipath\/traces-tool:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/ui-widgets-multi-file-upload:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/uipath-python-bridge:1.0.1:::::node.js::
	cpe:2.3:a:uipath:uipath\/vertical-solutions-tool:1.0.1:::::node.js::
cpe:2.3:a:uipath:uipath\/vss:0.1.6:::::node.js::
cpe:2.3:a:uipath:uipath\/widget.sdk:1.2.3:::::node.js::

No data.

Vendor Product Confidence Versions

Tanstack

Arktype-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Tanstack

Eslint-plugin-router

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Eslint-plugin-start

100%

Version	Status	Scheme	Platform
`0.0.4`	affected	semver	—
`0.0.7`	affected	semver	—

Tanstack

History

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Nitro-v2-vite-plugin

100%

Version	Status	Scheme	Platform
`1.154.12`	affected	semver	—
`1.154.15`	affected	semver	—

Tanstack

Outer-vite-plugin

100%

Version	Status	Scheme	Platform
`1.166.53`	affected	semver	—
`1.166.56`	affected	semver	—

Tanstack

React-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

React-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

React-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

React-start

100%

Version	Status	Scheme	Platform
`1.167.68`	affected	semver	—
`1.167.71`	affected	semver	—

Tanstack

React-start-client

100%

Version	Status	Scheme	Platform
`1.166.51`	affected	semver	—
`1.166.54`	affected	semver	—

Tanstack

React-start-rsc

100%

Version	Status	Scheme	Platform
`0.0.47`	affected	semver	—
`0.0.50`	affected	semver	—

Tanstack

React-start-server

100%

Version	Status	Scheme	Platform
`1.166.55`	affected	semver	—
`1.166.58`	affected	semver	—

Tanstack

Router-cli

100%

Version	Status	Scheme	Platform
`1.166.46`	affected	semver	—
`1.166.49`	affected	semver	—

Tanstack

Router-core

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Router-devtools-core

100%

Version	Status	Scheme	Platform
`1.167.6`	affected	semver	—
`1.167.9`	affected	semver	—

Tanstack

Router-generator

100%

Version	Status	Scheme	Platform
`1.166.45`	affected	semver	—
`1.166.48`	affected	semver	—

Tanstack

Router-plugin

100%

Version	Status	Scheme	Platform
`1.167.38`	affected	semver	—
`1.167.41`	affected	semver	—

Tanstack

Router-ssr-query-core

100%

Version	Status	Scheme	Platform
`1.168.3`	affected	semver	—
`1.168.6`	affected	semver	—

Tanstack

Router-utils

100%

Version	Status	Scheme	Platform
`1.161.11`	affected	semver	—
`1.161.14`	affected	semver	—

Tanstack

Solid-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Solid-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Solid-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

Solid-start

100%

Version	Status	Scheme	Platform
`1.167.65`	affected	semver	—
`1.167.68`	affected	semver	—

Tanstack

Solid-start-client

100%

Version	Status	Scheme	Platform
`1.166.50`	affected	semver	—
`1.166.53`	affected	semver	—

Tanstack

Solid-start-server

100%

Version	Status	Scheme	Platform
`1.166.54`	affected	semver	—
`1.166.57`	affected	semver	—

Tanstack

Start-client-core

100%

Version	Status	Scheme	Platform
`1.168.5`	affected	semver	—
`1.168.8`	affected	semver	—

Tanstack

Start-fn-stubs

100%

Version	Status	Scheme	Platform
`1.161.9`	affected	semver	—
`1.161.12`	affected	semver	—

Tanstack

Start-plugin-core

100%

Version	Status	Scheme	Platform
`1.169.23`	affected	semver	—
`1.169.26`	affected	semver	—

Tanstack

Start-server-core

100%

Version	Status	Scheme	Platform
`1.167.33`	affected	semver	—
`1.167.36`	affected	semver	—

Tanstack

Start-static-server-functions

100%

Version	Status	Scheme	Platform
`1.166.44`	affected	semver	—
`1.166.47`	affected	semver	—

Tanstack

Start-storage-context

100%

Version	Status	Scheme	Platform
`1.166.38`	affected	semver	—
`1.166.41`	affected	semver	—

Tanstack

Valibot-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Tanstack

Virtual-file-routes

100%

Version	Status	Scheme	Platform
`1.161.10`	affected	semver	—
`1.161.13`	affected	semver	—

Tanstack

Vue-router

100%

Version	Status	Scheme	Platform
`1.169.5`	affected	semver	—
`1.169.8`	affected	semver	—

Tanstack

Vue-router-devtools

100%

Version	Status	Scheme	Platform
`1.166.16`	affected	semver	—
`1.166.19`	affected	semver	—

Tanstack

Vue-router-ssr-query

100%

Version	Status	Scheme	Platform
`1.166.15`	affected	semver	—
`1.166.18`	affected	semver	—

Tanstack

Vue-start

100%

Version	Status	Scheme	Platform
`1.167.61`	affected	semver	—
`1.167.64`	affected	semver	—

Tanstack

Vue-start-client

100%

Version	Status	Scheme	Platform
`1.166.46`	affected	semver	—
`1.166.49`	affected	semver	—

Tanstack

Vue-start-server

100%

Version	Status	Scheme	Platform
`1.166.50`	affected	semver	—
`1.166.53`	affected	semver	—

Tanstack

Zod-adapter

100%

Version	Status	Scheme	Platform
`1.166.12`	affected	semver	—
`1.166.15`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-g7cv-rxg3-hmpx	Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since May 27, 2026.

The EPSS score is 0.02342.

Exploitation active

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/TanStack/router/issues/7383
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321
https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

History

Fri, 29 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Abhishake1 Abhishake1 supersurkhet\/cli Abhishake1 supersurkhet\/sdk Abhishake1 taskflow-corp\/cli Agentworkhq Agentworkhq agentwork-cli Antoinebcx Antoinebcx ml-toolkit-ts Antoinebcx ml-toolkit-ts\/preprocessing Antoinebcx ml-toolkit-ts\/xgboost Beproduct Beproduct beproduct\/nestjs-auth Christianalares Christianalares git-git-git Christianalares git Branch Selector Christianalares nextmove-mcp Christianalares tolka\/cli Dirigible Dirigible dirigible-ai\/sdk Guardrailsai Guardrailsai guardrails Ai Kilbot Kilbot tallyui\/components Kilbot tallyui\/connector-medusa Kilbot tallyui\/connector-shopify Kilbot tallyui\/connector-vendure Kilbot tallyui\/connector-woocommerce Kilbot tallyui\/core Kilbot tallyui\/database Kilbot tallyui\/pos Kilbot tallyui\/storage-sqlite Kilbot tallyui\/theme Linuxfoundation Linuxfoundation opensearch Matheuspergoli Matheuspergoli draftauth\/client Matheuspergoli draftauth\/core Matheuspergoli draftlab\/auth Matheuspergoli draftlab\/auth-router Matheuspergoli draftlab\/db Matheuspergoli simple Type-safe Actions Mesa Mesa mesadev\/rest Mesa mesadev\/saguaro Mesa mesadev\/sdk Mistral Mistral mistralai Mistral mistralai\/mistralai Mistral mistralai\/mistralai-azure Mistral mistralai\/mistralai-gcp Multiagentcognition Multiagentcognition cmux-agent-mcp Neilcochran Neilcochran cross-stitch Neilcochran squawk\/airports Neilcochran squawk\/airspace Neilcochran squawk\/airspace-data Neilcochran squawk\/airway-data Neilcochran squawk\/airways Neilcochran squawk\/fix-data Neilcochran squawk\/fixes Neilcochran squawk\/flight-math Neilcochran squawk\/flightplan Neilcochran squawk\/geo Neilcochran squawk\/icao-registry Neilcochran squawk\/icao-registry-data Neilcochran squawk\/mcp Neilcochran squawk\/navaid-data Neilcochran squawk\/navaids Neilcochran squawk\/notams Neilcochran squawk\/procedure-data Neilcochran squawk\/procedures Neilcochran squawk\/types Neilcochran squawk\/units Neilcochran squawk\/weather Neilcochran ts-dna Neilcochran wot-api Uipath Uipath uipath\/access-policy-sdk Uipath uipath\/access-policy-tool Uipath uipath\/admin-tool Uipath uipath\/agent-sdk Uipath uipath\/agent-tool Uipath uipath\/agent.sdk Uipath uipath\/aops-policy-tool Uipath uipath\/ap-chat Uipath uipath\/api-workflow-tool Uipath uipath\/apollo-core Uipath uipath\/apollo-react Uipath uipath\/apollo-wind Uipath uipath\/auth Uipath uipath\/case-tool Uipath uipath\/cli Uipath uipath\/codedagent-tool Uipath uipath\/codedagents-tool Uipath uipath\/codedapp-tool Uipath uipath\/common Uipath uipath\/context-grounding-tool Uipath uipath\/data-fabric-tool Uipath uipath\/docsai-tool Uipath uipath\/filesystem Uipath uipath\/flow-tool Uipath uipath\/functions-tool Uipath uipath\/gov-tool Uipath uipath\/identity-tool Uipath uipath\/insights-sdk Uipath uipath\/insights-tool Uipath uipath\/integrationservice-sdk Uipath uipath\/integrationservice-tool Uipath uipath\/llmgw-tool Uipath uipath\/maestro-sdk Uipath uipath\/maestro-tool Uipath uipath\/orchestrator-tool Uipath uipath\/packager-tool-apiworkflow Uipath uipath\/packager-tool-bpmn Uipath uipath\/packager-tool-case Uipath uipath\/packager-tool-connector Uipath uipath\/packager-tool-flow Uipath uipath\/packager-tool-functions Uipath uipath\/packager-tool-webapp Uipath uipath\/packager-tool-workflowcompiler Uipath uipath\/packager-tool-workflowcompiler-browser Uipath uipath\/platform-tool Uipath uipath\/project-packager Uipath uipath\/resource-tool Uipath uipath\/resourcecatalog-tool Uipath uipath\/resources-tool Uipath uipath\/robot Uipath uipath\/rpa-legacy-tool Uipath uipath\/rpa-tool Uipath uipath\/solution-packager Uipath uipath\/solution-tool Uipath uipath\/solutionpackager-sdk Uipath uipath\/solutionpackager-tool-core Uipath uipath\/tasks-tool Uipath uipath\/telemetry Uipath uipath\/test-manager-tool Uipath uipath\/tool-workflowcompiler Uipath uipath\/traces-tool Uipath uipath\/ui-widgets-multi-file-upload Uipath uipath\/uipath-python-bridge Uipath uipath\/vertical-solutions-tool Uipath uipath\/vss Uipath uipath\/widget.sdk
CPEs		cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.2:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.3:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.4:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.5:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.6:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/cli:0.0.7:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.2:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.3:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.4:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.5:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.6:::::node.js:: cpe:2.3:a:abhishake1:supersurkhet\/sdk:0.0.7:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.24:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.25:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.26:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.27:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.28:::::node.js:: cpe:2.3:a:abhishake1:taskflow-corp\/cli:0.1.29:::::node.js:: cpe:2.3:a:agentworkhq:agentwork-cli:0.1.4:::::node.js:: cpe:2.3:a:agentworkhq:agentwork-cli:0.1.5:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.4:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts:1.0.5:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.2:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts\/preprocessing:1.0.3:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.3:::::node.js:: cpe:2.3:a:antoinebcx:ml-toolkit-ts\/xgboost:1.0.4:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.10:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.11:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.12:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.13:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.14:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.15:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.16:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.17:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.19:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.2:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.3:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.4:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.5:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.6:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.7:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.8:::::node.js:: cpe:2.3:a:beproduct:beproduct\/nestjs-auth:0.1.9:::::node.js:: cpe:2.3:a:christianalares:git-git-git:1.0.10:::::node.js:: cpe:2.3:a:christianalares:git-git-git:1.0.12:::::node.js:: cpe:2.3:a:christianalares:git-git-git:1.0.8:::::node.js:: cpe:2.3:a:christianalares:git-git-git:1.0.9:::::node.js:: cpe:2.3:a:christianalares:git_branch_selector:1.3.3:::::node.js:: cpe:2.3:a:christianalares:git_branch_selector:1.3.4:::::node.js:: cpe:2.3:a:christianalares:git_branch_selector:1.3.5:::::node.js:: cpe:2.3:a:christianalares:git_branch_selector:1.3.7:::::node.js:: cpe:2.3:a:christianalares:nextmove-mcp:0.1.3:::::node.js:: cpe:2.3:a:christianalares:nextmove-mcp:0.1.4:::::node.js:: cpe:2.3:a:christianalares:nextmove-mcp:0.1.5:::::node.js:: cpe:2.3:a:christianalares:nextmove-mcp:0.1.7:::::node.js:: cpe:2.3:a:christianalares:tolka\/cli:1.0.2:::::node.js:: cpe:2.3:a:christianalares:tolka\/cli:1.0.3:::::node.js:: cpe:2.3:a:christianalares:tolka\/cli:1.0.4:::::node.js:: cpe:2.3:a:christianalares:tolka\/cli:1.0.6:::::node.js:: cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.2:::::node.js:: cpe:2.3:a:dirigible:dirigible-ai\/sdk:0.6.3:::::node.js:: cpe:2.3:a:guardrailsai:guardrails_ai:0.10.1:::::python:: cpe:2.3:a:kilbot:tallyui\/components:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/components:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/components:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-medusa:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-shopify:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-vendure:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/connector-woocommerce:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/core:0.2.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/core:0.2.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/core:0.2.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/database:1.0.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/database:1.0.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/database:1.0.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/pos:0.1.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/pos:0.1.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/pos:0.1.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/storage-sqlite:0.2.3:::::node.js:: cpe:2.3:a:kilbot:tallyui\/theme:0.2.1:::::node.js:: cpe:2.3:a:kilbot:tallyui\/theme:0.2.2:::::node.js:: cpe:2.3:a:kilbot:tallyui\/theme:0.2.3:::::node.js:: cpe:2.3:a:linuxfoundation:opensearch:3.6.2:::::node.js:: cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.1:::::node.js:: cpe:2.3:a:matheuspergoli:draftauth\/client:0.2.2:::::node.js:: cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.1:::::node.js:: cpe:2.3:a:matheuspergoli:draftauth\/core:0.13.2:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.1:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/auth-router:0.5.2:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.1:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/auth:0.24.2:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.1:::::node.js:: cpe:2.3:a:matheuspergoli:draftlab\/db:0.16.2:::::node.js:: cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.3:::::node.js:: cpe:2.3:a:matheuspergoli:simple_type-safe_actions:0.8.4:::::node.js:: cpe:2.3:a:mesa:mesadev\/rest:0.28.3:::::node.js:: cpe:2.3:a:mesa:mesadev\/saguaro:0.4.22:::::node.js:: cpe:2.3:a:mesa:mesadev\/sdk:0.28.3:::::node.js:: cpe:2.3:a:mistral:mistralai:2.4.6:::::python:: cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.2:::::node.js:: cpe:2.3:a:mistral:mistralai\/mistralai-azure:1.7.3:::::node.js:: cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.2:::::node.js:: cpe:2.3:a:mistral:mistralai\/mistralai-gcp:1.7.3:::::node.js:: cpe:2.3:a:mistral:mistralai\/mistralai:2.2.3:::::node.js:: cpe:2.3:a:mistral:mistralai\/mistralai:2.2.4:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.3:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.4:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.5:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.6:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.7:::::node.js:: cpe:2.3:a:multiagentcognition:cmux-agent-mcp:0.1.8:::::node.js:: cpe:2.3:a:neilcochran:cross-stitch:1.1.3:::::node.js:: cpe:2.3:a:neilcochran:cross-stitch:1.1.4:::::node.js:: cpe:2.3:a:neilcochran:cross-stitch:1.1.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airports:0.6.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airports:0.6.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airports:0.6.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace-data:0.5.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace:0.8.1:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace:0.8.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airspace:0.8.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airway-data:0.5.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airways:0.4.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airways:0.4.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/airways:0.4.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fix-data:0.6.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fixes:0.3.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fixes:0.3.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/fixes:0.3.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flight-math:0.5.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/flightplan:0.5.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/geo:0.4.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/geo:0.4.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/geo:0.4.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry-data:0.8.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/icao-registry:0.5.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/mcp:0.9.1:::::node.js:: cpe:2.3:a:neilcochran:squawk\/mcp:0.9.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/mcp:0.9.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaid-data:0.6.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaids:0.4.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaids:0.4.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/navaids:0.4.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/notams:0.3.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/notams:0.3.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/notams:0.3.9:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedure-data:0.7.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedures:0.5.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedures:0.5.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/procedures:0.5.5:::::node.js:: cpe:2.3:a:neilcochran:squawk\/types:0.8.1:::::node.js:: cpe:2.3:a:neilcochran:squawk\/types:0.8.2:::::node.js:: cpe:2.3:a:neilcochran:squawk\/types:0.8.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/units:0.4.3:::::node.js:: cpe:2.3:a:neilcochran:squawk\/units:0.4.4:::::node.js:: cpe:2.3:a:neilcochran:squawk\/units:0.4.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/weather:0.5.6:::::node.js:: cpe:2.3:a:neilcochran:squawk\/weather:0.5.7:::::node.js:: cpe:2.3:a:neilcochran:squawk\/weather:0.5.9:::::node.js:: cpe:2.3:a:neilcochran:ts-dna:3.0.1:::::node.js:: cpe:2.3:a:neilcochran:ts-dna:3.0.2:::::node.js:: cpe:2.3:a:neilcochran:ts-dna:3.0.4:::::node.js:: cpe:2.3:a:neilcochran:wot-api:0.8.1:::::node.js:: cpe:2.3:a:neilcochran:wot-api:0.8.2:::::node.js:: cpe:2.3:a:neilcochran:wot-api:0.8.4:::::node.js:: cpe:2.3:a:uipath:uipath\/access-policy-sdk:0.3.1:::::node.js:: cpe:2.3:a:uipath:uipath\/access-policy-tool:0.3.1:::::node.js:: cpe:2.3:a:uipath:uipath\/admin-tool:0.1.1:::::node.js:: cpe:2.3:a:uipath:uipath\/agent-sdk:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/agent-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/agent.sdk:0.0.18:::::node.js:: cpe:2.3:a:uipath:uipath\/aops-policy-tool:0.3.1:::::node.js:: cpe:2.3:a:uipath:uipath\/ap-chat:1.5.7:::::node.js:: cpe:2.3:a:uipath:uipath\/api-workflow-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/apollo-core:5.9.2:::::node.js:: cpe:2.3:a:uipath:uipath\/apollo-react:4.24.5:::::node.js:: cpe:2.3:a:uipath:uipath\/apollo-wind:2.16.2:::::node.js:: cpe:2.3:a:uipath:uipath\/auth:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/case-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/cli:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/codedagent-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/codedagents-tool:0.1.12:::::node.js:: cpe:2.3:a:uipath:uipath\/codedapp-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/common:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/context-grounding-tool:0.1.1:::::node.js:: cpe:2.3:a:uipath:uipath\/data-fabric-tool:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/docsai-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/filesystem:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/flow-tool:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/functions-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/gov-tool:0.3.1:::::node.js:: cpe:2.3:a:uipath:uipath\/identity-tool:0.1.1:::::node.js:: cpe:2.3:a:uipath:uipath\/insights-sdk:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/insights-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/integrationservice-sdk:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/integrationservice-tool:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/llmgw-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/maestro-sdk:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/maestro-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/orchestrator-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-apiworkflow:0.0.19:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-bpmn:0.0.9:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-case:0.0.9:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-connector:0.0.19:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-flow:0.0.19:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-functions:0.1.1:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-webapp:1.0.6:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler-browser:0.0.34:::::node.js:: cpe:2.3:a:uipath:uipath\/packager-tool-workflowcompiler:0.0.16:::::node.js:: cpe:2.3:a:uipath:uipath\/platform-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/project-packager:1.1.16:::::node.js:: cpe:2.3:a:uipath:uipath\/resource-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/resourcecatalog-tool:0.1.1:::::node.js:: cpe:2.3:a:uipath:uipath\/resources-tool:0.1.11:::::node.js:: cpe:2.3:a:uipath:uipath\/robot:1.3.4:::::node.js:: cpe:2.3:a:uipath:uipath\/rpa-legacy-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/rpa-tool:0.9.5:::::node.js:: cpe:2.3:a:uipath:uipath\/solution-packager:0.0.35:::::node.js:: cpe:2.3:a:uipath:uipath\/solution-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/solutionpackager-sdk:1.0.11:::::node.js:: cpe:2.3:a:uipath:uipath\/solutionpackager-tool-core:0.0.34:::::node.js:: cpe:2.3:a:uipath:uipath\/tasks-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/telemetry:0.0.7:::::node.js:: cpe:2.3:a:uipath:uipath\/test-manager-tool:1.0.2:::::node.js:: cpe:2.3:a:uipath:uipath\/tool-workflowcompiler:0.0.12:::::node.js:: cpe:2.3:a:uipath:uipath\/traces-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/ui-widgets-multi-file-upload:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/uipath-python-bridge:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/vertical-solutions-tool:1.0.1:::::node.js:: cpe:2.3:a:uipath:uipath\/vss:0.1.6:::::node.js:: cpe:2.3:a:uipath:uipath\/widget.sdk:1.2.3:::::node.js::
Vendors & Products		Abhishake1 Abhishake1 supersurkhet\/cli Abhishake1 supersurkhet\/sdk Abhishake1 taskflow-corp\/cli Agentworkhq Agentworkhq agentwork-cli Antoinebcx Antoinebcx ml-toolkit-ts Antoinebcx ml-toolkit-ts\/preprocessing Antoinebcx ml-toolkit-ts\/xgboost Beproduct Beproduct beproduct\/nestjs-auth Christianalares Christianalares git-git-git Christianalares git Branch Selector Christianalares nextmove-mcp Christianalares tolka\/cli Dirigible Dirigible dirigible-ai\/sdk Guardrailsai Guardrailsai guardrails Ai Kilbot Kilbot tallyui\/components Kilbot tallyui\/connector-medusa Kilbot tallyui\/connector-shopify Kilbot tallyui\/connector-vendure Kilbot tallyui\/connector-woocommerce Kilbot tallyui\/core Kilbot tallyui\/database Kilbot tallyui\/pos Kilbot tallyui\/storage-sqlite Kilbot tallyui\/theme Linuxfoundation Linuxfoundation opensearch Matheuspergoli Matheuspergoli draftauth\/client Matheuspergoli draftauth\/core Matheuspergoli draftlab\/auth Matheuspergoli draftlab\/auth-router Matheuspergoli draftlab\/db Matheuspergoli simple Type-safe Actions Mesa Mesa mesadev\/rest Mesa mesadev\/saguaro Mesa mesadev\/sdk Mistral Mistral mistralai Mistral mistralai\/mistralai Mistral mistralai\/mistralai-azure Mistral mistralai\/mistralai-gcp Multiagentcognition Multiagentcognition cmux-agent-mcp Neilcochran Neilcochran cross-stitch Neilcochran squawk\/airports Neilcochran squawk\/airspace Neilcochran squawk\/airspace-data Neilcochran squawk\/airway-data Neilcochran squawk\/airways Neilcochran squawk\/fix-data Neilcochran squawk\/fixes Neilcochran squawk\/flight-math Neilcochran squawk\/flightplan Neilcochran squawk\/geo Neilcochran squawk\/icao-registry Neilcochran squawk\/icao-registry-data Neilcochran squawk\/mcp Neilcochran squawk\/navaid-data Neilcochran squawk\/navaids Neilcochran squawk\/notams Neilcochran squawk\/procedure-data Neilcochran squawk\/procedures Neilcochran squawk\/types Neilcochran squawk\/units Neilcochran squawk\/weather Neilcochran ts-dna Neilcochran wot-api Uipath Uipath uipath\/access-policy-sdk Uipath uipath\/access-policy-tool Uipath uipath\/admin-tool Uipath uipath\/agent-sdk Uipath uipath\/agent-tool Uipath uipath\/agent.sdk Uipath uipath\/aops-policy-tool Uipath uipath\/ap-chat Uipath uipath\/api-workflow-tool Uipath uipath\/apollo-core Uipath uipath\/apollo-react Uipath uipath\/apollo-wind Uipath uipath\/auth Uipath uipath\/case-tool Uipath uipath\/cli Uipath uipath\/codedagent-tool Uipath uipath\/codedagents-tool Uipath uipath\/codedapp-tool Uipath uipath\/common Uipath uipath\/context-grounding-tool Uipath uipath\/data-fabric-tool Uipath uipath\/docsai-tool Uipath uipath\/filesystem Uipath uipath\/flow-tool Uipath uipath\/functions-tool Uipath uipath\/gov-tool Uipath uipath\/identity-tool Uipath uipath\/insights-sdk Uipath uipath\/insights-tool Uipath uipath\/integrationservice-sdk Uipath uipath\/integrationservice-tool Uipath uipath\/llmgw-tool Uipath uipath\/maestro-sdk Uipath uipath\/maestro-tool Uipath uipath\/orchestrator-tool Uipath uipath\/packager-tool-apiworkflow Uipath uipath\/packager-tool-bpmn Uipath uipath\/packager-tool-case Uipath uipath\/packager-tool-connector Uipath uipath\/packager-tool-flow Uipath uipath\/packager-tool-functions Uipath uipath\/packager-tool-webapp Uipath uipath\/packager-tool-workflowcompiler Uipath uipath\/packager-tool-workflowcompiler-browser Uipath uipath\/platform-tool Uipath uipath\/project-packager Uipath uipath\/resource-tool Uipath uipath\/resourcecatalog-tool Uipath uipath\/resources-tool Uipath uipath\/robot Uipath uipath\/rpa-legacy-tool Uipath uipath\/rpa-tool Uipath uipath\/solution-packager Uipath uipath\/solution-tool Uipath uipath\/solutionpackager-sdk Uipath uipath\/solutionpackager-tool-core Uipath uipath\/tasks-tool Uipath uipath\/telemetry Uipath uipath\/test-manager-tool Uipath uipath\/tool-workflowcompiler Uipath uipath\/traces-tool Uipath uipath\/ui-widgets-multi-file-upload Uipath uipath\/uipath-python-bridge Uipath uipath\/vertical-solutions-tool Uipath uipath\/vss Uipath uipath\/widget.sdk

Wed, 27 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-45321
Metrics	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 27 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2026-05-27T00:00:00+00:00', 'dueDate': '2026-06-10T00:00:00+00:00'}`

Thu, 14 May 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter
CPEs		cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/arktype-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-router:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.4:::::node.js:: cpe:2.3:a:tanstack:tanstack\/eslint-plugin-start:0.0.7:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/history:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/nitro-v2-vite-plugin:1.154.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.51:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-client:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-rsc:0.0.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.55:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start-server:1.166.58:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/react-start:1.167.71:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-cli:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-core:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools-core:1.167.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.45:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-generator:1.166.48:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-plugin:1.167.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.3:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-ssr-query-core:1.168.6:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.11:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-utils:1.161.14:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/router-vite-plugin:1.166.56:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-client:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.54:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start-server:1.166.57:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.65:::::node.js:: cpe:2.3:a:tanstack:tanstack\/solid-start:1.167.68:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-client-core:1.168.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-fn-stubs:1.161.9:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.23:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-plugin-core:1.169.26:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.33:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-server-core:1.167.36:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.44:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-static-server-functions:1.166.47:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.38:::::node.js:: cpe:2.3:a:tanstack:tanstack\/start-storage-context:1.166.41:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/valibot-adapter:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.10:::::node.js:: cpe:2.3:a:tanstack:tanstack\/virtual-file-routes:1.161.13:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.16:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-devtools:1.166.19:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.15:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router-ssr-query:1.166.18:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.5:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-router:1.169.8:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.46:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-client:1.166.49:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.50:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start-server:1.166.53:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.61:::::node.js:: cpe:2.3:a:tanstack:tanstack\/vue-start:1.167.64:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.12:::::node.js:: cpe:2.3:a:tanstack:tanstack\/zod-adapter:1.166.15:::::node.js::
Vendors & Products		Tanstack tanstack\/arktype-adapter Tanstack tanstack\/eslint-plugin-router Tanstack tanstack\/eslint-plugin-start Tanstack tanstack\/history Tanstack tanstack\/nitro-v2-vite-plugin Tanstack tanstack\/react-router Tanstack tanstack\/react-router-devtools Tanstack tanstack\/react-router-ssr-query Tanstack tanstack\/react-start Tanstack tanstack\/react-start-client Tanstack tanstack\/react-start-rsc Tanstack tanstack\/react-start-server Tanstack tanstack\/router-cli Tanstack tanstack\/router-core Tanstack tanstack\/router-devtools Tanstack tanstack\/router-devtools-core Tanstack tanstack\/router-generator Tanstack tanstack\/router-plugin Tanstack tanstack\/router-ssr-query-core Tanstack tanstack\/router-utils Tanstack tanstack\/router-vite-plugin Tanstack tanstack\/solid-router Tanstack tanstack\/solid-router-devtools Tanstack tanstack\/solid-router-ssr-query Tanstack tanstack\/solid-start Tanstack tanstack\/solid-start-client Tanstack tanstack\/solid-start-server Tanstack tanstack\/start-client-core Tanstack tanstack\/start-fn-stubs Tanstack tanstack\/start-plugin-core Tanstack tanstack\/start-server-core Tanstack tanstack\/start-static-server-functions Tanstack tanstack\/start-storage-context Tanstack tanstack\/valibot-adapter Tanstack tanstack\/virtual-file-routes Tanstack tanstack\/vue-router Tanstack tanstack\/vue-router-devtools Tanstack tanstack\/vue-router-ssr-query Tanstack tanstack\/vue-start Tanstack tanstack\/vue-start-client Tanstack tanstack\/vue-start-server Tanstack tanstack\/zod-adapter

Tue, 12 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
References		https://tanstack.com/blog/npm-supply-chain-compromise-postmortem https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem

Tue, 12 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 12 May 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter
Vendors & Products		Tanstack Tanstack arktype-adapter Tanstack eslint-plugin-router Tanstack eslint-plugin-start Tanstack history Tanstack nitro-v2-vite-plugin Tanstack outer-vite-plugin Tanstack react-router Tanstack react-router-devtools Tanstack react-router-ssr-query Tanstack react-start Tanstack react-start-client Tanstack react-start-rsc Tanstack react-start-server Tanstack router-cli Tanstack router-core Tanstack router-devtools Tanstack router-devtools-core Tanstack router-generator Tanstack router-plugin Tanstack router-ssr-query-core Tanstack router-utils Tanstack solid-router Tanstack solid-router-devtools Tanstack solid-router-ssr-query Tanstack solid-start Tanstack solid-start-client Tanstack solid-start-server Tanstack start-client-core Tanstack start-fn-stubs Tanstack start-plugin-core Tanstack start-server-core Tanstack start-static-server-functions Tanstack start-storage-context Tanstack valibot-adapter Tanstack virtual-file-routes Tanstack vue-router Tanstack vue-router-devtools Tanstack vue-router-ssr-query Tanstack vue-start Tanstack vue-start-client Tanstack vue-start-server Tanstack zod-adapter

Tue, 12 May 2026 01:15:00 +0000

Type	Values Removed	Values Added
Description		On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Title		Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
Weaknesses		CWE-506
References		https://github.com/TanStack/router/issues/7383 https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Abhishake1 Supersurkhet\/cli Supersurkhet\/sdk Taskflow-corp\/cli

Agentworkhq Agentwork-cli

Antoinebcx Ml-toolkit-ts Ml-toolkit-ts\/preprocessing Ml-toolkit-ts\/xgboost

Beproduct Beproduct\/nestjs-auth

Christianalares Git-git-git Git Branch Selector Nextmove-mcp Tolka\/cli

Dirigible Dirigible-ai\/sdk

Guardrailsai Guardrails Ai

Kilbot Tallyui\/components Tallyui\/connector-medusa Tallyui\/connector-shopify Tallyui\/connector-vendure Tallyui\/connector-woocommerce Tallyui\/core Tallyui\/database Tallyui\/pos Tallyui\/storage-sqlite Tallyui\/theme

Linuxfoundation Opensearch

Matheuspergoli Draftauth\/client Draftauth\/core Draftlab\/auth Draftlab\/auth-router Draftlab\/db Simple Type-safe Actions

Mesa Mesadev\/rest Mesadev\/saguaro Mesadev\/sdk

Mistral Mistralai Mistralai\/mistralai Mistralai\/mistralai-azure Mistralai\/mistralai-gcp

Multiagentcognition Cmux-agent-mcp

Neilcochran Cross-stitch Squawk\/airports Squawk\/airspace Squawk\/airspace-data Squawk\/airway-data Squawk\/airways Squawk\/fix-data Squawk\/fixes Squawk\/flight-math Squawk\/flightplan Squawk\/geo Squawk\/icao-registry Squawk\/icao-registry-data Squawk\/mcp Squawk\/navaid-data Squawk\/navaids Squawk\/notams Squawk\/procedure-data Squawk\/procedures Squawk\/types Squawk\/units Squawk\/weather Ts-dna Wot-api

Tanstack Arktype-adapter Eslint-plugin-router Eslint-plugin-start History Nitro-v2-vite-plugin Outer-vite-plugin React-router React-router-devtools React-router-ssr-query React-start React-start-client React-start-rsc React-start-server Router-cli Router-core Router-devtools Router-devtools-core Router-generator Router-plugin Router-ssr-query-core Router-utils Solid-router Solid-router-devtools Solid-router-ssr-query Solid-start Solid-start-client Solid-start-server Start-client-core Start-fn-stubs Start-plugin-core Start-server-core Start-static-server-functions Start-storage-context Tanstack\/arktype-adapter Tanstack\/eslint-plugin-router Tanstack\/eslint-plugin-start Tanstack\/history Tanstack\/nitro-v2-vite-plugin Tanstack\/react-router Tanstack\/react-router-devtools Tanstack\/react-router-ssr-query Tanstack\/react-start Tanstack\/react-start-client Tanstack\/react-start-rsc Tanstack\/react-start-server Tanstack\/router-cli Tanstack\/router-core Tanstack\/router-devtools Tanstack\/router-devtools-core Tanstack\/router-generator Tanstack\/router-plugin Tanstack\/router-ssr-query-core Tanstack\/router-utils Tanstack\/router-vite-plugin Tanstack\/solid-router Tanstack\/solid-router-devtools Tanstack\/solid-router-ssr-query Tanstack\/solid-start Tanstack\/solid-start-client Tanstack\/solid-start-server Tanstack\/start-client-core Tanstack\/start-fn-stubs Tanstack\/start-plugin-core Tanstack\/start-server-core Tanstack\/start-static-server-functions Tanstack\/start-storage-context Tanstack\/valibot-adapter Tanstack\/virtual-file-routes Tanstack\/vue-router Tanstack\/vue-router-devtools Tanstack\/vue-router-ssr-query Tanstack\/vue-start Tanstack\/vue-start-client Tanstack\/vue-start-server Tanstack\/zod-adapter Valibot-adapter Virtual-file-routes Vue-router Vue-router-devtools Vue-router-ssr-query Vue-start Vue-start-client Vue-start-server Zod-adapter

Uipath Uipath\/access-policy-sdk Uipath\/access-policy-tool Uipath\/admin-tool Uipath\/agent-sdk Uipath\/agent-tool Uipath\/agent.sdk Uipath\/aops-policy-tool Uipath\/ap-chat Uipath\/api-workflow-tool Uipath\/apollo-core Uipath\/apollo-react Uipath\/apollo-wind Uipath\/auth Uipath\/case-tool Uipath\/cli Uipath\/codedagent-tool Uipath\/codedagents-tool Uipath\/codedapp-tool Uipath\/common Uipath\/context-grounding-tool Uipath\/data-fabric-tool Uipath\/docsai-tool Uipath\/filesystem Uipath\/flow-tool Uipath\/functions-tool Uipath\/gov-tool Uipath\/identity-tool Uipath\/insights-sdk Uipath\/insights-tool Uipath\/integrationservice-sdk Uipath\/integrationservice-tool Uipath\/llmgw-tool Uipath\/maestro-sdk Uipath\/maestro-tool Uipath\/orchestrator-tool Uipath\/packager-tool-apiworkflow Uipath\/packager-tool-bpmn Uipath\/packager-tool-case Uipath\/packager-tool-connector Uipath\/packager-tool-flow Uipath\/packager-tool-functions Uipath\/packager-tool-webapp Uipath\/packager-tool-workflowcompiler Uipath\/packager-tool-workflowcompiler-browser Uipath\/platform-tool Uipath\/project-packager Uipath\/resource-tool Uipath\/resourcecatalog-tool Uipath\/resources-tool Uipath\/robot Uipath\/rpa-legacy-tool Uipath\/rpa-tool Uipath\/solution-packager Uipath\/solution-tool Uipath\/solutionpackager-sdk Uipath\/solutionpackager-tool-core Uipath\/tasks-tool Uipath\/telemetry Uipath\/test-manager-tool Uipath\/tool-workflowcompiler Uipath\/traces-tool Uipath\/ui-widgets-multi-file-upload Uipath\/uipath-python-bridge Uipath\/vertical-solutions-tool Uipath\/vss Uipath\/widget.sdk

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-12T00:12:35.452Z

Updated: 2026-05-28T03:55:26.991Z

Reserved: 2026-05-11T20:50:30.539Z

Link: CVE-2026-45321

Vulnrichment

Updated: 2026-05-12T13:21:29.648Z

NVD

Status : Analyzed

Published: 2026-05-12T01:16:46.820

Modified: 2026-06-17T10:51:54.877

Link: CVE-2026-45321

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T08:15:17Z

Weaknesses

CWE-506

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation active

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object