Critical · Known exploited (KEV) · Ransomware use · CVE-2026-45321

Malicious versions of TanStack npm packages (CVE-2026-45321) — credential-stealing malware shipped under a trusted name

Vendor / product: TanStack / TanStack · Added to KEV: May 27, 2026 · Federal remediation due: 2026-06-10

Malicious versions of the widely used TanStack (a family of React libraries) were published to the npm registry, distributing credential-stealing malware under a trusted publisher identity. CISA listed it as known-exploited (KEV) with confirmed ransomware use (CVSS 9.6 Critical).

Key facts

  • CVE ID: CVE-2026-45321
  • CVSS base score: 9.6 CRITICAL
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Affected (vendor / product): TanStack / TanStack
  • Exploitation: Listed in CISA KEV (exploitation confirmed); also confirmed used in ransomware
  • Remediation due: 2026-06-10 (U.S. federal civilian agencies, BOD 22-01)

Key points

  • Malicious versions of TanStack (popular React libraries) were published to npm
  • A trusted publisher (maintainer identity) was abused to distribute credential-stealing malware
  • Listed in CISA KEV (exploitation confirmed); ransomware use also confirmed (CVSS 9.6 Critical)
  • Response: update to a safe version and inspect dependencies (direct and transitive) and lockfiles
  • Like the contemporaneous Nx Console case, a supply-chain attack on the development ecosystem

CVE-2026-45321 covers a case where malicious versions were published to the npm registry for TanStack (the TanStack Query/Router/Table libraries widely used in the React ecosystem). It was added to CISA's KEV catalog on May 27, 2026, with ransomware use also confirmed.

The key point is that the malware was distributed by abusing a "trusted identity." To users it looks like a new version of a legitimate package they already use, so an `npm install` or version bump can pull in credential-stealing malware unnoticed. What gets stolen are developer tokens and keys, which then become the starting point for further compromise under a legitimate guise.

It entered KEV around the same time as Nx Console (CVE-2026-48027); both are supply-chain attacks targeting the development ecosystem (npm / IDE extensions) and are emblematic of recent attack trends.

Key response: if you use TanStack-related packages, check the affected packages and versions in the vendor's GitHub Security Advisory (GHSA-g7cv-rxg3-hmpx) and update to a safe version. Inspect lockfiles and resolved dependencies (both direct and transitive), and on machines or CI that installed/updated during the suspicious window, revoke and reissue the tokens and keys used. The federal civilian remediation deadline was June 10, 2026.
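As an added example (not code from the advisory or from the TanStack project), the lockfile check described above, done against the npm lockfile v2/v3 "packages" map: every installed copy of an `@tanstack/*` package is listed, hoisted or nested, marked direct or transitive, and compared against a block list. The versions in `KNOWN_BAD` are placeholders, not the real affected versions; those come from GHSA-g7cv-rxg3-hmpx. The lockfile object is a constructed sample.

```javascript
// Added example (not the advisory's or TanStack's code): inspect an npm lockfile
// (v2/v3 "packages" map) for @tanstack/* packages, tell direct from transitive
// installs, and flag versions on a block list. KNOWN_BAD holds PLACEHOLDER
// versions; take the real affected versions from GHSA-g7cv-rxg3-hmpx.
const KNOWN_BAD = {
  "@tanstack/react-query": new Set(["99.9.9"]), // placeholder, not a real version
  "@tanstack/query-core": new Set(["99.9.8"]),  // placeholder, not a real version
};

// Constructed sample lockfile: the app depends directly on @tanstack/react-query,
// which pulls in @tanstack/query-core transitively (nested under it).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@tanstack/react-query": "^5.0.0", react: "^18.0.0" } },
    "node_modules/react": { version: "18.3.1" },
    "node_modules/@tanstack/react-query": { version: "99.9.9",
      dependencies: { "@tanstack/query-core": "99.9.8" } },
    "node_modules/@tanstack/react-query/node_modules/@tanstack/query-core": { version: "99.9.8" },
    "node_modules/@tanstack/react-table": { version: "8.20.5" },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b" (text after the last "node_modules/")
function packageNameFromPath(p) {
  const idx = p.lastIndexOf("node_modules/");
  return idx === -1 ? null : p.slice(idx + "node_modules/".length);
}

// One finding per installed copy of a package in `scope` (hoisted or nested).
function scanLockfile(lock, scope = "@tanstack/") {
  const root = lock.packages[""] || {};
  const direct = new Set(Object.keys(root.dependencies || {})
    .concat(Object.keys(root.devDependencies || {})));
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path === "" ? null : packageNameFromPath(path);
    if (!name || !name.startsWith(scope)) continue;
    const bad = KNOWN_BAD[name];
    findings.push({
      name, path, version: entry.version,
      // direct only if the root manifest lists it AND this is the top-level copy
      direct: direct.has(name) && path === `node_modules/${name}`,
      flagged: Boolean(bad && bad.has(entry.version)),
    });
  }
  return findings;
}

scanLockfile(SAMPLE_LOCK).forEach(f => console.log(f.flagged ? "FLAGGED" : "ok", f.name + "@" + f.version, f.direct ? "direct" : "transitive", f.path));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` instead of `SAMPLE_LOCK`; a flagged hit on a CI runner or developer machine is the signal to rotate the tokens and keys that machine held.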

Why it matters

Because these libraries are widely depended on across React web development, the blast radius is broad. The priorities are inspecting transitive as well as direct dependencies and rotating credentials on CI and developer machines.

FAQ

What is TanStack?
A family of popular open-source libraries used mainly with React, including TanStack Query (formerly React Query), TanStack Router, and TanStack Table.
How does the compromise happen?
By pulling in a malicious version that looks like a legitimate package via npm, which executes credential-stealing malware.
What should I do?
Check the scope in the GitHub Security Advisory (GHSA-g7cv-rxg3-hmpx) and update to a safe version. On environments that pulled it in during the suspicious window, reissue tokens and keys.

Sources (primary)

This article is an independent summary based on the U.S. official data sources. Always verify the exact, latest details and applicability with the official and vendor sources.

Tags: Supply chain, npm, React, Credential theft, Ransomware
Disclaimer: This site independently summarizes and classifies information based on official data sources. Always verify the latest and accurate information with the official sources. Content on finance, health, legal, and security is information, not advice. This site is not an official website of the U.S. government.