TP-EXP-2026-0310 | CVE-2026-45321 | Critical | Active Exploitation | AI Draft

TanStack Unspecified Vulnerability (CVE-2026-45321)

CVE: CVE-2026-45321
Platform: TanStack packages on the npm registry
Type: Supply Chain Compromise
Severity: CRITICAL
Status: Active Exploitation
Zero-Day: Confirmed
Disclosed: May 27, 2026
Patched: Not recorded
Researcher: Unknown
CISA KEV: Listed

Severity Assessment

  • Exploitability: 9/10
  • Impact: 9/10
  • Weaponization Risk: 8/10
  • Patch Urgency: 9/10
  • Detection Coverage: 6/10

CISA added CVE-2026-45321 to KEV on 2026-05-27 with required action due by 2026-06-10. KEV inclusion and the advisory details indicate active exploitation with high credential-theft risk in software supply-chain contexts.

Summary

CVE-2026-45321 is tracked as a TanStack vulnerability tied to malicious package publication events in the npm ecosystem. CISA KEV describes malicious versions published under trusted identities, with credential-stealing outcomes.

GitHub’s linked TanStack advisory (GHSA-g7cv-rxg3-hmpx) reports malicious versions published across multiple @tanstack/* packages and provides package/version-level remediation guidance.

Exploit Chain

Stage 1: Trusted Package Namespace Abuse

Malicious package versions were published under @tanstack/* names, creating a trusted-distribution path for downstream consumers.

Stage 2: Malicious Code Distribution

Affected versions were distributed through npm package retrieval and dependency resolution paths.

Stage 3: Credential Theft Activity

The malicious published versions carried credential-theft functionality, as documented by CISA KEV and the GHSA disclosure context.

Detection Guidance

  • Monitor dependency and lockfile changes for unexpected @tanstack/* versions during the affected publication window.
  • Alert on build or runtime access attempts to cloud credentials, GitHub tokens, and SSH key material originating from package install/runtime processes.
  • Compare installed package tarballs and checksums against known clean versions published after vendor remediation actions.
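The first and third detection items above (unexpected @tanstack/* versions in the lockfile, and installed integrity hashes that do not match known-clean releases) can be checked mechanically. The following is an added example written for this profile, not code from the advisory, CISA or the TanStack project. It walks the `packages` map of an npm v2/v3 `package-lock.json`, collects every @tanstack/* entry (including nested copies under other dependencies), and classifies each against a version blocklist and an integrity allowlist. Every package name, version and `sha512-` value below is a constructed placeholder; the real blocklist comes from the package/version list in GHSA-g7cv-rxg3-hmpx, and the real allowlist from a lockfile regenerated after remediation.

```javascript
// Added example (not the advisory's or TanStack's own code): scan an npm lockfile
// for @tanstack/* entries and flag blocked versions or integrity mismatches.
// All names, versions and hashes here are constructed placeholders.

const SUSPECT_SCOPE = '@tanstack/';

// Placeholder blocklist: populate from the vendor advisory (package -> bad versions).
const BLOCKLIST = {
  '@tanstack/example-pkg': new Set(['9.9.9']),
};

// Placeholder allowlist of known-clean integrity hashes keyed by "name@version".
// Take real values from a lockfile generated after remediation.
const KNOWN_CLEAN_INTEGRITY = {
  '@tanstack/example-pkg@1.2.3': 'sha512-CLEANPLACEHOLDER',
};

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/legacy-widget/node_modules/@tanstack/example-pkg".
function packageNameFromKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Return every entry in the given scope, top-level or nested, with its metadata.
function findScopedPackages(lockfile, scope = SUSPECT_SCOPE) {
  const out = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    const name = packageNameFromKey(key);
    if (name && name.startsWith(scope)) {
      out.push({ name, path: key, version: meta.version, integrity: meta.integrity });
    }
  }
  return out;
}

// Classify each entry as 'blocked', 'integrity-mismatch', 'unverified' or 'ok'.
// 'unverified' means the version is not on the blocklist but has no known-clean hash;
// it still deserves a manual look rather than being treated as clean.
function assessEntries(entries, blocklist = BLOCKLIST, allow = KNOWN_CLEAN_INTEGRITY) {
  return entries.map((e) => {
    const bad = blocklist[e.name];
    if (bad && bad.has(e.version)) return { ...e, status: 'blocked' };
    const expected = allow[`${e.name}@${e.version}`];
    if (expected === undefined) return { ...e, status: 'unverified' };
    return { ...e, status: expected === e.integrity ? 'ok' : 'integrity-mismatch' };
  });
}

// Count findings by status so a CI gate can fail on anything other than 'ok'.
function summarize(results) {
  const counts = { ok: 0, blocked: 0, 'integrity-mismatch': 0, unverified: 0 };
  for (const r of results) counts[r.status] += 1;
  return counts;
}

// Constructed sample lockfile (v3 layout) exercising every status once; not real data.
const SAMPLE_LOCKFILE = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '0.0.1' },
    'node_modules/@tanstack/example-pkg': {
      version: '1.2.3', integrity: 'sha512-CLEANPLACEHOLDER',
    },
    'node_modules/legacy-widget': { version: '0.1.0', integrity: 'sha512-IGNOREDPLACEHOLDER' },
    'node_modules/legacy-widget/node_modules/@tanstack/example-pkg': {
      version: '9.9.9', integrity: 'sha512-BLOCKEDPLACEHOLDER',
    },
    'node_modules/@tanstack/other-pkg': { version: '2.0.0', integrity: 'sha512-UNKNOWNPLACEHOLDER' },
    'node_modules/another-dep/node_modules/@tanstack/example-pkg': {
      version: '1.2.3', integrity: 'sha512-TAMPEREDPLACEHOLDER',
    },
  },
};

// Scan a parsed lockfile object; defaults to the constructed sample.
function scanLockfile(lockfile = SAMPLE_LOCKFILE) {
  return assessEntries(findScopedPackages(lockfile));
}

if (typeof require !== 'undefined' && require.main === module) {
  const results = scanLockfile();
  for (const r of results) console.log(`${r.status.padEnd(19)} ${r.name}@${r.version}  (${r.path})`);
  console.log(summarize(results));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; anything other than an all-`ok` summary should block the build until the version is cross-checked against the advisory. Nested copies matter: the scan walks every `node_modules/` path rather than only the top level, because a transitive dependency can pin an affected version that never appears in your own `package.json`.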

Indicators of Compromise

  • Presence of identified malicious package versions in dependency manifests or lockfiles for @tanstack/* packages listed in GHSA-g7cv-rxg3-hmpx.
  • Evidence of suspicious token or credential access immediately after npm install/build steps involving affected package versions.
  • Unplanned package deprecation/unpublish notices matching the advisory timeframe and affected package list.

Disclosure Timeline

2026-05-11 — Malicious package publication window reported

GHSA disclosure reports a short publication window for malicious @tanstack/* versions.

2026-05-27 — CISA KEV inclusion

CISA added CVE-2026-45321 to KEV and set a remediation due date of 2026-06-10.

2026-05-27 — Public advisory availability

Public advisory references for CVE-2026-45321 and GHSA guidance were available to support remediation actions.

Sources & References