Skip to main content

Kubernetes CVE-2026-45321

| EUVDEUVD-2026-29352 CRITICAL
Embedded Malicious Code (CWE-506)
2026-05-12 https://github.com/TanStack/router GHSA-g7cv-rxg3-hmpx
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
SUSE
CRITICAL
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Added to CISA KEV
May 27, 2026 - 19:46 CISA
Source Code Evidence Fetched
May 12, 2026 - 00:31 vuln.today
Analysis Generated
May 12, 2026 - 00:31 vuln.today
CVE Published
May 12, 2026 - 00:12 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

Summary

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes - a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process - to publish credential-stealing malware under a trusted identity.

Each affected package received exactly two malicious versions, published a few minutes apart.

Impact

A user installing any affected version executes a payload (~2.3 MB obfuscated router_init.js) at install time that:

  • Harvests credentials from common locations:
  • AWS instance metadata (IMDS) and Secrets Manager
  • GCP metadata service
  • Kubernetes service-account tokens
  • HashiCorp Vault tokens
  • ~/.npmrc (npm tokens)
  • GitHub tokens (env vars, gh CLI config, .git-credentials)
  • SSH private keys (~/.ssh/)
  • Exfiltrates harvested data over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org). This is end-to-end encrypted with no attacker-controlled C2, so blocking by IP or domain is the only network mitigation.
  • Enumerates packages that the victim maintains via registry.npmjs.org/-/v1/search?text=maintainer:<user> and republishes them with the same injection, propagating the compromise across npm.

Any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised. All credentials accessible to the install process should be rotated immediately. Cloud audit logs should be reviewed for activity originating from the affected hosts during and after the install window.

Detection

Inspect the published manifest of any pinned @tanstack/* version. Malicious manifests contain this exact optionalDependencies entry:

json
"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c"
}

To check a version without running install scripts:

bash
npm pack @tanstack/<name>@<version>
# downloads tarball; does NOT execute lifecycle scripts
tar -xzf *.tgz
grep -A3 optionalDependencies package/package.json
ls -la package/router_init.js
# malicious payload, ~2.3 MB, present at package root

The payload file router_init.js is approximately 2.3 MB of obfuscated JavaScript. It is placed at the tarball root and is intentionally not declared in the package's "files" array, so it does not appear in the package's documented contents.

Mechanism

@tanstack/setup is not a real package on the npm registry. The github:tanstack/router#79ac49ee... specifier resolves to an orphan commit pushed to a fork in the tanstack/router GitHub fork network. GitHub serves commits across the entire fork network for git-URL dependencies, so the attacker did not require write access to TanStack/router itself - only the ability to fork and push to their own fork.

When npm processes the optional dependency, it:

  1. Fetches the orphan commit from the fork network.
  2. Installs the commit's declared dependencies (which include a real bun binary).
  3. Runs the commit's prepare lifecycle script: bun run tanstack_runner.js && exit 1. The trailing exit 1 causes the optional install to fail, after which npm silently discards it - leaving no node_modules trace.
  4. The tanstack_runner.js script in turn executes router_init.js from the host package's tarball.

Patches

Affected versions are being deprecated on npm with a SECURITY: notice. Where npm policy allows (no existing third-party dependents), affected versions are also being unpublished. The npm security team has been engaged to pull tarballs server-side for versions that cannot be unpublished.

Clean follow-up releases are being prepared. Update to the patched version listed in the affected-products table for each package, then reinstall from a clean lockfile.

Workarounds

Until clean follow-up releases are available:

  • Pin every @tanstack/* dependency to a known-good version published before 2026-05-11 19:00 UTC. The last known-good version for most affected packages was published on 2026-03-15.
  • Delete node_modules and the lockfile, then reinstall to ensure no transitive dependency resolves to a malicious version.
  • Configure npm to skip lifecycle scripts on install (npm config set ignore-scripts true) as a temporary defense-in-depth measure.
  • For CI, audit any pipeline that ran install against @tanstack/* between 19:20 and 19:30 UTC on 2026-05-11. Treat the runner as compromised and rotate any secrets it had access to.

Indicators of compromise

IndicatorValue
Malicious git refgithub:tanstack/router#79ac49eedf774dd4b0cfa308722bc463cfe5885c
Fictitious package name@tanstack/setup
Payload filenamerouter_init.js (~2.3 MB, package root, undeclared in files)
Helper filename in orphan committanstack_runner.js
Exfiltration networkfilev2.getsession.org, seed1.getsession.org, seed2.getsession.org, seed3.getsession.org
Second-stage payload URLshttps://litter.catbox.moe/h8nc9u.js, https://litter.catbox.moe/7rrc6l.mjs
Poisoned cache keyLinux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11
Publish window (UTC)2026-05-11 19:20 - 19:26
Publish mechanismGitHub Actions OIDC trusted publisher (oidc:db7d6f54-05d5-412b-8a10-e7a8398b303e)
Workflow runshttps://github.com/TanStack/router/actions/runs/25613093674 (attempt 4), https://github.com/TanStack/router/actions/runs/25691781302
Attacker GitHub accountszblgg (id 127806521), voicproducoes (id 269549300)
Attacker fork (renamed to evade detection)https://github.com/zblgg/configuration

Credits

  • The security researcher who initially disclosed the vulnerability publicly with detailed analysis at https://github.com/TanStack/router/issues/7383

References

  • Public incident tracking issue: https://github.com/TanStack/router/issues/7383
  • Related research:
  • Adnan Khan, "The Monsters in Your Build Cache: GitHub Actions Cache Poisoning" (May 2024)
  • GitHub Security Lab, "Keeping your GitHub Actions and workflows secure: Preventing Pwn Requests"
  • StepSecurity, "tj-actions/changed-files action is compromised" (March 2025) - the malicious payload reuses this incident's runner-memory extraction technique verbatim

AnalysisAI

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actions exploitation. Attackers combined pull_request_target misconfiguration, Actions cache poisoning, and OIDC token memory extraction to publish malicious code under the legitimate TanStack identity. Installing any affected version executes a 2.3 MB obfuscated payload that exfiltrates AWS/GCP/Kubernetes credentials, npm tokens, GitHub secrets, SSH keys, and HashiCorp Vault tokens over encrypted Session/Oxen messenger infrastructure. The payload propagates by republishing victim-maintained packages with identical injection. Socket.dev and the TanStack team confirmed the incident via GHSA-g7cv-rxg3-hmpx. No EPSS or CISA KEV data available for this recent supply-chain attack. CVSS 9.6 reflects the cross-scope credential theft impact (S:C/C:H/I:H), though exploitation requires user-initiated package installation (UI:R).

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2020-8554 MEDIUM POC
6.3 Jan 21

Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter

CVE-2025-55190 CRITICAL POC
9.9 Sep 04

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne

CVE-2018-18843 CRITICAL POC
10.0 Dec 04

The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4

CVE-2026-22039 CRITICAL POC
9.9 Jan 27

Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass

CVE-2024-42480 CRITICAL POC
9.9 Aug 12

Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem

CVE-2023-28110 CRITICAL POC
9.9 Mar 16

Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref

CVE-2026-25996 CRITICAL POC
9.8 Feb 12

String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter

CVE-2023-48312 CRITICAL POC
9.8 Nov 24

capsule-proxy is a reverse proxy for the capsule operator project. Rated critical severity (CVSS 9.8), this vulnerabilit

Vendor StatusVendor

SUSE

Severity: Critical

Share

CVE-2026-45321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy