Transitory mitigation in flight. As of 2026-05-12, the patched versions named in the GHSA advisory (@tanstack/react-router@1.169.9, @tanstack/react-router-devtools@1.166.20, @tanstack/router-cli@1.166.50, @tanstack/router-plugin@1.167.42) have not been published to npm. npm view returns 404 for those tags; the registry currently tops out below the malicious window (e.g. @tanstack/react-router latest is 1.169.2). The malicious tarballs were pulled server-side, but no patched build is yet live.
The in-flight PR pins direct deps to the current latest non-malicious versions (1.169.2 / 1.166.13 / 1.166.43 / 1.167.35) using exact specifiers to neutralise the ^-drift exposure. This issue must remain open until the GHSA-listed patched versions appear on npm; a follow-up PR should then move the pins to those versions and (optionally) restore ^ ranges.
Description
The TanStack team disclosed a supply-chain attack on 2026-05-11 where 84 malicious versions across 42 @tanstack/* packages were published to npm (CVE-2026-45321 / GHSA-g7cv-rxg3-hmpx). Malicious tarballs execute router_init.js (~2.3 MB) at install time, which harvests cloud credentials (AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens), ~/.npmrc, GitHub tokens, and SSH keys, then exfiltrates them over the Session messenger network. It also installs a persistence agent (~/.local/bin/gh-token-monitor.sh / systemd user service / macOS LaunchAgent) that runs rm -rf ~ if the stolen GitHub token is revoked.
dAppBooster ships these affected packages in package.json:
| Package | Current spec | Locked version | Vulnerable | Patched |
|---|---|---|---|---|
| @tanstack/react-router | ^1.168.10 | 1.168.10 | 1.169.5, 1.169.8 | 1.169.9 |
| @tanstack/react-router-devtools (dev) | ^1.166.11 | 1.166.11 | 1.166.16, 1.166.19 | 1.166.20 |
| @tanstack/router-cli (dev) | ^1.166.25 | 1.166.25 | 1.166.46, 1.166.49 | 1.166.50 |
| @tanstack/router-plugin (dev) | ^1.167.12 | 1.167.12 | 1.167.38, 1.167.41 | 1.167.42 |
Transitive (pulled by the above; check after bumps):
| Package | Locked version | Vulnerable | Patched |
|---|---|---|---|
| @tanstack/router-core | 1.168.9 | 1.169.5, 1.169.8 | 1.169.9 |
| @tanstack/history | 1.161.6 | 1.161.9, 1.161.12 | 1.161.13 |
| @tanstack/router-generator | 1.166.24 | 1.166.45, 1.166.48 | 1.166.49 |
| @tanstack/router-utils | 1.161.6 | 1.161.11, 1.161.14 | 1.161.15 |
| @tanstack/virtual-file-routes | 1.161.7 | 1.161.10, 1.161.13 | 1.161.14 |
| @tanstack/router-devtools-core | 1.167.1 | 1.167.6, 1.167.9 | 1.167.10 |
@tanstack/react-query, @tanstack/react-query-devtools, and @tanstack/react-virtual are confirmed unaffected by the postmortem.
Today's lockfile pins versions BELOW the malicious window so the installed tree is clean, but the ^ ranges in package.json would resolve into the malicious window on any fresh resolution (deleted lockfile, pnpm update, Renovate/Dependabot). The malicious versions are deprecated on npm, but tarballs may still be installable in some mirrors and caches.
Steps to reproduce
1. Delete pnpm-lock.yaml and node_modules.
2. Run pnpm install.
3. Inspect the resolved versions of @tanstack/router-plugin, @tanstack/react-router, @tanstack/router-cli, @tanstack/react-router-devtools and their transitive deps.

Before the npm registry deprecation propagated, the caret ranges would have resolved to malicious versions in the affected ranges above.
Expected vs actual behavior
Expected: All @tanstack/* resolutions land on patched versions (>= 1.169.9 for the react-router family, etc.) and the project documents the audit so future fresh installs cannot regress.
Actual: package.json carets cover the malicious window. The lockfile is clean today only because it predates the attack.
Reproduction link
TanStack/router#7383
Environment
Additional context
Acceptance criteria
1. Update package.json to the patched releases (or higher):
   - @tanstack/react-router -> ^1.169.9
   - @tanstack/react-router-devtools -> ^1.166.20
   - @tanstack/router-cli -> ^1.166.50
   - @tanstack/router-plugin -> ^1.167.42
2. Regenerate pnpm-lock.yaml and confirm no transitive @tanstack/* version falls in a vulnerable range.
3. Run pnpm wagmi-generate, pnpm routes:generate, pnpm lint, pnpm test, and pnpm build to confirm the bump is non-breaking.
Interim mitigation (until patched versions are on npm)
Pin @tanstack/react-router, @tanstack/react-router-devtools, @tanstack/router-cli, @tanstack/router-plugin to exact current-latest non-malicious versions to prevent ^-drift.
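As an added example (not code from the dAppBooster project or the TanStack advisory), the Node script below performs the check called for in the steps to reproduce and the acceptance criteria, plus the interim pinning: it tests a set of resolved versions against the malicious versions listed in the tables above, reports which of those versions each package.json caret range would admit on a fresh resolution, and rewrites the caret specs to the exact versions named in the interim mitigation. The malicious and known-good versions are copied from this issue; the package.json and lockfile samples are constructed, and the minimal semver helper assumes plain X.Y.Z versions with major >= 1 (no prerelease tags, no 0.x caret rules). In a real audit you would feed it the resolved versions from pnpm-lock.yaml or from `pnpm list --json`.

```javascript
// Added example: audit @tanstack/* resolutions against the malicious versions
// from this issue and check package.json caret ranges for drift exposure.
// Not project code. Version data below is copied from the issue's tables;
// the package.json and lockfile inputs are constructed samples.

// Malicious versions per package (from the issue's tables).
const MALICIOUS = {
  "@tanstack/react-router": ["1.169.5", "1.169.8"],
  "@tanstack/react-router-devtools": ["1.166.16", "1.166.19"],
  "@tanstack/router-cli": ["1.166.46", "1.166.49"],
  "@tanstack/router-plugin": ["1.167.38", "1.167.41"],
  "@tanstack/router-core": ["1.169.5", "1.169.8"],
  "@tanstack/history": ["1.161.9", "1.161.12"],
  "@tanstack/router-generator": ["1.166.45", "1.166.48"],
  "@tanstack/router-utils": ["1.161.11", "1.161.14"],
  "@tanstack/virtual-file-routes": ["1.161.10", "1.161.13"],
  "@tanstack/router-devtools-core": ["1.167.6", "1.167.9"],
};

// Minimal semver helpers (no external dependency). Assumption: plain X.Y.Z
// versions with major >= 1; prerelease tags and 0.x caret rules are not handled.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ^X.Y.Z (X >= 1) admits >= X.Y.Z and < (X+1).0.0; an exact spec admits only itself.
function specAdmits(spec, version) {
  if (spec.startsWith("^")) {
    const base = spec.slice(1);
    return compareVersions(version, base) >= 0 &&
      parseVersion(version)[0] === parseVersion(base)[0];
  }
  return compareVersions(spec, version) === 0;
}

// Resolved tree check: returns "name@version" for every resolved package
// that is one of the malicious versions (what step 3 of the repro inspects).
function auditResolved(resolved) {
  const hits = [];
  for (const [name, version] of Object.entries(resolved)) {
    if ((MALICIOUS[name] || []).includes(version)) hits.push(`${name}@${version}`);
  }
  return hits;
}

// Drift check: which malicious versions would each package.json spec admit
// on a fresh resolution (deleted lockfile, pnpm update, Renovate/Dependabot)?
function driftExposure(deps) {
  const exposure = {};
  for (const [name, spec] of Object.entries(deps)) {
    const bad = (MALICIOUS[name] || []).filter((v) => specAdmits(spec, v));
    if (bad.length) exposure[name] = bad;
  }
  return exposure;
}

// Interim mitigation: replace specs with exact known-good versions where listed.
function pinExact(deps, knownGood) {
  const pinned = {};
  for (const [name, spec] of Object.entries(deps)) {
    pinned[name] = name in knownGood ? knownGood[name] : spec;
  }
  return pinned;
}

// Constructed sample input: today's package.json specs and lockfile versions as
// reported in the issue (a subset of the transitive tree for brevity).
const SAMPLE_DEPS = {
  "@tanstack/react-router": "^1.168.10",
  "@tanstack/react-router-devtools": "^1.166.11",
  "@tanstack/router-cli": "^1.166.25",
  "@tanstack/router-plugin": "^1.167.12",
};
const SAMPLE_LOCK = {
  "@tanstack/react-router": "1.168.10",
  "@tanstack/router-core": "1.168.9",
  "@tanstack/history": "1.161.6",
};
// Latest non-malicious versions named in the issue's interim mitigation.
const KNOWN_GOOD = {
  "@tanstack/react-router": "1.169.2",
  "@tanstack/react-router-devtools": "1.166.13",
  "@tanstack/router-cli": "1.166.43",
  "@tanstack/router-plugin": "1.167.35",
};

console.log("lockfile hits:", auditResolved(SAMPLE_LOCK));
console.log("caret drift exposure:", driftExposure(SAMPLE_DEPS));
console.log("pinned specs:", pinExact(SAMPLE_DEPS, KNOWN_GOOD));
console.log("exposure after pinning:", driftExposure(pinExact(SAMPLE_DEPS, KNOWN_GOOD)));
```

The lockfile sample reports no hits (it predates the attack), every caret spec is flagged as admitting both malicious versions of its package, and the exact pins leave no exposure. Once the GHSA-listed patched versions are on npm, the same `driftExposure` check run over the new caret specs (e.g. `^1.169.9`) would confirm they sit above the malicious window.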