CVE-2026-45321: TanStack Unspecified Vulnerability
Summary
An unspecified vulnerability in TanStack allowed malicious versions of its packages to be published to the npm registry. These malicious versions delivered credential-stealing malware under a trusted publisher identity. CISA is requiring mitigation actions by June 10, 2026.
IFF Assessment
The vulnerability in TanStack enabled the publication of credential-stealing malware through the npm registry, posing a direct threat to the credentials and data of anyone who installed the affected versions.
Severity
The vulnerability allows malicious packages to be published to the npm registry, where they can be downloaded and executed by users, leading to credential theft. This implies broad reach across downstream consumers and significant impact.
CISA KEV: Listed as actively exploited. Federal patch due: June 10, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability highlights the risk of software supply-chain attacks within the development ecosystem. Defenders should assume that trusted publisher identities and repositories can be compromised and used to distribute malicious code. Continuous monitoring of software dependencies and strong controls on package management are essential.
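As an added illustration of the dependency monitoring recommended above (example code written for this page, not part of the advisory or of TanStack), the following Node.js script audits a package-lock.json for @tanstack/* entries against a defender-maintained allowlist. The allowlist versions, the placeholder integrity hashes and the sample lockfile are constructed; only the registry URL is real.

```javascript
// Added example, not from the advisory: audit a package-lock.json
// (lockfile v2/v3 "packages" layout) for @tanstack/* entries. It flags
// versions outside a defender-maintained allowlist, entries lacking an
// "integrity" hash, and tarballs not resolved from the public registry.
// Allowlist versions and sample data are constructed PLACEHOLDERS.
const REGISTRY = 'https://registry.npmjs.org/';
const KNOWN_GOOD = {
  '@tanstack/react-query': new Set(['0.0.0-PLACEHOLDER-good']),
  '@tanstack/query-core': new Set(['0.0.0-PLACEHOLDER-good']),
};
// "node_modules/@scope/name" or nested "node_modules/a/node_modules/@scope/name"
function packageName(lockPath) {
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}
function auditLockfile(lock, allowlist = KNOWN_GOOD, scope = '@tanstack/') {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageName(lockPath);
    if (!name.startsWith(scope)) continue;
    const flag = (issue) => findings.push({ name, version: entry.version, issue });
    const allowed = allowlist[name];
    if (!allowed || !allowed.has(entry.version)) flag('unexpected-version');
    if (!entry.integrity) flag('missing-integrity');
    if (!(entry.resolved || '').startsWith(REGISTRY)) flag('unexpected-source');
  }
  return findings;
}
// Constructed sample lockfile fragment: one clean @tanstack entry, one
// suspicious entry (unknown version, off-registry tarball, no integrity),
// and one out-of-scope package that the audit ignores.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@tanstack/react-query': {
      version: '0.0.0-PLACEHOLDER-good',
      resolved: REGISTRY + '@tanstack/react-query/-/react-query-0.0.0.tgz',
      integrity: 'sha512-PLACEHOLDER',
    },
    'node_modules/@tanstack/query-core': {
      version: '0.0.0-PLACEHOLDER-unknown',
      resolved: 'https://example.invalid/query-core.tgz',
    },
    'node_modules/react': { version: '18.2.0', resolved: REGISTRY + 'react/-/react-18.2.0.tgz', integrity: 'sha512-PLACEHOLDER' },
  },
};
console.log(auditLockfile(SAMPLE_LOCK));
```

To use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and fill KNOWN_GOOD from the versions you have actually reviewed.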