COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-45321

CVE-2026-45321

Severity
critical · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-05-27
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-45321
⌖ exploited in the wild shame 85/100 ransomwareexploited-in-wildsupply-chaindata-breach

TanStack published credential-stealing malware under a trusted npm identity due to an unspecified vulnerability.

TanStack allowed malicious versions of its product to be published to the npm registry under a trusted identity, enabling credential-stealing malware distribution. This supply-chain compromise poses severe risks to DIB organizations relying on npm packages for authentication and data integrity.

Shame score — Publishing credential-stealing malware under a trusted identity is a severe supply-chain failure that undermines trust in the npm ecosystem.

Players implicated

TanStack · vendorTanStack · product

Description

TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.