Exposures › CVE-2026-45321
TanStack published credential-stealing malware under a trusted npm identity due to an unspecified vulnerability.
TanStack allowed malicious versions of its product to be published to the npm registry under a trusted identity, enabling credential-stealing malware distribution. This supply-chain compromise poses severe risks to DIB organizations relying on npm packages for authentication and data integrity.
Shame score — Publishing credential-stealing malware under a trusted identity is a severe supply-chain failure that undermines trust in the npm ecosystem.
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry to publish credential-stealing malware under a trusted identity.
No correlated FedRAMP products.