CVE-2026-45321: Critical Supply Chain Compromise in @tanstack Packages via GitHub Actions Misconfiguration Vulnerability ID: CVE-2026-45321 CVSS Score: 9.6 Published: 2026-05-12 On May 11, 2026, threat actors executed a multi-stage supply chain attack against the @tanstack ecosystem. By exploiting a pull_request_target misconfiguration in GitHub Actions, attackers poisoned build caches and extracted OIDC tokens from memory. This allowed the unauthorized publication of 84 malicious package versions containing credential-stealing malware. TL;DR A misconfigured GitHub Actions workflow allowed attackers to extract OIDC tokens from runner memory, resulting in the unauthorized publishing of 84 credential-stealing @tanstack npm packages.…