Cyber Posture

CVE-2026-45321

Critical

Published: 12 May 2026

Published
12 May 2026
Modified
12 May 2026
KEV Added
Patch
CVSS Score 9.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0004 12.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-45321 is a critical-severity Embedded Malicious Code (CWE-506) vulnerability. Its CVSS base score is 9.6 (Critical).

Operationally, ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-10 Software Usage Restrictions
addresses: CWE-506

Restricting software to licensed versions and controlling P2P prevents introduction of software containing embedded malicious code from unauthorized sources.

CM-11 User-installed Software
addresses: CWE-506

The control prevents users from installing software that contains embedded malicious code.

CM-8 System Component Inventory
addresses: CWE-506

Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.

CP-10 System Recovery and Reconstitution
addresses: CWE-506

Reverting to a known state removes any malicious code embedded by an attacker.

MA-3 Maintenance Tools
addresses: CWE-506

The approval and review process for maintenance tools can prevent introduction or continued use of tools containing embedded malicious code.

PM-30 Supply Chain Risk Management Strategy
addresses: CWE-506

Supply chain strategy requires vetting and controls during acquisition to prevent or detect insertion of malicious code by vendors or integrators.

PS-2 Position Risk Designation
addresses: CWE-506

Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish.

RA-10 Threat Hunting
addresses: CWE-506

The capability explicitly searches for embedded malicious code and backdoors as indicators of compromise.

NVD Description

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself…

more

was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-506

References