
[KEV] CVE-2026-45321 -- CVSS 0.0 Vulnerability Briefing

[KEV] CVE-2026-45321 | CVSS 0.0 (Low) | Exploit: Operational

What Is It

CVE-2026-45321 is a supply chain compromise affecting TanStack packages on the npm registry, in which an unspecified weakness allowed adversaries to publish malicious, credential-stealing package versions under the legitimate TanStack identity.

Technical Detail

The vulnerability enabled unauthorized or malicious versions of TanStack packages to be pushed to the npm registry while appearing to originate from a trusted publisher, likely through a compromised publishing account, token, or CI/CD pipeline credential. Developers who installed or updated affected TanStack packages during the window of compromise would have received malware capable of stealing credentials from their environments. The precise mechanism of the registry authorization bypass or account compromise has not been publicly disclosed, and the full scope of affected package versions remains unspecified.

Exploitation Status

CISA has confirmed active exploitation in the wild, with this CVE added to the Known Exploited Vulnerabilities catalog on May 27, 2026. The exploit maturity is rated Operational, meaning adversaries have demonstrated reliable, repeatable exploitation capability in real-world attacks. This is not a proof-of-concept scenario; malicious packages have been actively distributed through the npm ecosystem under a trusted identity.

Who Is Targeting This

Confirmed (ATTAX-verified): FIN7 (origin unspecified, motivation unknown), BRONZE BUTLER (China, nation-state motivation), APT38 (DPRK, nation-state motivation), APT41 (China, nation-state motivation), and APT-C-36 (origin unspecified, motivation unknown). The breadth of confirmed actor attribution, spanning financially motivated cybercrime groups and multiple nation-state programs, indicates this vulnerability has been exploited across distinct threat campaigns with differing objectives. No additional reported or research-inferred actors are listed beyond those confirmed.

What To Do

CISA's KEV listing requires federal agencies to remediate this vulnerability immediately; given the May 27, 2026 addition date, patch or mitigation deadlines under BOD 22-01 apply as of now. Organizations should audit all TanStack package versions currently in use and cross-reference installed versions against any published list of compromised releases from the TanStack project maintainers. npm lockfiles (package-lock.json or yarn.lock) should be reviewed for unexpected version changes or integrity hash mismatches. Rotate all credentials, tokens, and secrets present in environments where affected TanStack packages were installed or executed, since credential theft is the confirmed payload behavior. Implement npm package integrity verification using tools such as npm audit and Sigstore-based provenance attestation where available. Restrict npm publish permissions using granular token scoping and enforce multi-factor authentication on all registry publishing accounts as a preventive control going forward.
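The lockfile review above can be scripted. The following is an added example, not code from the briefing or from the TanStack project: it compares the `packages` map of two package-lock.json documents (lockfile version 2 or 3) and reports every TanStack package that is new, changed version, or kept its version but changed its integrity hash. The lockfile contents, versions, and hashes are constructed sample data, not real releases.

```javascript
// Collect every @tanstack/* entry from a lockfile's "packages" map.
// Keys look like "node_modules/@tanstack/react-query"; nested installs
// ("node_modules/x/node_modules/@tanstack/...") match as well.
function tanstackEntries(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const m = path.match(/node_modules\/(@tanstack\/[^/]+)$/);
    if (m) out.set(path, { name: m[1], version: meta.version, integrity: meta.integrity });
  }
  return out;
}

// Diff two lockfiles and flag what a reviewer should look at:
//  - 'new'                : a TanStack package that was not there before
//  - 'version-changed'    : the version moved (check it against the maintainers' list)
//  - 'integrity-mismatch' : same version, different tarball hash (highest concern)
function diffTanstack(oldLock, newLock) {
  const before = tanstackEntries(oldLock);
  const findings = [];
  for (const [path, cur] of tanstackEntries(newLock)) {
    const prev = before.get(path);
    if (!prev) { findings.push({ path, kind: 'new', version: cur.version }); continue; }
    if (prev.version !== cur.version) {
      findings.push({ path, kind: 'version-changed', from: prev.version, to: cur.version });
    } else if (prev.integrity !== cur.integrity) {
      findings.push({ path, kind: 'integrity-mismatch', from: prev.integrity, to: cur.integrity });
    }
  }
  return findings;
}

// Constructed sample lockfiles (hypothetical versions and hashes).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  'node_modules/@tanstack/react-query': { version: '1.0.0', integrity: 'sha512-AAAA' },
  'node_modules/@tanstack/query-core':  { version: '1.0.0', integrity: 'sha512-BBBB' },
  'node_modules/react':                 { version: '18.0.0', integrity: 'sha512-EEEE' },
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  'node_modules/@tanstack/react-query': { version: '1.0.1', integrity: 'sha512-CCCC' },
  'node_modules/@tanstack/query-core':  { version: '1.0.0', integrity: 'sha512-ZZZZ' },
  'node_modules/@tanstack/router-core': { version: '1.0.0', integrity: 'sha512-DDDD' },
  'node_modules/react':                 { version: '18.0.0', integrity: 'sha512-EEEE' },
} };

// Run the comparison on the sample data; in practice read both files with
// JSON.parse(fs.readFileSync(...)) from a known-good commit and the working tree.
function demo() { return diffTanstack(LOCK_BEFORE, LOCK_AFTER); }
console.log(demo());
```

Only the @tanstack entries are reported; the unchanged `react` entry is ignored, and the `query-core` finding (same version, different hash) is the one to treat as a possible tampered tarball.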
