{
  "title": "TanStack CI/CD Release Pipeline Poisoning",
  "summary": "On May 11, 2026, the popular open-source project TanStack fell victim to a CI/CD release pipeline poisoning attack. Threat actors hijacked the release pipeline through pull-request exploitation and OIDC token theft, and used it to publish 84 backdoored versions across 42 packages.",
  "date": "2026-05-11",
  "severity": "critical",
  "tags": [
    "npm",
    "supply-chain",
    "compromise",
    "github-actions",
    "oidc",
    "teampcp"
  ],
  "sources_count": 4,
  "indicators": {
    "slug": "tanstack-pipeline-poisoning",
    "since": "2026-05-11T19:20:00Z",
    "until": "2026-05-11T23:59:59Z",
    "ecosystem": "npm npmjs.com",
    "cves": [],
    "cwes": [],
    "advisoryIds": [],
    "products": [],
    "packages": [
      "@tanstack/zod-adapter",
      "@tanstack/router",
      "@tanstack/react-router",
      "@tanstack/react-query",
      "@tanstack/table-core"
    ],
    "versions": [
      "1.166.12",
      "1.166.15",
      "@tanstack/zod-adapter@1.166.12",
      "@tanstack/zod-adapter@1.166.15"
    ],
    "affectedVersions": [],
    "fixedVersions": [
      "1.166.16",
      "1.166.17"
    ],
    "files": [
      "router_init.js",
      "tanstack_runner.js"
    ],
    "paths": [],
    "services": [],
    "domains": [
      "git-tanstack.com"
    ],
    "urls": [
      "https://git-tanstack.com",
      "https://tanstack.com",
      "https://snyk.io"
    ],
    "ips": [],
    "hashes": [
      "ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c"
    ],
    "processPatterns": [],
    "networkPatterns": [],
    "telemetrySelectors": []
  }
}