Threat actors compromised TanStack’s npm publishing pipeline and released malicious package versions containing credential-stealing malware. CISA has added this to the KEV catalog with a June 10, 2026 remediation deadline, confirming active exploitation. Any organization with TanStack packages in its dependency tree must treat all build environments that consumed TanStack packages during the compromise window as potentially breached.