Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: lomiri.lomiri-history-service

Found 1 matching suggestions

View:
Compact
Detailed
Dismissed
Permalink CVE-2026-45321
9.6 CRITICAL
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): High (H)
  • Integrity (I): High (H)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): High (H)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): High (H)
updated 1 week, 6 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 6 days ago
  • @LeSuisse dismissed 1 week, 6 days ago
Malware in 42 @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.

Affected products

history
  • ==1.161.12
  • ==1.161.9
vue-start
  • ==1.167.64
  • ==1.167.61
router-cli
  • ==1.166.46
  • ==1.166.49
vue-router
  • ==1.169.8
  • ==1.169.5
react-start
  • ==1.167.68
  • ==1.167.71
router-core
  • ==1.169.8
  • ==1.169.5
solid-start
  • ==1.167.68
  • ==1.167.65
zod-adapter
  • ==1.166.15
  • ==1.166.12
react-router
  • ==1.169.8
  • ==1.169.5
router-utils
  • ==1.161.14
  • ==1.161.11
solid-router
  • ==1.169.8
  • ==1.169.5
router-plugin
  • ==1.167.38
  • ==1.167.41
start-fn-stubs
  • ==1.161.12
  • ==1.161.9
arktype-adapter
  • ==1.166.15
  • ==1.166.12
react-start-rsc
  • ==0.0.47
  • ==0.0.50
router-devtools
  • ==1.166.16
  • ==1.166.19
valibot-adapter
  • ==1.166.15
  • ==1.166.12
router-generator
  • ==1.166.45
  • ==1.166.48
vue-start-client
  • ==1.166.46
  • ==1.166.49
vue-start-server
  • ==1.166.53
  • ==1.166.50
outer-vite-plugin
  • ==1.166.53
  • ==1.166.56
start-client-core
  • ==1.168.5
  • ==1.168.8
start-plugin-core
  • ==1.169.26
  • ==1.169.23
start-server-core
  • ==1.167.33
  • ==1.167.36
react-start-client
  • ==1.166.54
  • ==1.166.51
react-start-server
  • ==1.166.55
  • ==1.166.58
solid-start-client
  • ==1.166.53
  • ==1.166.50
solid-start-server
  • ==1.166.54
  • ==1.166.57
eslint-plugin-start
  • ==0.0.7
  • ==0.0.4
virtual-file-routes
  • ==1.161.10
  • ==1.161.13
vue-router-devtools
  • ==1.166.16
  • ==1.166.19
eslint-plugin-router
  • ==1.161.12
  • ==1.161.9
nitro-v2-vite-plugin
  • ==1.154.15
  • ==1.154.12
router-devtools-core
  • ==1.167.9
  • ==1.167.6
vue-router-ssr-query
  • ==1.166.15
  • ==1.166.18
react-router-devtools
  • ==1.166.16
  • ==1.166.19
router-ssr-query-core
  • ==1.168.6
  • ==1.168.3
solid-router-devtools
  • ==1.166.16
  • ==1.166.19
start-storage-context
  • ==1.166.38
  • ==1.166.41
react-router-ssr-query
  • ==1.166.15
  • ==1.166.18
solid-router-ssr-query
  • ==1.166.15
  • ==1.166.18
start-static-server-functions
  • ==1.166.47
  • ==1.166.44

Matching in nixpkgs

pkgs.star-history

Command line program to generate a graph showing number of GitHub stars of a user, org or repo over time

pkgs.lomiri.history-service

Service that provides call log and conversation history

  • nixos-unstable 0.6
    • nixpkgs-unstable 0.6
    • nixos-unstable-small 0.6
  • nixos-25.11 0.6
    • nixos-25.11-small 0.6
    • nixpkgs-25.11-darwin 0.6

pkgs.gnomeExtensions.clipboard-history

Gnome Clipboard History is a clipboard manager GNOME extension that saves items you've copied into an easily accessible, searchable history panel.

  • nixos-unstable 47
    • nixpkgs-unstable 47
    • nixos-unstable-small 47
  • nixos-25.11 47
    • nixos-25.11-small 47
    • nixpkgs-25.11-darwin 47

pkgs.gnomeExtensions.maximize-to-workspace-with-history

Like MacOS, puts windows in a new workspace when maximized or full-screened and brings you back to original workspace when unmaximized or unfull-screened or the window gets closed. Recommended to use with multi finger gestures configured for your trackpad.

  • nixos-unstable 2
    • nixpkgs-unstable 2
    • nixos-unstable-small 2

Package maintainers

Not directly packaged.