
Postmortem: TanStack npm supply-chain compromise
BRANK

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.

tanstack.com 14 days ago
Related Topics: Node.js, JavaScriptRuntime
https://tanstack.com/blog/npm-supply-chain-compromise-postmortem