Back to shanesveller's feed
🦀RustTanStack Blog

Postmortem: TanStack NPM supply-chain compromise (opens in new tab)

Covered by 31 sources See all sources covering this story including blef.fr, DEV CommunityDiscussed on Hacker News, Hacker News, Lobsters, r/netsec, r/programming, and DEV

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.

Read the original article
Sign in to keep reading the full article.
Sign UpLog In

Covered in 37 articles

blef.fr·

We got attacked via GitHub PRs

Discussed on Hacker News
Feeds
DEV Community·

The New Shape of Supply-Chain Trust

Discussed on DEV
Feeds
DEV Community·

Supply Chain Attacks Aren't Just a Big Library Problem — Here's What You Can Do Today

Discussed on DEV
Feeds
View all 37 ›

Keyboard Shortcuts

Navigation

Next / previous post
j/k
Open post
oorEnter
Preview post
v

Post Actions

Love post
a
Like post
l
Dislike post
d
Undo reaction
u
Save / unsave
s

Recommendations

Add interest / feed
Enter
Not interested
x

Go to

Home
gh
Interests
gi
Feeds
gf
Likes
gl
History
gy
Changelog
gc
Settings
gs
Discover
gb
Search
/

General

Show this help
?
Submit feedback
!
Close modal / unfocus
Esc

Press ? anytime to show this help