Try Seer Agent for free - https://sentry.io/fireship. It uses all of Sentry's context on your app to investigate production issues for you.

Earlier this week Tanstack was poisoned with a sophisticated supply chain attack . In this video we break down how it happened and how you can protect yourself in the future.

#coding #programming

Want more Fireship?

🗞️ Newsletter: https://bytes.dev
🧠 Courses: https://fireship.dev

Fireship is a YouTube channel created by Jeff Delaney that offers quick tutorials and explanations on web development, programming, and tech trends. Known for the “100 Seconds of Code” and “The Code Report” series, the channel breaks down complex topics in a short, engaging format, covering everything from JavaScript frameworks to emerging technologies.

Fireship

A sophisticated supply chain attack compromised over 100 npm packages downloaded 50 million times per week by exploiting a misconfigured GitHub Actions workflow in the TanStack repository. The attacker used the `pull_request_target` trigger, which runs fork PRs with main repo permissions, to poison the CI cache and steal an npm publish token. The malware then spread by scanning infected machines for npm tokens and republishing poisoned versions, eventually reaching packages from Mistral AI, UiPath, OpenSearch, and others. The worm embedded itself into VS Code and Claude Code, and included a dead-man switch that nukes the root directory when a stolen GitHub token expires. Mitigations include using pnpm v1+ with minimum release age, blocking exotic subdependencies, and the approved-builds feature.

A single PR just hijacked the NPM registry...

Although my first thoughts were “Oh No!”, now I’m glad things are getting caught and quick.

Crazy world. <code>min-release-age</code> has become a must-have setting for any JS project.

yep, pnpm helps to do it right, but it’s not enough

It’s just me or this is becoming a thing? :D

Claude fix NPM. Make no mistakes.