A supply chain attack hit TanStack packages on May 11th: 84 malicious versions were published across 42 @tanstack/* packages. The attack chained three vulnerabilities. A malicious pull request abused GitHub Actions' pull_request_target trigger to poison a shared pnpm cache; the poisoned cache then extracted an OIDC token from runner memory and used it to publish to npm. The payload harvested credentials (AWS, GCP, Kubernetes and GitHub tokens), self-propagated as a worm to other packages the victim maintains, and installed a dead man's switch that runs rm -rf ~/ if the stolen token is revoked. Affected users should rotate credentials carefully and should not revoke tokens without reading the full warning first. Mitigations include setting a minimum release age in your package manager and upgrading to pnpm 11. The newsletter also covers Tailwind CSS v4.3, Waku 1.0 beta, Expo 56 beta, and a JavaScript prototype chain quiz.
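One way to apply the minimum-release-age mitigation mentioned above, as an added example that is not part of the newsletter: a Python check over the per-version publish timestamps (the "time" map) that the npm registry returns for a package, run here against a constructed sample so it works offline. The versions, dates and the fixed "current time" are made up for the example.

```python
"""Cooldown check: refuse package versions younger than a minimum release age."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the "time" map the npm registry returns for a package
# (per-version ISO-8601 publish timestamps plus "created"/"modified").
# Versions and dates are made up for this example.
SAMPLE_TIME_MAP = {
    "created": "2024-01-10T12:00:00.000Z",
    "modified": "2025-05-11T09:30:00.000Z",
    "1.4.0": "2025-03-02T08:00:00.000Z",
    "1.4.1": "2025-04-20T14:15:00.000Z",
    "1.4.2": "2025-05-11T09:30:00.000Z",  # published hours ago: not yet trusted
}
# Fixed "current time" (assumed) so the example is reproducible offline.
EXAMPLE_NOW = datetime(2025, 5, 11, 12, 0, tzinfo=timezone.utc)
NON_VERSION_KEYS = {"created", "modified"}


def parse_npm_time(ts: str) -> datetime:
    """Parse a registry timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def old_enough(time_map: dict, version: str, min_age_days: float,
               now: datetime = EXAMPLE_NOW) -> bool:
    """True if `version` was published at least `min_age_days` before `now`.
    Unknown versions are rejected rather than silently allowed."""
    if version in NON_VERSION_KEYS or version not in time_map:
        return False
    return now - parse_npm_time(time_map[version]) >= timedelta(days=min_age_days)


def newest_eligible(time_map: dict, min_age_days: float,
                    now: datetime = EXAMPLE_NOW):
    """Newest-by-publish-date version that has aged past the cooldown, or None.
    Ordering is by publish time, not semver, since that is what a cooldown gates."""
    eligible = [(parse_npm_time(ts), v) for v, ts in time_map.items()
                if v not in NON_VERSION_KEYS and old_enough(time_map, v, min_age_days, now)]
    return max(eligible)[1] if eligible else None


if __name__ == "__main__":
    for v in ("1.4.1", "1.4.2"):
        print(v, "allowed" if old_enough(SAMPLE_TIME_MAP, v, 7) else "too new")
    print("install:", newest_eligible(SAMPLE_TIME_MAP, 7))
```

A package manager that supports a minimum release age applies the same rule at install time; a script like this is for auditing a lockfile or gating CI where that setting is not available.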

5 min read. From bytes.dev