TanStack npm packages hit supply-chain breach
On May 11, 2026, TanStack disclosed that 84 malicious versions across 42 `@tanstack/*` npm packages were published in a supply-chain compromise tied to GitHub Actions cache poisoning and install-time credential theft. The team deprecated the affected versions, involved npm security, and urged anyone who installed them to rotate exposed credentials.
This is a reminder that modern package security is not just about maintainer tokens; CI trust boundaries, cache reuse, and install-time scripts can turn one poisoned workflow into a registry-scale incident.
- The attack chained a `pull_request_target` workflow, cache poisoning, and OIDC token abuse, which is exactly the kind of cross-system failure that slips past normal "we use trusted publishing" assumptions
- Because the malware ran during `npm install`-style lifecycle hooks, any developer machine or CI job that pulled an affected version should be treated as potentially compromised
- TanStack moving quickly to deprecate releases and purge caches was the right containment move, but the incident will likely push more teams to pin Actions by SHA and isolate untrusted CI paths
- The blast radius matters beyond TanStack users: packages like Router, Query, Table, and Form are widely embedded in web stacks, including many AI product front ends
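The bullets above name the three CI-side ingredients (a `pull_request_target` trigger, cache reuse, OIDC token exposure), the install-time hook problem, and SHA pinning as the fix. The script below is an added example written for this summary; it is not TanStack's code and it does not identify any real affected version. It implements two defender-side checks on constructed inputs: `auditWorkflow()` scans GitHub Actions workflow text for the risky combination of `pull_request_target` with PR-head checkout, cache use, `id-token: write`, and action references not pinned to a 40-hex commit SHA; `packagesWithInstallScripts()` lists `package-lock.json` entries that npm marks with `hasInstallScript`, i.e. packages whose lifecycle hooks run during install. The workflow, repo names, the all-zero SHA and the lockfile contents are placeholders.

```javascript
// Added example (not TanStack's code). Two checks a team can run in CI or
// pre-commit after an incident like this one. All inputs are constructed.

const SHA40 = /^[0-9a-f]{40}$/i;

// Constructed workflow. Action names, tags and the all-zero SHA are placeholders.
const WORKFLOW = `
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: \${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@0000000000000000000000000000000000000000
      - run: npm ci
`;

// Returns a list of { code, detail } findings for one workflow file's text.
function auditWorkflow(text) {
  const findings = [];
  const prTarget =
    /^\s*pull_request_target\s*:/m.test(text) ||
    /^\s*on:\s*\[.*\bpull_request_target\b/m.test(text);

  if (prTarget) {
    // pull_request_target runs with base-repo secrets; checking out the PR head
    // then runs untrusted code in that privileged context.
    if (/ref:\s*\$\{\{\s*github\.event\.pull_request\.head\./.test(text)) {
      findings.push({ code: 'PR_TARGET_CHECKOUT',
        detail: 'PR head is checked out under pull_request_target: untrusted code runs with base-repo secrets' });
    }
    // Cache saved by such a run lands in base-branch scope, where trusted jobs restore it.
    if (/uses:\s*actions\/cache@/.test(text)) {
      findings.push({ code: 'CACHE_IN_PR_TARGET',
        detail: 'cache written while running untrusted PR code can be restored by later trusted runs' });
    }
    // id-token: write lets whatever runs in the job request the job's OIDC token.
    if (/^\s*id-token:\s*write/m.test(text)) {
      findings.push({ code: 'OIDC_IN_PR_TARGET',
        detail: 'id-token: write in a pull_request_target job exposes the OIDC token to untrusted code' });
    }
  }

  // Every third-party action should be pinned to a full commit SHA, not a tag or branch.
  for (const line of text.split('\n')) {
    const m = line.match(/uses:\s*(\S+)/);
    if (!m) continue;
    const ref = m[1];
    if (ref.startsWith('./') || ref.startsWith('docker://')) continue; // nothing to pin
    const at = ref.lastIndexOf('@');
    const version = at === -1 ? '' : ref.slice(at + 1);
    if (!SHA40.test(version)) {
      findings.push({ code: 'UNPINNED_ACTION', detail: `${ref} is pinned to a mutable ref, not a commit SHA` });
    }
  }
  return findings;
}

// Constructed lockfile (v3 shape). The flagged entries are illustrative only.
const LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@tanstack/placeholder-pkg': '0.0.0-constructed', 'native-addon-ish': '1.0.0' } },
    'node_modules/@tanstack/placeholder-pkg': { version: '0.0.0-constructed', hasInstallScript: true },
    'node_modules/native-addon-ish': { version: '1.0.0', hasInstallScript: true },
    'node_modules/plain-lib': { version: '2.3.4' },
  },
};

// Lists packages npm marked as having preinstall/install/postinstall hooks.
function packagesWithInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== '' && meta.hasInstallScript === true)
    .map(([path, meta]) => ({
      name: path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length),
      version: meta.version,
    }));
}

for (const f of auditWorkflow(WORKFLOW)) console.log(`[${f.code}] ${f.detail}`);
for (const p of packagesWithInstallScripts(LOCKFILE)) console.log(`install script: ${p.name}@${p.version}`);
```

The lockfile check is the triage side of the second bullet: after an incident, the `hasInstallScript` list tells you which dependencies could have executed code on every machine that ran `npm install`, independent of whether their current version is known-bad. Running installs with `ignore-scripts=true` in `.npmrc` (or `npm ci --ignore-scripts`) and allow-listing the few packages that genuinely need hooks removes that execution path by default.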
Discovered: 2026-05-12
Published: 2026-05-11
Author: varunsharma07