threat model this
@infosec_cynic
· 9d
I told you so. No surprises here. Anyone who uses npm without vetting every single dependency is just begging to get owned. https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
tanstack.com
Postmortem: TanStack npm supply-chain compromise | TanStack Blog
On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.