TanStack just got hit by an NPM supply-chain attack. Here's a raw breakdown of what went down, the community fallout, and how to protect your code.

Just another beautiful day to write some bugs, right? Wrong. Woke up, grabbed my morning coffee, and saw the entire frontend ecosystem collectively sweating bullets because TanStack—the absolute chads behind React Query and Router—just got hit with a nasty supply-chain attack.
So, here’s the scoop for the lazy readers. Some dark wizard out there managed to snatch an NPM publish token belonging to the TanStack maintainers. With the keys to the castle, they pushed malicious versions of packages (mostly affecting @tanstack/router) to the public registry.
If you happened to run npm install during that cursed window, you might have invited a nasty little script into your machine. We're talking about malware specifically designed to sniff out your local .env files, steal session tokens, and drain crypto wallets.
Fortunately, Tanner and his crew didn't sleep on this. They caught the breach blazing fast, nuked the compromised releases from orbit, revoked all tokens, and dropped a massive, transparent Postmortem detailing exactly how they messed up and how they fixed it.
Scrolling through Hacker News, the community reaction basically falls into three camps:
"npm install in 2024 feels like playing Russian Roulette. You never know when your laptop is going to join a botnet."

Look, supply chain attacks are the new meta. Here's what you need to take away from this mess so you don't lose your job:

- .env variables: guard them with your life. If a rogue script grabs them, attackers will spin up crypto miners on your dime.
- package-lock.json or yarn.lock: stop running npm update blindly hoping everything works. Pin exact versions, or you'll eventually download malware.

Stay safe out there, folks. Trust no package.
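To make the "pin exact versions and trust your lockfile" advice concrete, here is an added example (it is not code from the TanStack post or the TanStack project) that audits a package.json against a lockfileVersion 3 package-lock.json. It flags dependency specs that are ranges rather than exact versions, dependencies with no lockfile entry, lockfile entries with no integrity hash, drift between the pinned spec and what the lockfile resolved, and any resolved version that appears in a caller-supplied blocklist of known-bad releases. All package names, versions, hashes and the blocklist below are constructed sample data.

```javascript
// Added example: audit package.json against package-lock.json (lockfileVersion 3).
// Not part of the original post. All manifests, names, versions and hashes are
// constructed sample data. Run with: node audit.js

// Exact semver (optionally with a prerelease/build suffix); anything else is a range.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/;

// knownBad maps a package name to a Set of versions the registry has pulled.
// Returns a list of findings; an empty list means the manifests look clean.
function auditDependencies(pkg, lock, knownBad = {}) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = (lock && lock.packages) || {};

  for (const [name, spec] of Object.entries(deps)) {
    const pinned = EXACT_VERSION.test(spec);
    // Ranges such as ^1.2.3, ~1.2.3, *, latest or >=1.0.0 let npm pick a newer
    // release at install time, which is exactly how a freshly published
    // malicious version slips into a build.
    if (!pinned) {
      findings.push({ name, issue: 'unpinned', detail: `spec "${spec}" is a range` });
    }

    const entry = packages[`node_modules/${name}`];
    if (!entry) {
      findings.push({ name, issue: 'missing-lock-entry', detail: 'no lockfile entry' });
      continue;
    }
    // Without an integrity hash the lockfile only records a version, not the
    // exact tarball bytes that were reviewed.
    if (!entry.integrity) {
      findings.push({ name, issue: 'no-integrity', detail: `${entry.version} has no integrity hash` });
    }
    // A version that the registry has since pulled should never stay in the lockfile.
    if (knownBad[name] && knownBad[name].has(entry.version)) {
      findings.push({ name, issue: 'known-bad', detail: `${entry.version} is a pulled release` });
    }
    // Pinned spec and resolved version disagree: the two files drifted apart.
    // npm ci refuses such a state; npm install silently rewrites the lockfile.
    if (pinned && entry.version !== spec) {
      findings.push({ name, issue: 'lock-drift', detail: `package.json wants ${spec}, lockfile has ${entry.version}` });
    }
  }
  return findings;
}

// Constructed sample manifests: each dependency triggers one kind of finding
// except example-query, which is the clean case.
const samplePkg = {
  dependencies: {
    'example-query': '5.0.0',    // clean: pinned, locked, hashed
    'example-router': '^1.0.0',  // range spec, lock entry lacks integrity
    'example-utils': '1.3.0',    // pinned but absent from the lockfile
    'example-crypto': '2.1.0',   // resolved version is on the blocklist
    'example-cli': '0.4.0',      // lockfile resolved a different version
  },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    'node_modules/example-query': { version: '5.0.0', integrity: 'sha512-CONSTRUCTED-not-a-real-hash==' },
    'node_modules/example-router': { version: '1.0.0' },
    'node_modules/example-crypto': { version: '2.1.0', integrity: 'sha512-CONSTRUCTED-not-a-real-hash==' },
    'node_modules/example-cli': { version: '0.4.1', integrity: 'sha512-CONSTRUCTED-not-a-real-hash==' },
  },
};
// Constructed blocklist standing in for the versions a maintainer has pulled.
const sampleKnownBad = { 'example-crypto': new Set(['2.1.0']) };

function runAudit() {
  return auditDependencies(samplePkg, sampleLock, sampleKnownBad);
}

for (const f of runAudit()) {
  console.log(`${f.issue}: ${f.name} (${f.detail})`);
}
```

Running it against the constructed manifests reports five findings (unpinned, no-integrity, missing-lock-entry, known-bad, lock-drift), one per deliberately broken dependency. In a real pipeline the blocklist would come from the maintainer's advisory rather than being hard-coded, and the install step itself should be `npm ci` (which fails on lockfile drift instead of rewriting the lockfile) rather than a bare `npm install`.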
Source: Hacker News - Postmortem: TanStack NPM supply-chain compromise
Original link: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem