Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
vi
HomeCategoriesArcadeBookmarks
Coding4Food LogoCoding4Food
HomeCategoriesArcadeBookmarks
Privacy|Terms

© 2026 Coding4Food. Written by devs, for devs.

All news
TechnologyIT Drama

TanStack's NPM Nightmare: A Supply-Chain Attack and What We Can Learn From It

May 12, 20263 min read

TanStack just got hit by an NPM supply-chain attack. Here's a raw breakdown of what went down, the community fallout, and how to protect your code.

Share this post:
TanStack's NPM Nightmare: A Supply-Chain Attack and What We Can Learn From It
Nguồn gốc: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/tanstack-npm-supply-chain-attack-dramaNguồn gốc: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama
Nguồn gốc: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/tanstack-npm-supply-chain-attack-dramaNguồn gốc: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Nội dung thuộc bản quyền Coding4Food. Original source: https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama. Content is property of Coding4Food. This content was scraped without permission from https://coding4food.com/post/tanstack-npm-supply-chain-attack-drama
tanstacknpmsupply chain attackmã độcbảo mật
Share this post:

Bình luận

Related posts

hacker, hacking, theft, cyber, malware, computer, security, credit card, virus, internet, screen, trojan, evil, program, thief, comic, cartoon character, programming, it, evil hackers, hacker, hacker, hacker, hacker, hacker, hacking, malware, thief
IT DramaTechnology

Axios Compromised on NPM: When Your Favorite HTTP Client Drops a Trojan

The ultimate NPM nightmare: Malicious Axios versions caught dropping remote access trojans. Here's what happened and how to avoid getting pwned.

Apr 13 min read
Read more →
coding, computer, hacker, hacking, html, programmer, programming, script, scripting, source code, coding, coding, coding, coding, computer, computer, hacker, hacker, hacker, hacker, hacker, hacking, hacking, programming, programming
TechnologyIT Drama

GitHub Breached: 3,800 Repos Nuked by a Sketchy VSCode Extension

GitHub confirms 3,800 repos were compromised via a malicious VSCode extension. Time to audit your editor before your source code gets leaked.

May 212 min read
Read more →
scam, cybersecurity, phishing, fraud, hacker, crime, attack, cut out, scam, scam, scam, scam, scam
IT DramaTechnology

The LinkedIn Job Offer Trap: How a Fake Recruiter Almost Backdoored a Dev

Unemployed and looking for a job? Beware of fake recruiters sending coding challenges loaded with backdoors to steal your crypto and SSH keys.

Jun 163 min read
Read more →
handcuff, black silver, caught, metal, stole, chain, handcuff, handcuff, handcuff, handcuff, handcuff, caught
IT DramaTechnology

Texas Woman Arrested Over a Facebook Post: A Harsh Lesson in OpSec

A Texas woman gets handcuffed for complaining about dirty tap water on Facebook. What techies and whistleblowers need to learn about online privacy.

May 243 min read
Read more →
security, cyber, threat, hacker, internet, protection, secure, information, safety, business, cybersecurity, cybersecurity, cybersecurity, cybersecurity, cybersecurity, cybersecurity
TechnologyIT Drama

TanStack & Mistral AI Hit Hard: 170+ npm Packages Hijacked in Wild Supply Chain Attack

A massive npm supply chain attack hit 170+ packages (including TanStack & Mistral AI) with 400+ malicious versions, without compromising maintainer accounts.

May 133 min read
Read more →
scam, phishing, fraud, email, attack, mail, online, system, cybercrime, information, access, credit, money, hack, hacker, laptop, malware, password, protection, software, steal, orange money, orange laptop, orange online, orange email, orange information, orange software, scam, scam, scam, scam, scam, phishing, phishing, phishing, phishing, fraud, fraud, email, cybercrime, malware
TechnologyIT Drama

Big Yikes: Microsoft Edge Caught Storing Passwords in Plaintext in Memory

Microsoft Edge was just caught storing user passwords in plaintext in RAM. Is it a massive security flaw or just another Tuesday? Let's dive into the drama.

May 53 min read
Read more →

Just another beautiful day to write some bugs, right? Wrong. Woke up, grabbed my morning coffee, and saw the entire frontend ecosystem collectively sweating bullets because TanStack—the absolute chads behind React Query and Router—just got hit with a nasty supply-chain attack.

TL;DR: How did the NPM gods fail us this time?

So, here’s the scoop for the lazy readers. Some dark wizard out there managed to snatch an NPM publish token belonging to the TanStack maintainers. With the keys to the castle, they pushed malicious versions of packages (mostly affecting @tanstack/router) to the public registry.

If you happened to run npm install during that cursed window, you might have invited a nasty little script into your machine. We're talking about malware specifically designed to sniff out your local .env files, steal session tokens, and drain crypto wallets.

Fortunately, Tanner and his crew didn't sleep on this. They caught the breach blazing fast, nuked the compromised releases from orbit, revoked all tokens, and dropped a massive, transparent Postmortem detailing exactly how they messed up and how they fixed it.

The HN/Reddit Hivemind Speaks

Scrolling through Hacker News, the community reaction basically falls into three camps:

  • The Doomers: "NPM is a house of cards," one dev commented. A lot of folks are complaining that running npm install in 2024 feels like playing Russian Roulette. You never know when your laptop is going to join a botnet.
  • The Fanboys: A massive chunk of the community actually praised the TanStack team. "They got hacked, sure. But their response time was insane, and the Postmortem was brutally honest without PR bullshit." Respect earned.
  • The Security Nerds: The infosec crowd, however, was throwing some shade: "Why aren't top-tier projects enforcing strict 2FA on all automation tokens? Where was NPM Provenance?"

The Coding4Food Verdict: Survive the NPM Jungle

Look, supply chain attacks are the new meta. Here’s what you need to take away from this mess so you don't lose your job:

  1. Protect your secrets: If you're deploying your weekend project to a cloud vps, guard your .env variables with your life. If a rogue script grabs them, attackers will spin up crypto miners on your dime.
  2. Pin your damn dependencies: Use your package-lock.json or yarn.lock. Stop running npm update blindly hoping everything works. Pin exact versions, or you'll eventually download malware.
  3. For the Maintainers: Turn on 2FA for publishing. Set up NPM Provenance. It's 2024, guys. Let's not make it this easy for the script kiddies.

Stay safe out there, folks. Trust no package.

Source: Hacker News - Postmortem: TanStack NPM supply-chain compromise Original Link: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem