Posted On May 12, 2026

TanStack NPM Supply-Chain Compromise

tempamit@gmail.com

  • TanStack’s NPM package was compromised in a supply-chain attack: the published package carried a payload that runs from an npm install-time (postinstall) script.
  • The malicious code came from an orphan commit pushed to a fork of the repository; because GitHub serves a fork’s objects from the same shared storage as the upstream repo, the commit was reachable under a URI indistinguishable from the legitimate one.
  • The payload steals the victim’s GitHub token and installs a dead-man’s switch that wipes the home directory once that token is revoked, so responders must remove the persistence before revoking anything.

The Buzz Score

The Internet’s Verdict: 70% Hyped, 30% Skeptical

Forum Voices

Forum posters warn that npm postinstall scripts hand every dependency arbitrary code execution on the installing machine, and that responding to this particular payload in the wrong order makes things worse:

Please be careful when revoking tokens. It looks like the payload installs a dead-man’s switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor (macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/.
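
Before revoking anything, a responder wants to find and stop that monitor on every machine that installed the package. The shell helper below is an added example, not code from the post, from TanStack or from the commenter. It takes only the script path and the LaunchAgent label from the comment above; the systemd user unit directory (~/.config/systemd/user), matching the unit by content because its file name is not given, and the plist path under ~/Library/LaunchAgents are assumptions about where those things conventionally live.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post, from TanStack or from the
# commenter: a triage helper for the dead-man's switch described above. Only
# the script path (~/.local/bin/gh-token-monitor.sh) and the LaunchAgent label
# (com.user.gh-token-monitor) come from the comment. Assumed here: the systemd
# user unit lives under ~/.config/systemd/user and references the script by
# name, and the LaunchAgent plist is ~/Library/LaunchAgents/<label>.plist.
set -u

# Print every persistence artifact found under the given home directory, one
# path per line. Exit 0 if anything was found, 1 if the home looks clean
# (grep-style, so the function can drive an "if").
find_gh_token_monitor() {
  local home="${1:-$HOME}" found=1 unit
  if [ -e "$home/.local/bin/gh-token-monitor.sh" ]; then
    echo "$home/.local/bin/gh-token-monitor.sh"; found=0
  fi
  # The unit file name was not given, so match on content, not on name.
  for unit in "$home"/.config/systemd/user/*.service; do
    [ -f "$unit" ] || continue
    if grep -q 'gh-token-monitor' "$unit"; then echo "$unit"; found=0; fi
  done
  if [ -e "$home/Library/LaunchAgents/com.user.gh-token-monitor.plist" ]; then
    echo "$home/Library/LaunchAgents/com.user.gh-token-monitor.plist"; found=0
  fi
  return $found
}

# Stop the monitor BEFORE the token is revoked. Once the loop is dead the
# revocation is never observed, so the rm -rf branch never runs. Run this on
# every machine that installed the package, then revoke.
stop_gh_token_monitor() {
  local home="${1:-$HOME}" unit
  if command -v systemctl >/dev/null 2>&1; then
    for unit in "$home"/.config/systemd/user/*.service; do
      { [ -f "$unit" ] && grep -q 'gh-token-monitor' "$unit"; } || continue
      systemctl --user disable --now "$(basename "$unit")" || true
    done
  fi
  if command -v launchctl >/dev/null 2>&1; then
    launchctl bootout "gui/$(id -u)/com.user.gh-token-monitor" 2>/dev/null || true
  fi
  # A copy started by hand, or one the service manager lost track of.
  pkill -f 'gh-token-monitor\.sh' 2>/dev/null || true
}

# Move the artifacts into a quarantine directory rather than deleting them, so
# the script body and unit files survive for the incident write-up. Prints the
# quarantine directory.
quarantine_gh_token_monitor() {
  local home="${1:-$HOME}" path
  local qdir="${2:-$home/gh-token-monitor-quarantine}"
  mkdir -p "$qdir"
  find_gh_token_monitor "$home" | while IFS= read -r path; do
    mv "$path" "$qdir/"
  done
  echo "$qdir"
}

# Usage: bash triage.sh --check   (list what is installed)
#        bash triage.sh --disarm  (stop, then quarantine; do this before revoking)
case "${1:-}" in
  --check)  find_gh_token_monitor ;;
  --disarm) stop_gh_token_monitor && quarantine_gh_token_monitor ;;
esac
```

The order is the point: stop the service and the process first, quarantine the files second, and only then revoke the token. Deleting the script without killing the process achieves nothing, because the already-running loop keeps polling with the token it holds in memory.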

Others put much of the blame on GitHub, whose shared object storage lets a fork’s commits be fetched under the upstream repository’s URI:

Postinstall scripts are deadly. Everyone should be using pnpm. Crazy that an ‘orphan’ commit pushed to a FORK(!) could trigger this (in npm clients). IMO GitHub deserves much of the blame here. A malicious fork’s commits are reachable via GitHub’s shared object storage at a URI indistinguishable from the legit repo. That is absolutely bonkers.
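
Whatever the package manager, the first question after an incident like this is which installed dependencies could run code at install time at all. The script below is an added example, not from the post or from TanStack: it inventories lifecycle hooks across node_modules and pins npm’s ignore-scripts=true in the project .npmrc, which is npm’s own switch for making install-time code opt-in. The function names and the sample packages are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from TanStack: inventory
# which installed packages declare npm lifecycle scripts (the hook a postinstall
# payload rides on) and pin the project to ignore-scripts=true. The node_modules
# layout, the package.json "scripts" keys and the ignore-scripts setting are
# npm's own; the function names and any sample packages are constructed.
set -u

# Print "<package>: <hook names>" for every package under the given
# node_modules directory whose package.json declares preinstall, install or
# postinstall. Scoped packages (@scope/name) are included. Exit 0 if any were
# found, 1 if none. This is a text match, not a JSON parse: it may over-report
# (an "install" key outside "scripts"), but it will not under-report.
list_install_scripts() {
  local nm="${1:-node_modules}" pj name hits found=1
  for pj in "$nm"/*/package.json "$nm"/@*/*/package.json; do
    [ -f "$pj" ] || continue
    hits="$({ grep -oE '"(preinstall|install|postinstall)"[[:space:]]*:' "$pj" || true; } | tr -d '": ' | tr '\n' ' ')"
    hits="${hits% }"
    [ -n "$hits" ] || continue
    name="${pj#"$nm"/}"; name="${name%/package.json}"
    echo "$name: $hits"
    found=0
  done
  return $found
}

# Make npm skip lifecycle scripts for this project by default. The few native
# packages that genuinely need a build step are then dealt with one at a time,
# deliberately, instead of every dependency getting to run code at install
# time. Idempotent; replaces any existing ignore-scripts line.
ensure_ignore_scripts() {
  local rc="${1:-.npmrc}"
  if [ -f "$rc" ]; then
    { grep -vE '^ignore-scripts[[:space:]]*=' "$rc" || true; } > "$rc.tmp"
    mv "$rc.tmp" "$rc"
  fi
  echo 'ignore-scripts=true' >> "$rc"
}

# Usage, from a project root that has already been installed:
#   bash audit.sh --list   [node_modules]  # who would run code at install time?
#   bash audit.sh --harden [.npmrc]        # then make that opt-in
case "${1:-}" in
  --list)   list_install_scripts "${2:-node_modules}" ;;
  --harden) ensure_ignore_scripts "${2:-.npmrc}" ;;
esac
```

Recent pnpm versions, which the commenter recommends, take the same opt-in stance by refusing to run dependency build scripts unless they are explicitly approved; with npm the equivalent is ignore-scripts=true, after which the few native modules that genuinely need a build step are built explicitly and individually.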

Conclusion

The TanStack NPM supply-chain compromise is a reminder that an install-time script is arbitrary code execution on every developer machine and CI runner that pulls the package. Treat lifecycle scripts as opt-in, and when responding to a token theft like this one, remove the persistence first and revoke second.

