devtake.dev — StepSecurityArticles on devtake.dev covering StepSecurity.https://devtake.dev/en-usTanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/https://devtake.dev/article/tanstack-npm-supply-chain-postmortem/Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.Tue, 12 May 2026 10:15:00 GMTsecuritysecuritysupply-chainnpmtanstackgithub-actionscredential-theftdev-toolsluca-reinhardtAnother npm worm: CanisterWorm hits 16 Namastex packages and reaches PyPI on the same hophttps://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/https://devtake.dev/article/canisterworm-namastex-npm-pypi-supply-chain/Socket flagged a self-propagating worm in @automagik/genie, pgserve, and 14 sibling Namastex Labs packages. It steals 40 credential categories and republishes itself.Tue, 28 Apr 2026 16:30:00 GMTsecuritynpmsupply-chaincanisterwormsecuritynamastexteampcppypicredential-theftluca-reinhardt