devtake.dev
AI Security Open Source Hardware Policy Apple

#tanstack

RSS
Related: #credential-theft · 1 #dev-tools · 1 #github-actions · 1 #npm · 1 #security · 1 #supply-chain · 1
TanStack website header with logo
Security·

TanStack published its npm supply-chain postmortem. The attack chained three GitHub Actions flaws.

Attackers compromised 42 TanStack packages through a pull_request_target exploit, cache poisoning, and OIDC token theft. An external researcher caught it in 20 minutes.