TanStack npm Supply Chain Attack: 84 Packages Hijacked in Six Minutes
Key Takeaways
- 84 malicious npm packages published across 42 TanStack repositories on May 11, 2026
- OIDC token stolen through a `pull_request_target` workflow flaw that most teams still haven't patched
- 518 million downloads accumulated before containment
- Code-signing certificates exfiltrated by 19:26 UTC,