84 malicious @tanstack/* packages, published in 6 minutes with valid SLSA provenance. No tokens were stolen: a fork PR poisoned the GitHub Actions cache, then the release workflow's OIDC token was dumped from runner memory and used to publish.
OIDC didn't fail. Its trust model has no notion of which workflow step can publish.

https://open.substack.com/pub/doriandiaconu/p/a-pull-request-published-84-malicious

#npm #SupplyChain #DevOps #Security

A pull request published 84 malicious packages with valid signatures

The supply chain is not okay

doriandiaconuro
@leanderlindahl "The taxes used to support the poor. Today they support the criminals and opportunists that destroy the trust in society." #taxation #trust #NPM #naivety

‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens
https://kevinpatel.xyz/posts/no-way-to-prevent-this/

#npm #JavaScript #code #Programming #tech

‘No Way To Prevent This,’ Says Only Package Manager Where This Regularly Happens | Kevin Patel

Kevin Patel - Application Security Engineer @ NISC

Kevin Patel
🚨 Breaking news! 🚨 A supply chain attack on #npm shocks #developers worldwide, and in an utterly predictable twist, the only package manager where this "regularly happens" shrugs and says, "Oops, our bad." 😅 Devs are now collectively wringing their hands, wondering how they got #bamboozled by the same trick for the zillionth time. 🤦‍♂️
https://kevinpatel.xyz/posts/no-way-to-prevent-this/ #supplychainattack #security #shocked #oops #HackerNews #ngated

🚀 Deploy Self-Hosted #OpenClaw on #VPS (3 Minute Quick-Start Guide 🤖)

This article provides a quick, yet thorough step-by-step guide to deploy self-hosted OpenClaw on VPS servers. A lot of users have been deploying directly to Mac Minis, but we'd like to present another, radically different clawd deployment strategy. In this guide, we will deploy OpenClaw on a Linux VPS, specifically a #Debian VPS.
What is ...
Continued 👉 https://blog.radwebhosting.com/deploy-self-hosted-openclaw-on-vps/?utm_source=mastodon&utm_medium=social&utm_campaign=mastodon.raddemo.host #npm #selfhosting #clawdbot #selfhosted

Node-ipc Package Infected with Credential-Stealing Malware

A malicious update to the widely used node-ipc library has infected thousands of projects with credential-stealing malware, posing a significant supply-chain risk for developer environments and CI systems. With over 690,000 weekly downloads, this single compromised library could be exfiltrating sensitive data from countless unsuspecting users.

https://osintsights.com/node-ipc-package-infected-with-credential-stealing-malware?utm_source=mastodon&utm_medium=social

#SupplyChain #CredentialStealing #Malware #Nodeipc #Npm


Learn how the node-ipc package was infected with credential-stealing malware and take immediate action to secure your developer environments now.

OSINTSights

The average #npm package includes in its innermost trust boundary:

- an undisclosed four-digit number of devs nobody has ever heard of
- npm itself
- github et al. in all their slop-fondling glory

Especially:

- all of their personal and organizational opsec
- all of their ability to write and configure CI/CD securely

If a single one of those components fails, all of it goes down the shitter again.

But I'm sure, user-prompt-gating post-install scripts will fix all of this. As it did with Office.

https://winbuzzer.com/2026/05/15/openai-confirms-security-breach-in-tanstack-supply-xcxwbn/

OpenAI confirmed that a poisoned open-source package breached employee devices and let attackers steal credentials from a limited set of its internal source code repositories.

#AI #OpenAI #Cybersecurity #Malware #DataBreaches #TanStack #MiniShaiHulud #npm

TanStack npm hack: how attackers turned the project's own CI pipeline into a weapon

Fourteen widely used npm packages were laced with malicious code, not because a maintainer password was stolen, but because a poisoned build cache compromised the project's own release pipeline from the inside. TanStack discloses how the attack unfolded and what the project is now changing structurally.

All About Security: the online magazine for cybersecurity. Ransomware, phishing, IT security, network security, AI, threats, DDoS, identity & access, platform security

OpenAI Disrupted in TanStack npm Supply Chain Breach

Malicious packages have rocked the TanStack npm supply chain, with 84 tainted versions of 42 @tanstack/* packages published, drawing OpenAI into the crisis and prompting urgent action to secure its systems. The AI company has confirmed that attackers compromised two employee devices, stealing credentials and forcing a reset across multiple desktop products.

https://osintsights.com/openai-disrupted-in-tanstack-npm-supply-chain-breach?utm_source=mastodon&utm_medium=social

#SupplyChain #Npm #Openai #Tanstack #CredentialExfiltration


OpenAI scrambles to contain the TanStack npm supply chain breach, rotate signing certificates and force updates; learn how to protect your organization now.

OSINTSights