“Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.” — @SocketSecurity

https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack

TanStack npm Packages Compromised in Ongoing Mini Shai-Hulud Supply-Chain Attack

Socket detected 84 compromised TanStack npm package artifacts modified with suspected CI credential-stealing malware.

And here is an absolute masterclass in writing a post-mortem from the team: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
Postmortem: TanStack npm supply-chain compromise | TanStack Blog

On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @tanstack/* packages on npm. Full postmortem.
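As an added illustration, not code from the Socket post or the TanStack postmortem, the GitHub Actions trigger pattern behind the "pull_request_target Pwn Request" named in the excerpt, beside a hardened form; workflow, job and step names are assumptions.

```yaml
# Added example (not from TanStack or Socket). Two workflow documents:
# the risky shape first, the hardened shape second.

# RISKY: pull_request_target runs in the BASE repository's context (its
# secrets, a write-capable GITHUB_TOKEN, base-branch-scoped caches) but
# here checks out and executes the fork's code. npm lifecycle scripts in
# that code run with all of that in reach, and any cache the job writes
# is scoped to the base branch, where release jobs can later restore it.
name: ci-risky
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled
      - uses: actions/cache@v4                              # writes base-scoped cache
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: npm ci && npm test                             # runs fork's scripts
---
# HARDENED: untrusted PR code runs under pull_request (read-only token,
# no repository secrets for forks), the token is pinned to the minimum,
# and the job only RESTORES caches; it never publishes one that a
# trusted job could pick up.
name: ci-hardened
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4            # defaults to the PR merge ref
      - uses: actions/cache/restore@v4       # restore-only, no save step
        with:
          path: ~/.npm
          key: npm-${{ hashFiles('package-lock.json') }}
      - run: npm ci --ignore-scripts && npm test
```

Detection-wise, a pull_request_target workflow that checks out `github.event.pull_request.head.*` or saves caches is the thing to grep for across an org's `.github/workflows/` before, not after, a compromise.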

@zachleat I'm not sure I would agree. This entire article reads like they dumped all their logs to Claude Code and asked it to generate a post mortem.
@jeromechoo I’m not sure I need to be included in this feedback

@zachleat I’m not trying to be rude. I’m genuinely trying to figure out what makes this a masterclass retro.

It does include a lot of details, but doesn’t mention the dead man’s switch that was posted 3 hours ago https://github.com/TanStack/router/issues/7383#issuecomment-4425225340 and has exactly one general line on what owners of compromised machines should do.

Did I miss something?