Cache Poisoning Through pull_request_target: The TanStack Incident
A GitHub user opened a PR against TanStack Router from a fork, poisoned the shared pnpm cache through a pull_request_target workflow, then force-pushed the branch clean. When the release pipeline…
Read the full articleYou might also wanna read
Postmortem: TanStack npm supply-chain compromise via GitHub Actions exploitation
On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork↔base trust boundary, an

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistra
TanStack NPM Packages Compromised
Article URL: Comments URL: Points: 38 # Comments: 3
ChatGPT Update: What to Know About the TanStack npm Supply Chain Attack
After the TanStack npm supply chain attack, ChatGPT is forcing MacOS users to update. Learn more about related security risks and next steps
Post-mortem Analysis of @ctrl/tinycolor npm Supply Chain Attack via GitHub Actions
Lessons learned from becoming the unexpected face of a npm supply-chain attack.
Supply Chain Attacks on Open-Source Software: Case Study of Malicious Pull Request Attempts
Just in the last 7 days, we've seen LiteLLM and axios impacted by supply chain attacks. Recently, I was chatting with Bereket Engida, the cr

Comments
Sign in to join the conversation.
No comments yet. Be the first.