Tanstack NPM Supply Chain Attack
2 videos · score: 9,594 · first seen Jun 9, 2026
A sophisticated npm supply chain attack on the Tanstack open-source project, in which a malicious actor exploited GitHub Actions to compromise 169+ packages with over 50 million weekly downloads, has drawn attention: Fireship highlights the attack's technical depth, and Matthew Berman links it to a broader rise in AI-assisted cyber threats.

A single PR just hijacked the NPM registry...
A supply chain attack compromised over 100 npm packages by exploiting a vulnerability in Tanstack's GitHub Actions workflow, allowing an attacker to publish malicious code through a forked pull request. The malware then spread to other packages and even jumped to Python's PyPI registry, highlighting serious flaws in the release process and CI/CD security.

Everyone's getting hacked
Google's Threat Intelligence Group detected the first AI-discovered zero-day exploit in the wild, alongside the spread of the Shai-Hulud npm worm, which uses a dead man's switch, signaling a new era of AI-powered cyber threats.