NPM

TanStack suffered an npm supply-chain compromise on May 11, 2026, where attackers published 84 malicious versions across 42 packages using GitHub Actions cache poisoning and OIDC token extraction without stealing npm tokens directly.

Several latest versions of TanStack's npm packages were found to contain malware, likely due to stolen developer credentials; users are advised to audit dependencies and revoke tokens immediately.

Attackers used a fake PR to inject malicious code, pollute pnpm cache, and auto-publish 84 compromised npm versions within minutes, affecting 42 packages.

OpenCLI is an open-source project on GitHub that structures web pages and chat records through the command line, completing operations without model inference.

A single PR attacked the NPM registry, compromising over 100 packages with more than 5 million weekly downloads.

The TrapDoor supply chain attack uses AI assistant configuration files as an attack vector, stealing developer credentials via malicious packages and PR injection.

This article introduces how to use the Three.js library without using npm, suitable for developers who have basic knowledge of HTML and JavaScript but are not familiar with npm.

TanStack disclosed a sophisticated npm supply chain attack that compromised 42 packages, with attackers injecting malicious code by hijacking maintainer accounts and exploiting npm publishing process vulnerabilities—a major security incident targeting the JavaScript ecosystem in 2026.

Viking recommends using the package version cooling mechanism provided by pnpm, npm, or bun to defend against npm supply chain attacks, ensuring that newly released packages must cool down for a certain period before being installed, thus avoiding attack windows.

This article is merely a aggregation of Hacker News top stories with no deep analysis, technical insights, or original commentary; it repackages news and social media posts with low information density and no engineering value.