TanStack 最近有什么新动态？

traeai 已收录 13 篇与 TanStack 相关的内容。最新一篇是「Postmortem: TanStack npm supply-chain compromise」，由 Hacker News Best 发布。

公司

TanStack

别名：tan_stack

开源库和框架提供商，专注于 React 生态系统的高性能解决方案。

已跟踪 13 条高相关材料

TraeAI 观察

如果只读 3 篇

Postmortem: TanStack npm supply-chain compromise

Hacker News Best · 9.5 分

TanStack suffered an npm supply-chain compromise on May 11, 2026, where attackers published 84 malicious versions across 42 packages using...

TanStack NPM Packages Compromised

Hacker News Best · 9.5 分

TanStack 多个 npm 包的最新版本被植入恶意代码，攻击者通过窃取的开发者凭证发布污染包，建议立即排查依赖并撤销旧 token。

npm 生态遭大范围投毒：TanStack、Mistral AI、UiPath 等受波及，可窃取云密钥与 GitHub 令牌

AI HOT 精选 · 9.2 分

npm 生态遭大规模供应链攻击，TanStack、Mistral AI、UiPath 等超 160 个包受影响，攻击者通过 GitHub Actions 漏洞利用 OIDC 令牌实现合法发布，植入可窃取云密钥与 GitHub 令牌的恶意代码，已导致近 373 个恶意版本传播。

Postmortem: TanStack npm supply-chain compromise

Hacker News Best5月12日2746 字 (约 11 分钟)

TanStack suffered an npm supply-chain compromise on May 11, 2026, where attackers published 84 malicious versions across 42 packages using GitHub Actions cache poisoning and OIDC token extraction without stealing npm tokens directly.

入选理由：Attackers exploited pull_request_target and GitHub Actions cache poisoning to publish 84 malicious versions in 6 minutes.

FeaturedArticle#Security#Supply Chain#npm#GitHub Actions#TanStack英文

TanStack NPM Packages Compromised

Hacker News Best5月12日2056 字 (约 9 分钟)

Several latest versions of TanStack's npm packages were found to contain malware, likely due to stolen developer credentials; users are advised to audit dependencies and revoke tokens immediately.

入选理由：受感染的包包括 @tanstack/react-router 和其他子项目，发布时间集中在 2026 年 5 月 11 日。

FeaturedArticle#npm#security vulnerability#TanStack#supply chain attack#frontend英文

npm 生态遭大范围投毒：TanStack、Mistral AI、UiPath 等受波及，可窃取云密钥与 GitHub 令牌

npm Ecosystem Hit by Large-Scale Poisoning: TanStack, Mistral AI, UiPath Affected, Can Steal Cloud Keys and GitHub Tokens

AI HOT 精选5月12日3997 字 (约 16 分钟)

A large-scale supply chain attack hit the npm ecosystem, affecting over 160 packages including TanStack, Mistral AI, and UiPath; attackers used GitHub Actions vulnerabilities and OIDC tokens to publish malicious code under trusted identities.

入选理由：攻击者利用 GitHub Actions 的 pull_request_target 漏洞与跨 fork 缓存投毒，绕过双重验证完成恶意发布。

FeaturedArticle#npm#supply chain attack#GitHub Actions#security vulnerability#open source ecosystem中文

TanStack 又被攻击了
https://t.co/aoilMQON1y
感觉现在这安全事件就没停过，Next 前几天也经常被搞。

攻击者发布了 84 malicious versions，
具...

TanStack Is Attacked Again

Viking(@vikingmute)5月12日501 字 (约 3 分钟)

Attackers used a fake PR to inject malicious code, pollute pnpm cache, and auto-publish 84 compromised npm versions within minutes, affecting 42 packages.

入选理由：攻击者利用伪造的 zblgg 用户提交 PR 7378，成功绕过审查

FeaturedTweet#npm#supply-chain attack#GitHub Actions#TanStack#security中文

A single PR just hijacked the NPM registry...

Fireship5月15日1632 字 (约 7 分钟)

A single PR attacked the NPM registry, compromising over 100 packages with more than 5 million weekly downloads.

入选理由：100+包被污染，每周下载量超500万

FeaturedVideo#NPM#Security#Supply Chain Attack英文

2026 05 13 HackerNews

SuperTechFans5月13日13728 字 (约 55 分钟)

HackerNews 2026年5月13日的热门话题涵盖了供应链攻击、开源信任危机、AI对编程语言的影响、软件架构实践、欧盟未成年人保护法规、医疗研究进展及技术展示等内容，提供了多维度的技术洞察。

入选理由：TanStack遭遇供应链攻击，建议全面更换凭证并加固工作流。

FeaturedArticle#供应链安全#开源#AI#软件架构#法规#医疗中文

We recently made Lovable apps server-side rendered, which means better default discoverability from search engines like Google and AI answer engines like ChatGPT and Perplexity.

Lovable(@lovable_dev)6月2日202 字 (约 1 分钟)

Lovable has rebuilt its apps with server-side rendering (SSR) to improve default discoverability in search engines and AI answer engines like Google, ChatGPT, and Perplexity, migrating its foundation to TanStack Start for better type safety and deployment flexibility.

入选理由：Lovable 应用通过服务端渲染（SSR）提升了在 Google、ChatGPT 和 Perplexity 中的默认可发现性。

FeaturedTweet#Lovable#TanStack Start#SSR#AI Answer Engines#React英文

TanStack Details Sophisticated npm Supply Chain Attack That Compromised 42 Packages

InfoQ5月20日3004 字 (约 13 分钟)

TanStack disclosed a sophisticated npm supply chain attack that compromised 42 packages, with attackers injecting malicious code by hijacking maintainer accounts and exploiting npm publishing process vulnerabilities—a major security incident targeting the JavaScript ecosystem in 2026.

入选理由：攻击者入侵了42个npm软件包，通过劫持维护者账户注入恶意代码

FeaturedArticle#npm#Supply Chain Security#Cybersecurity#TanStack#Malware英文

针对最近的各种攻击，我一直在用 pnpm 的
minimumReleaseAge=10080 （分钟）或者 npm 的
min-release-age=7 （天，v11.10+）或者 bun 的
m...

For recent attacks, I've been using pnpm's minimumReleaseAge=10080 (minutes) or npm's min-release-age=7 (days, v11.10+) or bun's minimumReleaseAge=604800 (seconds). It's a very practical and effective defense against npm supply chain attacks.

Viking(@vikingmute)5月13日357 字 (约 2 分钟)

Viking recommends using the package version cooling mechanism provided by pnpm, npm, or bun to defend against npm supply chain attacks, ensuring that newly released packages must cool down for a certain period before being installed, thus avoiding attack windows.

入选理由：pnpm、npm 和 bun 提供了包版本冷却机制，分别设置为 10080 分钟、7 天和 604800 秒。

FeaturedTweet#npm#supply chain attack#security#package manager中文

Thank you @tannerlinsley 🫡

Anton Osika – eu/acc(@antonosika)6月2日68 字 (约 1 分钟)

Lovable has restructured its apps to be server-side rendered, enhancing discoverability in search engines like Google and AI answer engines such as ChatGPT and Perplexity, built on TanStack Start due to its active maintenance and strong community.

入选理由：Lovable 应用通过服务端渲染（SSR）提升了搜索引擎和 AI 答案引擎的可发现性。

FeaturedTweet#TanStack#Server-Side Rendering#Lovable#Frontend Architecture#AI Search英文

Another Day Another Massive JavaScript Supply Chain Attack. Replit Users Are Safe.

Amjad Masad(@amasad)5月12日127 字 (约 1 分钟)

Replit users remained unaffected by the Tanstack supply chain attack due to secure package manager defaults, confirming zero impact and highlighting the importance of platform security presets.

入选理由：Tanstack 攻击波及广泛，但 Replit 平台受影响用户数确认为零。