alt Hacker News

Postmortem: TanStack NPM supply-chain compromise

848 points • by varunsharma07 • yesterday at 9:08 PM • 327 comments • view on HN

https://github.com/TanStack/router/issues/7383

Comments

ramon156 • today at 8:00 AM

[dead]

omji-krypto • today at 1:31 AM

[flagged]

Amber-chen • today at 1:54 AM

[flagged]

cavemanDigAI • today at 3:12 AM

[dead]

Charlotte_Wang • today at 7:04 AM

[dead]

ljm • yesterday at 9:51 PM

So when do we call out NPM as an easy supply chain vector and also Microsoft's ownership of NPM and their prioritisation of AI at any cost.

NPM is the windows of package managers right now.

➕ show 2 replies

nathanmills • yesterday at 10:22 PM

TanStack? Jia Tan? Who is falling for this???

➕ show 2 replies

Miles_Stone • today at 4:47 AM

The nogil work has been years in the making. Curious how this impacts existing C extensions that relied on GIL guarantees.

makingstuffs • today at 12:18 AM

I've got claude to throw this together to try an help stem the flow. Obviously verify yourself but it will scan your machine to try and find any of the mentioned compromised packages: https://github.com/PaulSinghDev/tanstack-shai-hulud-fix

➕ show 1 reply