‼️🚨 BREAKING: A new npm supply-chain attack uses a dead-man's switch. The payload plants a watcher on your machine that nukes your home directory the second you revoke the GitHub token it stole from you. The compromise happened today, across 42 official tanstack npm packages, 84 malicious versions in total. tanstack/react-router alone pulls more than 12 million weekly downloads. The attacker forked TanStack's repository and pushed a single hidden commit. From there, they tricked TanStack's own release system into signing the malicious packages as if they were the real thing. To npm, and to anyone checking the cryptographic proof of origin (SLSA provenance), the poisoned versions looked 100% legitimate. Maintainer Tanner Linsley confirmed the whole team had 2FA enabled. It didn't matter. This is the first documented npm worm in history that ships with a valid, signed certificate of authenticity, the same one defenders rely on to know a package wasn't tampered with.

@IntCyberDigest Good luck asking Claude for mitigation tips

@slangchain @IntCyberDigest Use docker

@imacretin @IntCyberDigest where do the packages on the image come from?

@slangchain @imacretin @IntCyberDigest Just don’t update 0 age you can set it to 3 days for example… that way you can read this article without stressing

@slangchain @imacretin @IntCyberDigest Just asked Claude code to do this now they banned me… nah joking that eager idiot did this and also deleted production because it can lol