Tag
The article details a supply-chain attack on the TanStack library via npm, offering a comprehensive guide to protect development environments by locking dependency ages, pinning versions, and auditing CI/CD pipelines and IDE extensions.
Detailed postmortem of a supply-chain attack on TanStack's npm packages involving cache poisoning, OIDC token extraction, and credential harvesting malware. All affected versions deprecated; users advised to rotate credentials.
A new npm package called safe-install is introduced to enhance supply chain security by allowing developers to disable install scripts by default and block exotic sub-dependencies, addressing ongoing vulnerabilities.
A developer shares a tip to configure a minimum release age for package installs to mitigate supply-chain attacks.
A high-severity supply-chain compromise affected 42 TanStack npm packages, exfiltrating cloud credentials and SSH keys. Users are advised to rotate credentials and reinstall from clean lockfiles if they installed packages during the attack window.
Reports indicate a security compromise affecting TanStack npm packages, impacting developers using the TanStack Router and Start frameworks.
A satirical incident report describes a catastrophic, multi-stage supply chain attack originating from a compromised JavaScript dependency and spreading through Rust and Python ecosystems before being accidentally resolved by a mining worm.
ActionFence is an open-source middleware tool for enforcing security policies, such as spend caps and identity tiers, on MCP servers and Express APIs to protect against agent misuse.
npmx is an MIT-licensed alternative web frontend for the npm registry that adds security and usability features—like transitive install sizes, install-script disclosure, and outdated/vulnerable-dependency trees—spurring npmjs.com to finally ship dark mode.
OpenAI Node.js SDK v6.31.0 release - TypeScript/JavaScript library for accessing OpenAI's REST API with support for Chat Completions and Responses APIs, featuring workload identity authentication for cloud environments.