Multiple TanStack NPM packages, including popular React libraries like TanStack Router, were compromised in a supply chain attack. The malicious versions contained obfuscated code designed to steal environment variables. The incident highlights ongoing security challenges in the JavaScript ecosystem and the importance of verifying package integrity.
Background
TanStack is a collection of open-source libraries for building modern web applications, with React Query and TanStack Router being among its most popular packages. Supply chain attacks on open-source packages have become increasingly common, targeting widely used dependencies to maximize impact.
- Source: Hacker News (RSS)
- Published: May 12, 2026 at 05:08 AM
- Score: 8.0 / 10