TanStack, one of the most widely used open-source JavaScript libraries in the world, just disclosed a supply-chain attack.
42 TanStack npm packages were compromised earlier today. 84 malicious versions were published in a 10-minute window. The payload exfiltrates AWS credentials, Google Cloud credentials, Kubernetes secrets, Vault tokens, GitHub tokens, npm authentication tokens, and SSH keys.
Anyone who installed a TanStack package during the 10-minute window between 19:20 and 19:30 UTC should treat the host machine as compromised and rotate all credentials immediately.
TanStack packages are dependencies in millions of projects. React Query alone has over 10 million weekly npm downloads. This is not a niche library. It is infrastructure that sits inside applications at companies of every size.
The malicious code was smuggled in through a git-resolved optional dependency whose install script runs a 2.3 MB payload hidden at the package root. npm's unpublish policy is blocking removal of most affected packages because third-party projects depend on them. All 84 versions are being deprecated and npm security is working to pull the tarballs at the registry level.
Supply-chain attacks on open-source software are no longer theoretical. The dependencies that modern applications are built on are maintained by small teams, distributed through centralized package registries, and automatically installed by build systems that most developers never audit. One compromised publish token and 10 minutes is all it takes.
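The two traits the disclosure describes, an optional dependency resolved from a git URL rather than the registry and an install-time lifecycle script, are both visible in a package's manifest. The script below is an added example (not code from TanStack or from the article) that flags them; the manifests it scans are constructed samples with placeholder names, and in practice you would feed it every package.json under node_modules.

```javascript
// Added example: audit package manifests for git-resolved optional dependencies
// and install-time lifecycle scripts, the two traits named in the disclosure.
const GIT_PREFIX = /^(git(\+(ssh|https?|file))?:|github:|gitlab:|bitbucket:|gist:)/;
const SHORTHAND = /^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/; // "owner/repo" or "owner/repo#ref"
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// True when a dependency spec fetches from git instead of the npm registry.
function isGitSpec(spec) {
  return GIT_PREFIX.test(spec) || SHORTHAND.test(spec) || /\.git(#.*)?$/.test(spec);
}

// Returns one finding per suspicious trait across all manifests.
function auditManifests(manifests) {
  const findings = [];
  for (const pkg of manifests) {
    const id = `${pkg.name}@${pkg.version}`;
    for (const [dep, spec] of Object.entries(pkg.optionalDependencies || {})) {
      if (isGitSpec(spec)) {
        findings.push({ pkg: id, issue: "git-resolved optionalDependency", detail: `${dep}: ${spec}` });
      }
    }
    for (const hook of INSTALL_HOOKS) {
      if (pkg.scripts && pkg.scripts[hook]) {
        findings.push({ pkg: id, issue: `install-time script (${hook})`, detail: pkg.scripts[hook] });
      }
    }
  }
  return findings;
}

// Constructed sample manifests with placeholder names; none are real packages.
const SAMPLE_MANIFESTS = [
  { name: "@example/ui-lib", version: "1.0.0",
    dependencies: { "example-dep": "^1.3.0" },
    optionalDependencies: { "example-native-helper": "github:example-org/example-native-helper#deadbeef" } },
  { name: "example-native-helper", version: "0.0.1",
    scripts: { postinstall: "node ./bin/setup.js" } },
  { name: "@example/clean-lib", version: "2.1.0",
    dependencies: { "example-dep": "^1.3.0" }, scripts: { test: "vitest" } },
];

for (const f of auditManifests(SAMPLE_MANIFESTS)) {
  console.log(`${f.pkg}: ${f.issue} -> ${f.detail}`);
}
```

A hit on either trait is not proof of compromise by itself, but a package that shows both, as the payload delivery described above does, deserves a manual look before the install is trusted.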