Red Hat Cloud Services npm packages were compromised with malicious releases; a long list of affected packages and versions is disclosed, signaling a supply-chain security incident.
TanStack disclosed a multi-vector npm supply-chain compromise affecting 84 malicious package versions across 42 @tanstack/* packages, traced to a PR-wrapping cache-poisoning chain and in-memory OIDC token exfiltration, with deprecation and credential-rotation guidance following rapid external detection.
TanStack npm packages were compromised via a supply-chain attack using optionalDependencies to pull in a malicious git commit; payload exfiltrates credentials and republishes vulnerable packages; GitHub Actions OIDC trusted-publisher config suggests CI workflow compromise; multiple TanStack packages affected with two bad versions each, plus broader ecosystem risk.
Two malicious Axios releases were briefly published on npm due to a compromised maintainer account, introducing a remote-access trojan via plain-crypto-js; remediation focuses on OIDC-based publishing, immutable releases, CI publishing, and credential hygiene.