Vibe Coding
Pattern: npm Supply Chain Attacks Accelerating — Three Major Incidents in 10 Days Target CI/CD Credentials
Three significant npm supply chain attacks hit in rapid succession: TanStack (May 11, 84 malicious versions via GitHub Actions PR hijack), node-ipc (May 14, credential-stealing payload in 10M weekly-download package), and AntV (May 19, 639 versions in 22 minutes harvesting 20+ CI/CD credential types). All three exploited maintainer account compromise or CI trust boundaries, not registry vulnerabilities. The pattern: attackers are pivoting from targeting end-users to targeting developer infrastructure and CI/CD secrets. Pin your npm dependencies and audit your GitHub Actions trust boundaries.
↳ Follow the thread