Vibe Coding
TanStack NPM Supply Chain Attack: Single Fork PR Hijacks 50M+ Weekly Downloads Using Fabricated 'claude' Git Identity
On May 11, a sophisticated supply chain attack compromised 84 malicious versions across 42 @tanstack/* npm packages (50M+ weekly downloads) in under 6 minutes. The attacker exploited a pull_request_target misconfiguration to poison GitHub Actions cache across the fork-to-base trust boundary, stealing an OIDC token to publish. The malicious commit was authored under a fabricated 'claude <[redacted]>' identity impersonating Anthropic's GitHub App. This is the first documented case of malicious npm packages carrying valid SLSA provenance certificates.
Source
↳ Follow the thread