Loku hack ekak yanawa

[Emios]

Website hadanna epa

 

[Yeezus]

Mythos where are you !

 

[Emios]

Mythos where are you !

 

[helplesser]

We are using TanStack Query

 

[Emios]

We are using TanStack Query

Rip

 

[හෙනයා]

We are using TanStack Query

 

[Yudewwa]

අනේ අර @Lovtus වේසිගෙ පුතාගේ ඇස් වහ වැදිලද මන්ද...

 

[Ldy]

npm team eke kello innawa neda wadipura

---

Website hadanna epa

npm is just one package manager.. use something else?
------ Post added on May 12, 2026 at 8:02 PM

 

[Mr.Curious]

Kim konj ge kollo wada pennai

 

[UbeThaththa]

හිංගලෙන් දාපංකො මොකද වෙලා තියෙන්නෙ කියල

 

[sinhawanshaya]

හිංගලෙන් දාපංකො මොකද වෙලා තියෙන්නෙ කියල

නිදහස් අද්යාපනෙ ඉන්ග්‍රීසි free

 

[UbeThaththa]

නිදහස් අද්යාපනෙ ඉන්ග්‍රීසි free

බොරුවට හිනා උනාට උබට තේරුනෙත් නෑ නේද?

 

[sinhawanshaya]

බොරුවට හිනා උනාට උබට තේරුනෙත් නෑ නේද?

මම cybersecurity සහා computer science ගැන දන්නවා, එක නිසා තෙරුනා

 

[6h057]

Mythos where are you !

 

[UbeThaththa]

මම cybersecurity සහා computer science ගැන දන්නවා, එක නිසා තෙරුනා

තෝයි මායි දන්න cybersecurity සහ computer science
තේරුනේ නැත්තං ලැජ්ජ වෙන්නෙ නැතුව තේරුනේ නෑ කියහං මම වගේ

 

[ozykolla]

JavaScript

 

[Bam]

මූ වෙබ් සයිට් හදන්න අරං වෙච්චි වැඩක්.

 

[6h057]

On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages by combining: the pull_request_target "Pwn Request" pattern, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of an OIDC token from the GitHub Actions runner process. No npm tokens were stolen and the npm publish workflow itself was not compromised.

The malicious versions were detected publicly within 20 minutes by an external researcher ashishkurmi working for stepsecurity. All affected versions have been deprecated; npm security has been engaged to pull tarballs from the registry. We have no evidence of npm credentials being stolen, but we strongly recommend that anyone who installed an affected version on 2026-05-11 rotate AWS, GCP, Kubernetes, Vault, GitHub, npm, and SSH credentials reachable from the install host.

Tracking issues: https://github.com/TanStack/router/issues/7383

Packages affected​

42 packages, 84 versions (two per package, published roughly 6 minutes apart). See the tracking issue for the full table. Confirmed-clean families: @tanstack/query*, @tanstack/table*, @tanstack/form*, @tanstack/virtual*, @tanstack/store, @tanstack/start (the meta-package, not @tanstack/start-*).

What the malware does​

When a developer or CI environment runs npm install, pnpm install, or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3 MB obfuscated router_init.js smuggled into the affected tarball. The script:

• Harvests credentials from common locations: AWS IMDS / Secrets Manager, GCP metadata, Kubernetes service-account tokens, Vault tokens, ~/.npmrc, GitHub tokens (env, gh CLI, .git-credentials), SSH private keys
• Exfiltrates over the Session/Oxen messenger file-upload network (filev2.getsession.org, seed{1,2,3}.getsession.org) — end-to-end encrypted with no attacker-controlled C2, so blocking by IP/domain is the only network mitigation
• Self-propagates: enumerates other packages the victim maintains via registry.npmjs.org/-/v1/search?text=maintainer:<user> and republishes them with the same injection

Because the payload runs as part of npm install's lifecycle, anyone who installed an affected version on 2026-05-11 must treat the install host as potentially compromised.

 

[KSPathirana]

So what should we do? I just finished the MVP of a product using Nextjs, supabase and Tanstack Query

 

[Schrodinger Cat]

bump