Honestly, it's exhausting to wake up and find out there's yet another attack on the npm ecosystem.
Socket reported on social media that they had identified compromised packages, some of them TanStack packages.
Why are attackers so obsessed with npm? Seriously, can you stop already?
If you still use npm and haven't disabled post-install scripts, you're in serious danger.
Go and disable that right now.
Start using pnpm: version 11 disables this functionality by default. Of course, some packages still need post-install scripts, and in those cases you should review and authorize them manually.
Also, there are tools you can run before installing a package: Socket's sfw and npq.
Hope this helps.