Summary

The TanStack npm ecosystem was hit by a supply chain attack that hijacked legitimate build pipelines to distribute malware with valid SLSA provenance. The attack harvests cloud credentials and includes a destructive dead-man's switch that deletes home directories if stolen tokens are revoked.

Take Action: If you installed any @tanstack/* packages on May 11, 2026, treat your entire environment as compromised — but before rotating any credentials, first disable the dead-man's switch service (systemctl --user stop gh-token-monitor.service on Linux or launchctl unload ~/Library/LaunchAgents/com.user.gh-token-monitor.plist on macOS) and remove persistence hooks from .claude/ and .vscode/ directories, because revoking tokens before disabling the monitor will trigger destruction of your home directory.…
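A pre-rotation check for the ordering described above, as an added example that is not part of the original advisory: it reports whether the monitor's unit or plist is still on disk and lists .claude/ and .vscode/ directories for manual review. The ~/.config/systemd/user unit location and the function names are assumptions; the advisory gives only the service name, the plist path and the two directory names.

```shell
#!/bin/sh
# Added example, not from the advisory. Names taken from the advisory:
# gh-token-monitor.service, com.user.gh-token-monitor.plist, .claude/, .vscode/.
# Assumption: a user unit file would sit in ~/.config/systemd/user (the standard
# per-user unit directory); the advisory does not say where it is installed.
UNIT=gh-token-monitor.service
PLIST=Library/LaunchAgents/com.user.gh-token-monitor.plist

# monitor_artifacts HOME_DIR: print monitor files still on disk under HOME_DIR.
monitor_artifacts() {
    for f in "$1/.config/systemd/user/$UNIT" "$1/$PLIST"; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# monitor_running: true only if systemd reports the user unit as active.
monitor_running() {
    command -v systemctl >/dev/null 2>&1 &&
        systemctl --user is-active --quiet "$UNIT" 2>/dev/null
}

# hook_dirs ROOT: list .claude and .vscode directories for manual review.
hook_dirs() {
    find "$1" -type d \( -name .claude -o -name .vscode \) 2>/dev/null || true
}

# safe_to_rotate HOME_DIR
#   0 = nothing found, 1 = monitor still present, 2 = hook directories to review
safe_to_rotate() {
    found=$(monitor_artifacts "$1")
    if [ -n "$found" ] || monitor_running; then
        echo "BLOCK: monitor still present, do not revoke tokens yet"
        [ -z "$found" ] || echo "$found"
        return 1
    fi
    dirs=$(hook_dirs "$1")
    if [ -n "$dirs" ]; then
        echo "REVIEW: inspect these for persistence hooks before rotating:"
        echo "$dirs"
        return 2
    fi
    echo "OK: no monitor artifacts or hook directories under $1"
    return 0
}
```

Source the file and run `safe_to_rotate "$HOME"`; proceed to credential rotation only on exit status 0.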