If you install any TanStack package, you might be affected. That's right: on May 11, 2026, one of the most sophisticated npm supply chain attacks ever seen hit the JavaScript ecosystem, and it's still spreading. This is my attempt to explain it simply, because the technical details are buried in postmortems and most developers I know haven't fully digested what this means for them.

What happened

The attackers compromised 42 TanStack packages, publishing 84 malicious versions in a 6-minute window. TanStack is widely used (Query, Router, Start), so the blast radius was insane. But here's what makes this different from a typical "someone hacked a maintainer's account" story: no passwords were stolen. The attackers never needed them.

The clever part: the attack chain

The attacker opened a pull request to TanStack's GitHub repo. It looked innocent. But it exploited three things in sequence:

1. A dangerous GitHub Actions trigger

The workflow used pull_request_target instead of pull_request.…
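To make the pull_request_target point concrete, here is an added illustration of the general "pwn request" pattern that trigger enables. It is not the TanStack workflow (the post does not reproduce it) and not code from the TanStack project: the two workflow files are constructed for this example, and the checker is a heuristic, line-based scan you could point at your own .github/workflows directory. The key difference it looks for: pull_request_target runs the workflow in the base repository's context, with secrets and a write-capable GITHUB_TOKEN, even for a pull request from a fork; if that workflow then checks out the PR head and runs anything the PR controls (npm ci runs package.json lifecycle scripts), the fork author's code executes with the maintainers' credentials. A plain pull_request trigger gives a fork PR a read-only token and no secrets.

```python
import re
import sys
from pathlib import Path

# Constructed example of the risky pattern (assumption for this example,
# NOT the real TanStack workflow): privileged trigger + untrusted checkout
# + execution of repo-controlled commands.
RISKY_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker's commit
      - run: npm ci && npm test                            # runs their scripts
"""

# Constructed hardened counterpart: pull_request gives fork PRs a read-only
# token and no secrets, and the job drops permissions explicitly.
SAFE_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Commands that execute code the pull request author controls
# (package.json scripts, Makefiles, setup.py, ...). Extend as needed.
REPO_CODE_RE = re.compile(
    r"^\s*-?\s*run\s*:.*\b(npm (ci|install|run)|yarn|pnpm|make|pip install)\b",
    re.MULTILINE,
)
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
TARGET_RE = re.compile(r"\bpull_request_target\b")


def _strip_comments(text: str) -> str:
    """Drop YAML comments so a comment mentioning the trigger does not match."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def assess_workflow(text: str) -> list[str]:
    """Return a list of findings describing how far the pwn-request chain goes.

    Heuristic text matching, not a YAML parser: it is meant to triage, and a
    workflow that builds the same chain through a reusable workflow or a
    composite action will not be caught.
    """
    body = _strip_comments(text)
    findings = []
    uses_target = TARGET_RE.search(body) is not None
    if uses_target:
        findings.append(
            "triggers on pull_request_target: runs in base-repo context "
            "with secrets and a write-capable GITHUB_TOKEN"
        )
    if uses_target and HEAD_REF_RE.search(body):
        findings.append(
            "checks out the PR head ref while holding base-repo privileges"
        )
        if REPO_CODE_RE.search(body):
            findings.append(
                "runs repo-controlled commands after the untrusted checkout: "
                "the PR author's package.json scripts execute with secrets"
            )
    return findings


def scan_directory(root: str) -> dict[str, list[str]]:
    """Assess every workflow file under root (e.g. '.github/workflows')."""
    results = {}
    for path in sorted(Path(root).glob("*.y*ml")):
        found = assess_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, found in scan_directory(sys.argv[1]).items():
            print(name)
            for f in found:
                print("  -", f)
    else:
        print("risky:", assess_workflow(RISKY_WORKFLOW))
        print("safe: ", assess_workflow(SAFE_WORKFLOW))
```

Run it with no arguments to compare the two embedded workflows, or pass a path such as `.github/workflows` to triage a real repository. A finding on the trigger alone is not a vulnerability by itself; pull_request_target has legitimate uses (labelling, commenting) as long as the job never checks out or executes anything from the PR head. It is the three-step chain that hands the fork author the repository's secrets.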