In May 2026, attackers compromised 42 TanStack packages by poisoning a GitHub Actions build cache through a pull request. The malicious code exfiltrated AWS credentials, GCP tokens, Kubernetes secrets, and SSH keys from every developer who installed the affected versions. This was not an isolated incident. Hundreds of npm packages were compromised through similar vectors throughout 2025 and 2026.

GPC is a TypeScript CLI for the Google Play Developer API. It handles service account credentials, access tokens, and publish workflows for Android apps. If an attacker compromised our npm packages, they could steal every credential that passes through the tool.

This article covers every concrete protection we shipped across v0.9.50 through v0.9.80. Not theory. Not recommendations. What we actually changed, and what you can copy.

Key Takeaways

Delete your long-lived NPM_TOKEN and switch to Trusted Publisher (OIDC). It takes 10 minutes.…
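The first takeaway, shown as a GitHub Actions workflow. This is an added example, not GPC's own release workflow; the workflow name, tag trigger, environment name and build script are placeholders, and the package is assumed to already have this repository and workflow file registered as a Trusted Publisher on npmjs.com.

```yaml
# Added example, not GPC's own workflow. Workflow name, tag trigger,
# environment name and build script are placeholders.
#
# BEFORE (weak): a long-lived automation token stored as a repository
# secret. Anyone who can read CI secrets, or any step that runs inside
# this job, can publish arbitrary versions of the package with it.
#
#   - run: npm publish
#     env:
#       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
#
# AFTER (hardened): npm Trusted Publishing. The job requests a short-lived
# OIDC token from GitHub; npmjs.com checks that it was issued for this exact
# repository and workflow file, which must be registered beforehand under the
# package's Trusted Publisher settings. There is no stored secret to steal.
name: publish

on:
  push:
    tags: ["v*"]            # placeholder trigger

permissions:
  contents: read            # nothing else by default
  id-token: write           # required to mint the OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm        # optional: gate behind an environment with required reviewers
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave a GitHub token in .git/config

      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          registry-url: "https://registry.npmjs.org"   # writes the .npmrc that npm publish reads

      # Trusted publishing needs npm >= 11.5.1; upgrade in case the runner image lags.
      - run: npm install -g npm@latest

      - run: npm ci --ignore-scripts   # install exactly what the lockfile pins; skip lifecycle scripts
      - run: npm run build             # placeholder build step

      # No NODE_AUTH_TOKEN: npm exchanges the OIDC token for a one-shot publish
      # credential and attaches a signed provenance attestation automatically.
      - run: npm publish --access public
```

After the first successful publish, revoke the old granular or classic token in the npm account settings so the weak path is actually closed rather than merely unused.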