Blog
Engineering notes, security thinking, release announcements, and the occasional thing we got wrong.
On 2026-05-11 a worm hijacked TanStack's own CI and published 42 poisoned npm packages. No maintainer was phished. No credential was stolen. What happened, what to look for, and what to do.
May 11, 2026 · Knox Hutchinson