#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's swithch"):#SoftwareSupplyChainSecurity👇

#npm: TanStack npm packages (84 in total) compromised in a supply chain hack utilising a malicious payload designed to destroy files on developer machines if a stolen GitHub token is revoked ("dead-man's swithch"):
#SoftwareSupplyChainSecurity

TanStack npm Packages Hit by Mini Shai-Hulud | Snyk

On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistralai/* packages, and others) by chaining a GitHub Actions "Pwn Request," cache poisoning, and OIDC token extraction from runner memory — producing the first npm supply chain attack with valid SLSA Build Level 3 attestations. Here's what happened, what was stolen, and what you need to do right now.

Snyk (snyk.io)

#vm2 NodeJS Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution - patch now!
Vm2 is used by 900+ #NPM packages:

vm2 Node.js Library Vulnerabilities Enable Sandbox Escape and Arbitrary Code Execution

12 vm2 flaws (CVSS up to 10.0) enable sandbox escape in ≤3.11.1, causing remote code execution risk; patched in 3.11.2.

The Hacker News (thehackernews.com)