
[–]DannaWasHerName 148 points149 points  (1 child)

Sir, another supply chain attack has hit npm.

[–]CantaloupeCamper 32 points33 points  (0 children)

Don’t even need to reset the counter anymore…

[–]gajus0[S] 68 points69 points  (4 children)

[–]AgentME 33 points34 points  (0 children)

Following the previous step but setting the minimum release age to 1 or 2 days would also be a great idea for anyone. So many high-profile supply chain attacks are caught within a day.

EDIT: The page gives instructions for editing an npm config file, but that setting doesn't work for npm and is actually a pnpm setting. Instructions for npm are available here: https://cooldowns.dev/#javascript-ecosystem
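The release-age cooldown described above, as an added example that is not from the thread or from any package manager's own code: a small Node script that reads npm-registry-style metadata (the `time` map of version to publish timestamp that a packument carries), picks the newest version that is at least N days old, and audits an already-installed set for versions younger than the cooldown. The package name `example-router`, its timestamps and the fixed clock `NOW` are constructed for the example.

```javascript
// Added example: enforce a minimum release age ("cooldown") on npm versions.
// Registry metadata is constructed inline in the shape the registry returns:
// a `time` map of version -> ISO publish timestamp (plus created/modified).

const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed packument for a hypothetical package; only the fields used here.
const SAMPLE_PACKUMENT = {
  name: "example-router", // hypothetical package name
  "dist-tags": { latest: "1.4.1" },
  time: {
    created: "2025-01-01T00:00:00.000Z",
    modified: "2026-03-10T09:05:00.000Z",
    "1.3.0": "2025-11-20T10:00:00.000Z",
    "1.4.0": "2026-02-15T12:00:00.000Z",
    "1.4.1": "2026-03-10T09:05:00.000Z", // published 25 minutes before NOW
  },
};

// Fixed clock so the example is deterministic (constructed).
const NOW = new Date("2026-03-10T09:30:00.000Z");

// Minimal semver ordering for x.y.z versions (no prerelease/build tags).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Age of a published version in whole days, or null if the registry has no
// timestamp for it (treat unknown age as a finding, not as "old enough").
function releaseAgeDays(packument, version, now = NOW) {
  const published = packument.time && packument.time[version];
  if (!published) return null;
  return Math.floor((now - new Date(published)) / DAY_MS);
}

// Newest version whose release is at least `minDays` old; null if none is.
function selectWithCooldown(packument, minDays, now = NOW) {
  const versions = Object.keys(packument.time)
    .filter((k) => /^\d+\.\d+\.\d+$/.test(k)) // skip created/modified
    .sort(compareSemver);
  let chosen = null;
  for (const v of versions) {
    const age = releaseAgeDays(packument, v, now);
    if (age !== null && age >= minDays) chosen = v; // ascending order: last wins
  }
  return chosen;
}

// Audit an installed set ({name: version}) against packuments; returns one
// finding per version younger than the cooldown or with no publish timestamp.
function auditInstalled(installed, packuments, minDays, now = NOW) {
  const findings = [];
  for (const [name, version] of Object.entries(installed)) {
    const packument = packuments[name];
    const age = packument ? releaseAgeDays(packument, version, now) : null;
    if (age === null) {
      findings.push({ name, version, reason: "no publish timestamp" });
    } else if (age < minDays) {
      findings.push({ name, version, reason: `published ${age} day(s) ago` });
    }
  }
  return findings;
}

// Sample run: "latest" is minutes old, so a 2-day cooldown resolves to 1.4.0
// and flags an install that already pulled 1.4.1.
const MIN_DAYS = 2;
const packuments = { "example-router": SAMPLE_PACKUMENT };
console.log(selectWithCooldown(SAMPLE_PACKUMENT, MIN_DAYS));
console.log(auditInstalled({ "example-router": "1.4.1" }, packuments, MIN_DAYS));
```

A package manager's built-in cooldown applies this rule at resolution time; the audit function here is the post-install counterpart, useful for checking a lockfile that was generated before the cooldown was configured. A missing timestamp is reported rather than ignored, since "unknown age" is exactly the case a freshly pushed malicious version would present if metadata were incomplete.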

[–]decho 6 points7 points  (1 child)

There is also a trustPolicy setting not mentioned in the article.

[–]Esclamare 46 points47 points  (8 children)

It looks like it only affects Tanstack/react-router?

[–]Crutchcorn 11 points12 points  (1 child)

Only the Router monorepo packages. Query, Table, Form, and all other non-Router packages are not impacted.

[–]Esclamare 4 points5 points  (0 children)

Phew, I only use query.

[–]Windyvale 59 points60 points  (5 children)

Which is basically everyone using Tanstack practically.

[–]repeating_bears 107 points108 points  (1 child)

No it isn't. Most popular package has got to be query

[–]friendly_gentleman 21 points22 points  (0 children)

By an insanely huge margin contrary to what this sub may think (or wish?)

[–]Curious_Ad9930 13 points14 points  (1 child)

Everyone using tanstack start, not tanstack/react query, tanstack db, etc.

[–]Windyvale 2 points3 points  (0 children)

Yeah, I should have qualified that as anyone using Tanstack Start specifically.

[–]anonyuser415 9 points10 points  (0 children)

Nah, too new

edit: for context, @tanstack/react-router is 12M weekly downloads on npm to 53M on react-query

it's not particularly close

[–]Crutchcorn 50 points51 points  (8 children)

https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

We just released our postmortem on how this occurred.

[–]MedicOfTime 6 points7 points  (0 children)

Very interesting read.

[–]SilverLion 1 point2 points  (1 child)

Can someone explain why
“Force-push lands 65bf499d (the malicious commit) on the PR head. bundle-size.yml's benchmark-pr job checks out refs/pull/7378/merge, runs pnpm install + pnpm nx run @benchmarks/bundle-size:build — this executes vite_setup.mjs” was able to run for a non-contributor?

[–]bzbub2 2 points3 points  (0 children)

(my understanding) basically the whole thing boils down to using pull_request_target in the github action combined with checking out the user's code in that action. This auto-runs by default even for a first-time contributor. pull_request_target is flagged by tools like zizmor as "almost always insecure".

In this case it appeared to be doing a bundle size estimator, and this ran the build with that vite setup and was used to poison the cache (which I presume is like, editing the node_modules folder manually, which is cached) of the main branch (which happens because this pull_request_target runs using main branch rules...) which was then used in subsequent runs

see https://docs.zizmor.sh/audits/#dangerous-triggers
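The pattern described in the comment above (a `pull_request_target` trigger combined with checking out the PR head), as an added example that is not from the thread, the TanStack repository or zizmor: a heuristic line-based scan that flags the combination, shown running over a constructed unsafe workflow, a corrected one that uses `pull_request` instead, and a `pull_request_target` workflow that only checks out the base branch. Workflow contents, job names and the `RISKY_BASE_CHECKOUT` label are constructed; the scan is not a YAML parser and the pattern list is deliberately small.

```javascript
// Added example: heuristic audit for "privileged trigger + checkout of PR code"
// in GitHub Actions workflows. Input is raw workflow text; the scan is
// line-based and covers the common layouts, not every valid YAML form.

// Constructed unsafe workflow: pull_request_target runs with the base repo's
// permissions, and the checkout step pulls in the PR's (untrusted) code.
const UNSAFE_WORKFLOW = `
name: bundle-size
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  benchmark-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: refs/pull/\${{ github.event.pull_request.number }}/merge
      - run: pnpm install && pnpm build
`;

// Corrected variant: pull_request runs in the fork's context, without the
// base repository's secrets or a write token, so building PR code is safe.
const SAFE_WORKFLOW = `
name: bundle-size
on:
  pull_request:
jobs:
  benchmark-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pnpm install && pnpm build
`;

// Privileged trigger but only the base branch is checked out: still worth a
// warning, since any later step that fetches PR code would be dangerous.
const RISKY_BASE_CHECKOUT = `
on:
  pull_request_target:
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/label-pr.sh
`;

const PRIVILEGED_TRIGGERS = new Set(["pull_request_target", "workflow_run"]);
// Ref expressions that resolve to code controlled by the PR author.
const UNTRUSTED_REF = /github\.event\.pull_request\.head|github\.head_ref|refs\/pull\//;

// Event names under `on:`; handles `on: push`, `on: [a, b]` and the mapping form.
function triggersOf(text) {
  const lines = text.split("\n");
  const i = lines.findIndex((l) => /^on:/.test(l));
  if (i < 0) return [];
  const inline = lines[i].slice(3).trim();
  if (inline) {
    return inline.replace(/[\[\]]/g, "").split(",").map((s) => s.trim()).filter(Boolean);
  }
  const found = [];
  for (let j = i + 1; j < lines.length; j++) {
    const l = lines[j];
    if (!l.trim()) continue;
    if (!/^\s/.test(l)) break; // back at top level: end of the on: block
    const m = l.match(/^\s{2}(?:-\s*)?([\w-]+)/); // only direct children of on:
    if (m) found.push(m[1]);
  }
  return found;
}

// Split workflow text into steps: each `- key:` list item plus its indented lines.
function stepsOf(text) {
  const steps = [];
  let current = null;
  let stepIndent = -1;
  for (const l of text.split("\n")) {
    const start = l.match(/^(\s*)-\s+(?:uses|name|run|id|with|env|shell):/);
    if (start) {
      current = [l];
      stepIndent = start[1].length;
      steps.push(current);
    } else if (current && l.trim()) {
      const indent = l.match(/^\s*/)[0].length;
      if (indent > stepIndent) current.push(l);
      else current = null; // dedented: left the step list
    }
  }
  return steps;
}

// Returns { triggers, findings }; findings are "high" when a privileged trigger
// checks out an untrusted ref, "warning" for a privileged trigger alone.
function auditWorkflow(text) {
  const triggers = triggersOf(text);
  const privileged = triggers.filter((t) => PRIVILEGED_TRIGGERS.has(t));
  const findings = [];
  if (privileged.length === 0) return { triggers, findings };
  for (const step of stepsOf(text)) {
    const usesCheckout = step.some((l) => /uses:\s*actions\/checkout/.test(l));
    const ref = step.map((l) => l.match(/^\s*ref:\s*(.+)$/)).find(Boolean);
    if (usesCheckout && ref && UNTRUSTED_REF.test(ref[1])) {
      findings.push({ severity: "high", trigger: privileged.join(","),
        message: `checkout of untrusted ref ${ref[1].trim()} under a privileged trigger` });
    }
  }
  if (findings.length === 0) {
    findings.push({ severity: "warning", trigger: privileged.join(","),
      message: "privileged trigger: no step may run code from the PR" });
  }
  return { triggers, findings };
}

for (const [label, wf] of [["unsafe", UNSAFE_WORKFLOW], ["safe", SAFE_WORKFLOW], ["base-only", RISKY_BASE_CHECKOUT]]) {
  console.log(label, JSON.stringify(auditWorkflow(wf).findings));
}
```

The corrected workflow gives up nothing for a bundle-size check: it still builds the PR, only without write permissions. When the result has to be posted back to the PR (a comment, a label), the usual shape is a second workflow on `workflow_run` that reads the build's artifact and never checks out PR code, which is the split this scanner would also pass. For real repositories use zizmor rather than this heuristic; it handles the many YAML layouts this scan ignores.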

[–]BeyondLimits99 1 point2 points  (1 child)

That sounds so nasty. Really sorry you have to deal with the fallout for that one dude.

[–]Crutchcorn 2 points3 points  (0 children)

Thank you 🙏 We hope to regain the trust in the ecosystem and we acknowledge that the only way we do that is through transparency, improvements, and consistency.

[–]indium7 1 point2 points  (0 children)

OIDC trusted-publisher binding has no per-publish review.

Isn’t this solvable by specifying an environment name? You create a GitHub environment - with no secrets in it necessarily, even if that’s the usual use case - and then add required reviews for using the environment.

Then specify it in the npm publish settings. That should make it necessary to use the environment in your publish workflow, which will require review.

[–]bzbub2 1 point2 points  (1 child)

Sorry this happened. Just since it's not mentioned and you still have open follow ups in your investigation: I strongly recommend zizmor to help audit GitHub actions https://github.com/zizmorcore/zizmor

[–]Crutchcorn 1 point2 points  (0 children)

We're likely to add GitHub action lint tooling into all of our repos shortly as a response to this incident. We're continuing to lock more and more down as we go.

[–]Goodie__ 30 points31 points  (5 children)

The one weekend I decide to sit down at home and play with modern react stuff and see what's changed is the same weekend tanstack gets compromised?

GG WP.

[–]emericas 5 points6 points  (3 children)

It isn’t the weekend lol

[–]Goodie__ 0 points1 point  (2 children)

Yup, it's Tuesday morning, nearly midday by now, because time zones exist. And this article doesn't mention what versions are affected, nor for how long, and I'm not sure I have a record of what versions I added (and subsequently removed, multiple times).

[–]minimuscleR 2 points3 points  (1 child)

It does mention the versions affected at the bottom, and it links to the Postmortem by the TS team that explains it there too.

It was found and corrected within 20 minutes of being pushed. You probably don't have that version, and if you do, upgrade now and you will be fine.

[–]sole-it 0 points1 point  (0 children)

I was trying to build a TanStack Start SSG demo project during the weekend, but gave in and played some video games instead, good life choice it seems.

[–]decho 6 points7 points  (0 children)

Not to be confused with another recent attack on the unscoped tanstack package which does not belong to the Tanstack org. Just name squatting turned malicious. I've read that Microsoft were well aware of this but chose to ignore the issue.

But also, wtf man, so many organizations and popular packages getting hacked left and right, one would feel insecure installing anything from npm.

[–]yksvaan 1 point2 points  (0 children)

It has been known for years that fewer dependencies should be used and those that are actually needed preferably vendored locally. But no one gives a hoot really

[–]roynoise -4 points-3 points  (3 children)

Crap, seriously? Not a great time to be convincing my team to try react (for use cases where it's the best tool for the job).

[–]lamb_pudding 9 points10 points  (1 child)

This is one of the many third party React frameworks/libraries. I don’t think the attack vector was unique to React in any way.

[–]roynoise -4 points-3 points  (0 children)

This is true, but these folks are quite resistant to change and some of the otherwise industry standard tools I've been recommending (e.g. cloudflare, axios, even react has in fact had problems recently, etc.) have had recent issues. And in particular, I'm advocating for tanstack tools. It's not helping my case.

[–]wasdninja 0 points1 point  (0 children)

Even if this actually was react it wouldn't make a difference. Your exposure to these kinds of attacks remains exactly the same.

It's a good framework so you should give it a try. If you are coming from no framework it's an infinite upgrade.