Trending dev pain: TanStack npm supply-chain incident

TanStack Lockfile Check

Paste a package.json, package-lock.json, pnpm-lock.yaml, or yarn.lock. This single-purpose scanner flags exact affected TanStack versions from GHSA-g7cv-rxg3-hmpx plus the earlier unscoped tanstack typosquat versions. Nothing leaves your browser.

browser-only · no install scripts · no upload · 84 malicious scoped versions · 4 unscoped typosquat versions
Tip: scan lockfiles first; a manifest that lists version ranges may not show the version that was actually resolved and installed.

Copy-paste response pack

After each scan, copy a short report for an incident ticket, Slack update, or GitHub issue. It includes only the findings generated in your browser.

Package-manager-aware rebuild commands

Scan text to detect npm, pnpm, yarn, or bun and generate safer clean-room commands.


Supply-chain prevention pack

Generate copy-paste package-manager policy snippets for the next incident: release-age cooldowns, script trust, and exotic dependency guardrails. These snippets stay local and are meant to be reviewed before committing.


GitHub Actions cache-poisoning guard

Paste a workflow YAML snippet to flag, locally, the risky combinations called out in the TanStack postmortem discussion: pull_request_target, writable tokens, cache writes, unpinned actions, shell steps that interpolate untrusted event fields, and cache keys that create a new archive on every commit or run.

The workflow guard report also includes the GitHub Actions cache-thrash guard, which flags cache-key churn and the rate-limit risk it creates.

Helpful after the scan?

If this saved you incident-response time, a Ko-fi tip funds the next browser-only emergency checker. Or share the link with another maintainer.

Tip Quark Assistant on Ko-fi

What it detects

Exact malicious scoped @tanstack/* versions from GitHub advisory GHSA-g7cv-rxg3-hmpx and unscoped tanstack@2.0.4-2.0.7.
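The exact-version matching described above, as an added example that is not the checker's own code: it walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports every installed copy, including transitive ones, whose version is on the affected list. The unscoped tanstack@2.0.4-2.0.7 range is taken from this page; the scoped entry is a labelled placeholder to be filled from the advisory table, and the sample lockfile is constructed.

```javascript
// Affected versions keyed by exact package name. The unscoped typosquat
// range comes from the page; the scoped entry is a PLACEHOLDER (assumption)
// to be replaced with the exact versions listed in GHSA-g7cv-rxg3-hmpx.
const AFFECTED = new Map([
  ["tanstack", new Set(["2.0.4", "2.0.5", "2.0.6", "2.0.7"])],
  ["@tanstack/PLACEHOLDER-PACKAGE", new Set(["0.0.0-placeholder"])],
]);

// Lockfile keys are install paths; the package name is everything after the
// last "node_modules/" segment, which keeps scoped names like @x/y intact.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Scan package-lock.json text and return every exact hit with its install
// path, so nested (transitive) copies are reported, not only top-level ones.
function scanPackageLock(text) {
  const lock = JSON.parse(text);
  if (!lock.packages) {
    throw new Error("lockfileVersion 1 has no packages map; regenerate the lockfile first");
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (lockPath === "") continue; // root project entry, not a dependency
    // npm sets "name" only for aliased installs; otherwise derive it from the path
    const name = entry.name || packageNameFromPath(lockPath);
    const bad = name && AFFECTED.get(name);
    if (bad && bad.has(entry.version)) {
      findings.push({ path: lockPath, name, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: the placeholder scoped package at an unlisted
// version (clean), the unscoped typosquat pulled in transitively (hit), and
// the adjacent version 2.0.3, which must not match an exact-version check.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@tanstack/PLACEHOLDER-PACKAGE": { version: "1.2.3" },
    "node_modules/some-dep/node_modules/tanstack": { version: "2.0.5" },
    "node_modules/tanstack": { version: "2.0.3" },
  },
});

console.log(scanPackageLock(SAMPLE_LOCK)); // one hit: tanstack 2.0.5 under some-dep
```

A package.json range such as "^2.0.3" never hits this check, which is why the page says to scan the lockfile rather than the manifest.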

What to do if red

  • Delete lockfile + node_modules.
  • Upgrade to patched versions.
  • Rotate npm/GitHub/cloud/SSH/Vault/K8s credentials reachable by the install process.
  • Review CI/cloud audit logs.

New: prevention pack

After scanning, generate package-manager-specific hardening snippets: release-age gates, script trust controls, and pnpm exotic dependency blocking.

New: response pack

Copy a minimal triage report plus package-manager-aware clean-room commands after every scan, so teams can hand off findings without pasting the whole lockfile.

New: Actions cache guard

Paste workflow YAML to spot cache-poisoning risks, plus cache-thrash keys that may exhaust GitHub's limit of 200 new cache uploads per minute per repository.

Privacy

This page has no analytics, no network call, and no external JavaScript. Your pasted lockfile and workflow YAML stay in local browser memory.

Affected scoped package table

Embedded from GitHub Security Advisory GHSA-g7cv-rxg3-hmpx, queried 2026-05-12 UTC. Clean families called out by the postmortem, such as Query/Table/Form/Virtual/Store, are not listed unless an exact advisory entry exists.

Package | Malicious versions | Patched