Tanstack | 今天abc看了啥🤔现在我也不知道这频道发了啥了,各位慢慢吃瓜,将就着看联系我请去 @abc1763613206友链儿@cyberElaina@rvalue_daily@billchenlahttps://channel.0w0.best🔴 Tanstack 系列包被骇https://channel.0w0.best/posts/7305https://channel.0w0.best/posts/7305Tue, 12 May 2026 07:13:03 GMT<i><b>🔴</b></i> <mark>Tanstack</mark> 系列包被骇。<br /><br />- 约 42 个包的 84 个版本受到影响;<mark>Tanstack</mark> Query (<code>@tanstack/react-query</code>) 未受影响。 [1]<br />- 在 5/11 安装了受影响版本的设备可能也因此被骇。<br />- 恶意行为包括收集设备上的凭据,以及向设备用户维护的 npm 包加入恶意代码并重新打包发布等。<br />- 有用户称,恶意软件会在设备上持续运行,如果监测到其收集的 token 被 revoke,则会清空设备家目录。 [2]<br /><br /><a href="https://tanstack.com/blog/npm-supply-chain-compromise-postmortem" target="_blank">tanstack.com/~</a><br /><br />1. <a href="https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx" target="_blank">GHSA-g7cv-rxg3-hmpx</a><br />2. <a href="https://github.com/TanStack/router/issues/7383#issuecomment-4425225340" target="_blank">gh:<mark>TanStack</mark>/router#7383</a><br /><br /><a href="/search/%23Tanstack">#Tanstack</a><a href="https://tanstack.com/blog/npm-supply-chain-compromise-postmortem" target="_blank"> <div>Tanstack</div> <img class="link_preview_image" alt="Postmortem: TanStack npm supply-chain compromise | TanStack Blog" src="/static/https://cdn4.telesco.pe/file/nwSLM8uT7jzk371_nlW96T7WTGscRLlrEq4wkGebf4b5xlQ6ndmFD-DJDrd4Egr34pDKSarFZpog1yetZVWjCFeumncLgRaDk5IQxKi51P5Xi71TjldxhBk5kgKblaycBr96iPtN4cTamU3xuP17BzSDF1vya4f1pJmwzMJA8pE4titP_88BFfglGzu_Y80nQB07rlLSOcfBCmBf3Af41JuwAFYe7kRs9dkztgsazrYhXbJs_F7nMiHb9FgsxcFYDxLtGgJOmt6Prt7IZTG5ohKD25TimX12Pqx4vrdjt982vFDk5c_20I_Uvh4jcqhXHyf7pTBwsmlcJQWUuE8GEw.jpg" loading="lazy" /> <div>Postmortem: <mark>TanStack</mark> npm supply-chain compromise | <mark>TanStack</mark> Blog</div> <div>On 2026-05-11, an attacker chained a pull_request_target Pwn Request, GitHub Actions cache poisoning across the fork<i><b>↔</b></i>base trust boundary, and OIDC token extraction from runner memory to publish 84 malicious versions across 42 @<mark>tanstack</mark>/* packages on npm.…</div> </a>