DEV Community: Vinicius de Santana The latest articles on DEV Community by Vinicius de Santana (@viniciusvts). https://dev.to/viniciusvts https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3938874%2F7462ae4f-7abd-42a8-bce7-4052cab55a66.jpeg DEV Community: Vinicius de Santana https://dev.to/viniciusvts en How I responded to a Supply Chain attack before it hit my project Vinicius de Santana Mon, 18 May 2026 20:15:47 +0000 https://dev.to/viniciusvts/how-i-responded-to-a-supply-chain-attack-before-it-hit-my-project-5d05 https://dev.to/viniciusvts/how-i-responded-to-a-supply-chain-attack-before-it-hit-my-project-5d05 <p>If you work within the modern JavaScript/TypeScript ecosystem, there is a very high chance you are using a TanStack library. Whether it's the omnipresent TanStack Query (formerly React Query), Table, or the newer React Router, they are pretty much everywhere.</p> <h2> The attack </h2> <p>And May 11, 2026, definitely gave a lot of developers a stomachache.</p> <p>For those who missed it, the TanStack ecosystem suffered a critical supply chain compromise (<strong>CVE-2026-45321</strong>). A threat actor managed to compromise TanStack's CI/CD pipelines through a "Pwn Request" (cache poisoning via <code>pull_request_target</code> in GitHub Actions), successfully publishing 84 malicious versions across 42 discrete packages. While the main blast radius targeted <code>@tanstack/react-router</code>, the entire stack flashed red.</p> <p>The worst part about this type of attack? The malicious code executes immediately the moment you or your build server runs an innocent <code>npm install</code>.</p> <h2> "Crisis Mode" Activated: What I did first </h2> <p>When a CVE like this lands on your lap, there's no point in panicking; you need data. My priority was isolating the blast radius using three basic steps:</p> <h3> Timeline Cross-Referencing vs. CI/CD Logs </h3> <p>The very first thing I did was open the official TanStack post-mortem to grasp the exact exposure window (the timeline from when the malicious packages became available on npm to when they were officially pulled).</p> <p>With those timestamps in hand, I went to our CI/CD server logs. I needed to answer one crucial question: <strong>"Did we run any automated build or deploy pipelines during this specific timeframe?"</strong>.</p> <p>Fortunately, the result was negative. Our servers hadn't touched npm while the attack was live. First line of defense: OK.</p> <h3> Local Dependency Auditing </h3> <p>Even with the server secure, the danger often lurks right next door: developer machines. Since we use packages like <code>@tanstack/vue-query</code> and <code>@tanstack/query-core</code>, there was a realistic risk that someone on the team could have run <code>npm install</code> locally and pulled a compromised version.</p> <p>I immediately alerted the team to pause all local installations and initiated a dependency scan to ensure no one was stuck on an attacker-built version.</p> <h3> Leaving a Paper Trail (Governance) </h3> <p>Once the immediate risk was mitigated, I spent some time putting together a technical incident report. It might look like bureaucracy on the surface, but documenting the event chronology, what systems were validated, and logging a final status of "Not Compromised" is what separates a team that "got lucky" from a team with mature governance workflows.</p> <h2> How to make sure your environment is clean </h2> <p>If you think you might have been exposed over the past week, the path forward recommended by the TanStack team involves:</p> <ul> <li> <strong>Force the update:</strong> Move immediately to the patched versions they released right after the incident.</li> <li> <strong>Nuke local cache:</strong> Changing your <code>package.json</code> isn't enough. Delete your <code>node_modules</code> folder, delete your <code>package-lock.json</code> (or equivalent), and completely wipe your package manager cache (<code>npm cache clean --force</code>).</li> <li> <strong>Host Inspection:</strong> The malicious script attempts to spread or harvest environment data. It's well worth checking out the <code>Detection</code> section in their official post-mortem to hunt down any anomalous processes or mutations within your <code>.npm</code> directory.</li> </ul> <p>Full post-mortem can be read at: <a rel="noopener noreferrer" href="https://tanstack.com/blog/npm-supply-chain-compromise-postmortem#timeline">Postmortem: TanStack npm supply-chain compromise</a></p> <h2> Lessons for the future (An Architecture Perspective) </h2> <p>Incidents like this remind us that our software architecture is only as strong as the weakest link in our dependency supply chain.</p> <p>Monitoring CVEs manually simply doesn’t scale. As a takeaway from this scare, our next step here is refining our CI/CD pipelines to bake in <strong>SCA (Software Composition Analysis)</strong> tools more aggressively, automatically breaking the build if a <code>package-lock.json</code> tries to sneak through with a compromised dependency.</p> <p>What about you? How did you find out about this attack, and did you manage to run diagnostics on your project in time?</p> suplychainatack webdev npm