SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
  "@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
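A detection script for the indicator in the advisory above, added here as an example; it is not part of the advisory and not TanStack's own tooling. It checks a parsed package.json (and the per-package entries of a package-lock.json v2/v3) for the @tanstack/setup optionalDependency resolved from github:tanstack/router, and for router_init.js at the package root. The commit hash is elided in the advisory, so the match is on the package name and the git-resolved prefix rather than a full hash. The sample manifest and lockfile embedded below are constructed with a placeholder commit, and the node_modules walker only covers the hoisted top-level @tanstack scope (pnpm's .pnpm store layout would need a different walk).

```javascript
// Added example, not part of the advisory: scan manifests for the published indicator.
// Indicator from the advisory (commit hash elided there, so we match on the prefix):
//   "optionalDependencies": { "@tanstack/setup": "github:tanstack/router#..." }
const INDICATOR_NAME = '@tanstack/setup';
const INDICATOR_SPEC_PREFIX = 'github:tanstack/router#';
const SMUGGLED_FILE = 'router_init.js'; // named in the advisory; sits at the package root

// Check one parsed package.json (or one lockfile "packages" entry). `rootFiles` is the
// list of file names at the package root, if known. Returns an array of findings.
function checkManifest(manifest, rootFiles = []) {
  const findings = [];
  const opt = manifest && manifest.optionalDependencies;
  if (opt && typeof opt === 'object' && Object.prototype.hasOwnProperty.call(opt, INDICATOR_NAME)) {
    const spec = String(opt[INDICATOR_NAME]);
    const confidence = spec.startsWith(INDICATOR_SPEC_PREFIX) ? 'matches advisory' : 'unexpected spec';
    findings.push(`optionalDependencies["${INDICATOR_NAME}"] = ${spec} (${confidence})`);
  }
  if (rootFiles.includes(SMUGGLED_FILE)) {
    findings.push(`${SMUGGLED_FILE} present at package root`);
  }
  return findings;
}

// package-lock.json v2/v3 records each installed package under "packages", including its
// optionalDependencies, so a checkout can be checked before any install script runs.
function checkLockfile(lock) {
  const hits = [];
  for (const [location, entry] of Object.entries((lock && lock.packages) || {})) {
    const findings = checkManifest(entry);
    if (location.endsWith('node_modules/' + INDICATOR_NAME)) {
      findings.push(`lockfile resolves ${INDICATOR_NAME} at ${location}`);
    }
    if (findings.length) hits.push({ location, version: entry.version, findings });
  }
  return hits;
}

// Walk the hoisted node_modules/@tanstack scope of an installed project.
// Dynamic import keeps this runnable from both CommonJS and ESM entry points.
async function scanNodeModules(nodeModulesDir) {
  const fs = await import('node:fs/promises');
  const path = await import('node:path');
  const scopeDir = path.join(nodeModulesDir, '@tanstack');
  const hits = [];
  let names;
  try { names = await fs.readdir(scopeDir); } catch { return hits; } // scope not installed
  for (const name of names) {
    const pkgDir = path.join(scopeDir, name);
    let manifest;
    try { manifest = JSON.parse(await fs.readFile(path.join(pkgDir, 'package.json'), 'utf8')); }
    catch { continue; } // not a package directory
    const findings = checkManifest(manifest, await fs.readdir(pkgDir));
    if (findings.length) hits.push({ location: pkgDir, version: manifest.version, findings });
  }
  return hits;
}

// Constructed samples (not real package data); the commit is a placeholder, not the advisory's.
const SAMPLE_CLEAN = { name: '@tanstack/sample', version: '0.0.0-clean' };
const SAMPLE_BAD = {
  name: '@tanstack/sample', version: '0.0.0-bad',
  optionalDependencies: { '@tanstack/setup': 'github:tanstack/router#PLACEHOLDER_COMMIT' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', dependencies: { '@tanstack/sample': '0.0.0-bad' } },
    'node_modules/@tanstack/sample': SAMPLE_BAD,
  },
};

// Usage: node scan.js ./node_modules  (exit code 1 when an indicator is found)
if (typeof process !== 'undefined' && process.argv[2]) {
  scanNodeModules(process.argv[2]).then((hits) => {
    console.log(hits.length ? JSON.stringify(hits, null, 2) : 'no indicator found');
    process.exitCode = hits.length ? 1 : 0;
  });
}
```

Running the lockfile check in CI on the committed package-lock.json catches the indicator before `npm ci` ever resolves the git dependency and triggers its prepare script; the node_modules walk is for hosts that already installed during the affected window.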
Are you using tsx to import source files across workspace packages?
You may be making expensive trade-offs without realizing it
Here's a breakdown of the risks and better alternatives:
👉 https://t.co/EiggVCLeuJ
It just occurred to me that I am, regularly, reading the most rust-themed children's book ever to my 1.5y-o son:
"don't `panic!` little crab"
He got an early kick start into rust 😎
#rust
After 2 weeks using only @zeddotdev (switching from vscode), I can say that I really like it.
It feels so snappy and responsive!!
I can only recommend giving it a try ✨
I just wrote a massive guide to creating and publishing a package on npm.
It goes from an empty directory to a production-ready setup.
It's over 4,000 words, and has a 14-minute walkthrough video.
Want the juicy bits? Time for a thread 👇 🧵
📚 I like xstate/store so much that I will probably use it over zustand the next chance I get. I wrote about the reasons in this blog post: https://t.co/oWAU38VU6Z
@passle_ Folks you probably want to actually get the update from my personal blog which INCLUDES UPDATES: https://t.co/VS6zLZkMUO
Sadly, the hashnode syndication is unhelpful because it doesn't pick up on edits I push on my own blog
TypeScript 5.6 beta brings a sweet new feature - the ability to spot faulty logic in your if statements.
SO many subtle bugs will be prevented by this. Really nice stuff.
📜 DRY – the common source of bad abstractions - @Swizec
Greatly illustrates how React devs could end up creating the wrong abstraction
Popular React UI libraries have learned over the years not to over-abstract, giving you more flexibility
https://t.co/0UmGfXz6UJ
Okay, listen. If you're going to fetch in useEffect(...), you should at least make sure that you're handling:
- Loading states
- Error handling (rejections & HTTP error codes)
- Race conditions & cancellation
This isn't over-engineering. It's the minimum code to prevent bugs.
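As an added, framework-free example of the three items in the post above (not the poster's code), createLoader below returns a load function that reports loading and error states, treats non-2xx responses as errors rather than relying on rejections alone, aborts the previous in-flight request with an AbortController, and ignores any late result from a superseded request. In a React component, load() is what the effect would call and cancel() is what its cleanup would call. fakeFetch and the /users/* URLs are constructed stand-ins for fetch and a real API so the block runs offline.

```javascript
// Added example (not the poster's code): the three concerns from the post, without React.
// createLoader returns { load, cancel, getState }; in a component you would call load()
// inside useEffect and cancel() from its cleanup.
function createLoader(fetchImpl, onChange) {
  let state = { status: 'idle', data: null, error: null };
  let requestId = 0;      // incremented per load(); a result only counts if it is the latest
  let controller = null;  // AbortController of the in-flight request, if any
  const emit = (patch) => { state = { ...state, ...patch }; if (onChange) onChange(state); };

  async function load(url) {
    if (controller) controller.abort();     // cancellation: drop the previous request
    controller = new AbortController();
    const myId = ++requestId;
    emit({ status: 'loading', error: null });
    try {
      const res = await fetchImpl(url, { signal: controller.signal });
      if (myId !== requestId) return state;  // race: a newer load() superseded this one
      if (!res.ok) throw new Error(`HTTP ${res.status}`); // HTTP error codes do not reject fetch
      const data = await res.json();
      if (myId !== requestId) return state;
      emit({ status: 'success', data });
    } catch (err) {
      if (err && err.name === 'AbortError') return state; // cancelled on purpose, not an error state
      if (myId !== requestId) return state;
      emit({ status: 'error', error: err });
    }
    return state;
  }

  function cancel() { requestId++; if (controller) controller.abort(); }
  return { load, cancel, getState: () => state };
}

// Constructed stand-in for fetch: resolves after delayMs, rejects with AbortError when aborted.
function fakeFetch(routes) {
  return (url, { signal } = {}) => new Promise((resolve, reject) => {
    const route = routes[url];
    const timer = setTimeout(
      () => resolve({ ok: route.status < 400, status: route.status, json: async () => route.body }),
      route.delayMs,
    );
    if (signal) signal.addEventListener('abort', () => {
      clearTimeout(timer);
      const e = new Error('aborted'); e.name = 'AbortError'; reject(e);
    });
  });
}

// A slow request issued first must not overwrite the fast one issued second,
// and a 404 must surface as an error state. Returns what happened for inspection.
async function demoRace() {
  const fetchImpl = fakeFetch({
    '/users/1': { status: 200, delayMs: 40, body: { id: 1 } },
    '/users/2': { status: 200, delayMs: 5, body: { id: 2 } },
    '/users/9': { status: 404, delayMs: 5, body: { message: 'not found' } },
  });
  const transitions = [];
  const loader = createLoader(fetchImpl, (s) => transitions.push(s.status));
  loader.load('/users/1');                      // superseded (and aborted) by the next call
  const afterRace = await loader.load('/users/2');
  await new Promise((r) => setTimeout(r, 60)); // give the slow request time to (not) arrive
  const afterError = await loader.load('/users/9');
  return { afterRace, afterError, transitions, settled: loader.getState() };
}

demoRace().then((r) => console.log(r.transitions.join(' -> '), '| data:', r.afterRace.data));
```

The request counter is what protects against the race even when the transport cannot be aborted (an old XHR wrapper, a WebSocket reply); the AbortController only stops wasted work. Keeping both is why the post calls this the minimum rather than over-engineering.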
✍️ New Guide: CSS Grid Areas
I wrote a new ✨ interactive ✨ guide that explores CSS grid areas, line numbers, line names, and includes many interactive examples to experiment with. Happy learning!
🔗 https://t.co/RC0gYk8Sxk
@juuduu @hsablonniere @sardemff7 Ahaha, I knew you were behind all this 😛
Have you been on bépo all this time?
I admit, ergo-L really motivates me; I think I'm going to give it a try 😎