Daniele Cambi

🚨 How the TanStack npm attack actually happened: 1. Attacker opened a normal-looking pull request (#7378) on the TanStack repo. 2. GitHub automatically ran CI tests on that PR. 3. Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run. 4. The attacker used that token to plant poisoned files in the shared build cache. The PR could be closed afterwards. The poisoned cache stays. 5. The official release workflow later pulled from the cache, baked the malicious files into the build, and signed and published 84 malicious package versions to npm.

🛡️ React Native Security Rule #6 : AsyncStorage is NOT secure storage. If you save tokens, passwords, or credentials there, you’re storing them in plaintext. On rooted/jailbroken devices, attackers can dump it in seconds. AsyncStorage is fully readable. Treat it as public, not private. Never store: • auth tokens • passwords • API secrets Use instead: • expo-secure-store • react-native-keychain • native Keychain / Keystore