Adrian Carolli

After a very thorough 3 day full security sweep and hardening process, we'd like to issue an official all clear ✅ on TanStack repo and package security. Full details have been updated in our post-mortem and security followup blog (linked below). TL;DR: - Only the Router/Start repo was affected. 42 monorepo packages, 2 versions per package. These were promptly deprecated within the hour and removed by NPM shortly after - All other repos and packages were unaffected and remain secure including: Query, DB, Store, AI, Table, Form, HotKeys, Virtual, Pacer, Config, Devtools, CLI, Intent, etc. - All available and published versions of every TanStack package are safe to download, including TanStack Router/Start. https://t.co/KQSXhUM4XM https://t.co/mtN9hF5Ioy

🚨 How the TanStack npm attack actually happened: 1. Attacker opened a normal-looking pull request (#7378) on the TanStack repo. 2. GitHub automatically ran CI tests on that PR. 3. Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run. 4. The attacker used that token to plant poisoned files in the shared build cache. The PR could be closed afterwards. The poisoned cache stays. 5. The official release workflow later pulled from the cache, baked the malicious files into the build, and signed and published 84 malicious package versions to npm.

nobody at your company knows what your app actually looks like. designers ship figma. engineers ship code. PM ships a roadmap. none of them match. we built atlas to fix this. point it at any iOS app, get back a complete map of every screen and every path through it. this is doordash.

ANTHROPIC JUST RELEASED THE OFFICIAL PLAYBOOK FOR BUILDING A COMPANY WITH CLAUDE CODE. 30 minutes. free. from the engineers who built it. Bookmark this before you forget. CEO: 1 human. Employees: AI agents. Operations: fully automatic. The zero-headcount company is no longer a joke.

Say goodbye to Dropbox, iCloud, and OneDrive subscriptions. Someone open-sourced a sync tool that replaces all three for $0. And no company can shut it down. It's called Syncthing. Here's how it works: Every cloud storage company on earth routes your files through their own servers. That's not a technical requirement. That's a business model. Syncthing skips the server entirely. → Your devices connect directly to each other → Every transfer is TLS encrypted with perfect forward secrecy → Every device is authenticated by a cryptographic certificate → Nothing moves without your explicit permission → Works on Windows, macOS, Linux, Android, FreeBSD No account. No subscription. No company holding a copy of your files. Dropbox can raise prices. iCloud can change its terms. Google Drive can shut down tomorrow. Syncthing runs on your own machines. There's no server to breach. No company to pressure. No subscription to cancel. One install. Your devices. Your files. Your rules. 100% Opensource. https://t.co/zXSEvtiX0a