Practical mitigation[1] steps[2] against the TanStack compromise and other supply-chain attacks on npm
[1] reduces vulnerable surface
[2] apply to your pnpm config too
* see more security best practices on the repo
TL;DR for open-source maintainers
🚫 NEVER use "pull_request_target" workflows
🚫 NEVER use shared caches in your publish pipeline
Combining these 2 in particular is extremely dangerous
I've repeated this countless times over the years, but another reminder is always useful
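Added here as a worked example, not code from the author of these posts: a first-pass audit in JavaScript that takes a set of GitHub Actions workflow files, checks each against the two rules above, and raises the verdict when they combine across files (a pull_request_target job that writes the cache, and a publish job that restores it). It matches on raw workflow text with regular expressions rather than parsing YAML, so a clean result means "nothing obvious", not "safe". The workflow names and contents are constructed for the example, and the verdict labels are the example's own.

```javascript
// Added example (not from the original posts): a regex-based first pass over
// GitHub Actions workflow text, flagging the two rules in the TL;DR and the
// cross-workflow combination of both. No YAML parser is used.

// Return the top-level `on:` block (the line itself plus every indented line
// after it) so trigger names are only matched there, not in step names or runs.
function triggerBlock(text) {
  const lines = text.split(/\r?\n/);
  const start = lines.findIndex((l) => /^(?:on|"on"|'on')\s*:/.test(l));
  if (start === -1) return "";
  const block = [lines[start]];
  for (let i = start + 1; i < lines.length; i++) {
    const l = lines[i];
    if (l.trim() !== "" && !/^\s/.test(l)) break; // next top-level key
    block.push(l);
  }
  return block.join("\n");
}

// Facts about a single workflow file.
function inspectWorkflow(name, text) {
  return {
    name,
    // Trigger that runs fork PRs with a write token and repository secrets.
    pullRequestTarget: /\bpull_request_target\b/.test(triggerBlock(text)),
    // Either the cache action itself or setup-node's `cache:` input; both
    // save to and restore from the repository-wide cache.
    sharedCache:
      /^\s*-?\s*uses:\s*actions\/cache(?:\/(?:save|restore))?@/m.test(text) ||
      /^\s*cache:\s*['"]?(?:npm|yarn|pnpm)\b/m.test(text),
    publishes: /\b(?:npm|pnpm|yarn)\s+publish\b/.test(text),
  };
}

// Repo-level verdict. A cache saved by a pull_request_target job is written
// under the base branch's cache scope, so any job that restores a cache
// before publishing can pick up contents a fork PR controlled.
function auditWorkflows(workflows) {
  const files = workflows.map((w) => inspectWorkflow(w.name, w.text));
  const writersFromForks = files.filter((f) => f.pullRequestTarget && f.sharedCache).map((f) => f.name);
  const publishWithCache = files.filter((f) => f.publishes && f.sharedCache).map((f) => f.name);
  let verdict = "ok";
  if (writersFromForks.length && publishWithCache.length) verdict = "critical";
  else if (files.some((f) => f.pullRequestTarget)) verdict = "high";
  else if (publishWithCache.length) verdict = "medium";
  return { verdict, writersFromForks, publishWithCache, files };
}

// Constructed sample workflows (not taken from any real repository).
const SAMPLE_WORKFLOWS = [
  { name: "pr-label.yml", text: `name: label
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
` },
  { name: "release.yml", text: `name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci
      - run: npm publish --provenance
` },
  { name: "ci.yml", text: `name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
` },
];

const report = auditWorkflows(SAMPLE_WORKFLOWS);
console.log(report.verdict, report.writersFromForks, report.publishWithCache);
```

In a real repository you would read every file under .github/workflows into the same `{ name, text }` shape and fail CI on anything but "ok"; the fix for the constructed sample is to switch pr-label.yml to `pull_request` and drop the `cache:` input from the publish job.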
SECURITY ADVISORY — TanStack npm packages
A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package.
Status: ACTIVE — packages are deprecated, npm security engaged, publish path being shut down.
Severity: HIGH — payload exfiltrates AWS, GCP, Kubernetes, and Vault credentials, GitHub tokens, .npmrc contents, and SSH keys.
If you installed any @tanstack/* package between 19:20 and 19:30 UTC today, treat the host as potentially compromised:
• Rotate cloud, GitHub, and SSH credentials immediately
• Audit cloud audit logs for the last several hours
• Pin to a prior known-good version and reinstall from a clean lockfile
Detection — the malicious manifest contains:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Any version with this entry is compromised. The payload is delivered via a git-resolved optionalDependency whose prepare script runs router_init.js (~2.3 MB, smuggled into each tarball at the package root).
Unpublish is blocked by npm policy for most affected packages due to existing third-party dependents. All 84 versions are being deprecated with a SECURITY warning, and npm security has been engaged to pull tarballs at the registry level.
Full technical breakdown, complete package and version list, and rolling status updates:
https://t.co/Zy8qG7PA9f
Credit to the security researcher for responsible disclosure.
🤨 People keep asking how to protect yourself.
#1: set min-release-age=7 in .npmrc
#2: install Socket for GitHub (it's free!) to protect PRs from bad dependencies: https://t.co/D9bsRJj65R
#3: install Socket Firewall (also free!) to protect your laptop: https://t.co/u1NRD57PQ8
Thanks to good people at @AnthropicAI we now have an official MCP for Excalidraw!
Take it for a spin on @claudeai (search for Excalidraw in Connectors, or use in Claude Code and elsewhere).
More to come. ✌
My big frustration with skills is they're not consistently invoked. In this post, Vercel saw the same issue.
Their solution? Put a compressed index of docs in AGENTS.md instead.
The improvement in results might be worth it for more general knowledge.
https://t.co/ZdiS2i5I8Z
🔥 I've been debugging @nodejs performance for over a decade. The hardest part? Making sense of thousands of stack frames in a flamegraph.
What if your AI assistant could do that for you?
Today, we're releasing a new feature in @platformatic/flame. 🧵
https://t.co/A0TmnEzUVa is an open ecosystem for finding and sharing agent skills.
Add a skill to any agent with:
▲ ~/ npx skills add <owner/repo>
Bun is fast, until latency matters for Next.js.
We benchmarked the same Next.js app across Node.js, Deno, Bun, and Watt (our multi-threaded Node-based runtime) under identical load on AWS EKS.
Throughput looked fine across the board. Latency told a very different story. 🧵
Today, @nodejs published a security release for Node.js that fixes a critical bug affecting virtually every production Node.js app.
If you use React Server Components, Next.js, or ANY APM tool (Datadog, New Relic, OpenTelemetry), your app could be vulnerable to DoS attacks.
👇
@itsolelehmann @wtmeersii ... with my family and two young kids. Great schools, many squares, Catalan people and young families. Life here is very good.
@itsolelehmann @wtmeersii Barcelona is a great city. Like any big city, it has some less recommendable areas, and at certain moments or in some high-immigration neighborhoods you may feel a bit uncomfortable. But honestly, much less than in Paris or London. I’ve lived in Bcn for 13 years, in Gràcia...
Big step for open agentic AI.
OpenAI is co-founding the Agentic AI Foundation under the Linux Foundation, alongside Anthropic and Block, and donating https://t.co/uop4XiFxan to this new umbrella.
https://t.co/bV5XVEoJYh