TanStack weighs invitation-only pull requests after supply chain attack
TanStack is considering making pull requests invitation-only following a supply chain attack that exploited a GitHub Actions misconfiguration. The attack used malicious code to poison a shared CI cache, prompting the team to reevaluate its open-contribution model. While the team acknowledges the potential impact on contributions, it emphasizes the need for stronger security measures.
- The TanStack team documented security measures after a breach involving the Shai-Hulud worm.
- The attack was triggered by a pull request that used a risky GitHub feature, leading to cache poisoning.
- TanStack has since removed the vulnerable feature from its CI pipeline and implemented stricter dependency management.
Opening excerpt (first ~120 words)
Shai-Hulud worm exploited GitHub Actions misconfiguration to poison shared cache, now project weighing nuclear option on unsolicited contributions
Tim Anderson. Published Mon 18 May 2026 // 15:15 UTC
The TanStack team has documented security measures and proposals following a damaging breach last week, including the possibility of making pull requests (PRs) by invitation only - a break from the…
Excerpt limited to ~120 words for fair-use compliance. The full article is at The Register.