TanStack npm package compromised in supply-chain attack
Popular JavaScript library affected by security breach targeting developer infrastructure.
Pierre Dubois
A widely used npm package from TanStack was compromised in a supply-chain security incident, according to a postmortem shared on GitHub.
The TanStack router package, relied upon by numerous developers and organizations, was affected by unauthorized access. Supply-chain compromises of this type pose risks to downstream users, as malicious code can propagate across development pipelines.
The incident highlights ongoing vulnerabilities in open-source software ecosystems. EU and U.S. regulators have increasingly focused on software supply-chain security following similar high-profile breaches.