3 posts tagged with "supply-chain"

npm v12 (estimated July 2026) flips three security defaults that have been the most exploited code-execution paths in supply chain attacks. Install scripts, Git dependencies, and remote URL dependencies will all be blocked unless explicitly allowed. These aren't new features — they've been available as opt-in since npm 11.10.0+ — but v12 makes the secure path the default.

If you're running npm 11.16.0+, you're already seeing warnings for these. In v12, warnings become hard blocks. Now is the time to prepare.

npm CLI 11, released in February 2026, ships a new config option called min-release-age. It refuses to resolve any package version published less than a configured number of days ago. The idea is simple: give the community time to detect compromised releases before they land in your node_modules. Previously this was only available via pnpm's minimumReleaseAge — now npm has it natively.

TanStack packages — @tanstack/query, @tanstack/router, @tanstack/table — collectively pull tens of millions of weekly downloads. They sit deep in dependency trees across a huge number of production apps. In early 2026, an attacker obtained an npm publish token from TanStack's CI pipeline and used it to push malicious versions of several packages. Obfuscated postinstall hooks phoned home to attacker infrastructure. The window was short — hours — but hours is a lot of npm install runs.

This isn't a new pattern. The same playbook worked against lottie-player in 2025 and ua-parser-js in 2021. What changes each time is the name on the package and the number of people scrambling. This post walks through what happened, why the pattern keeps repeating, and what you can do about it today.