2 posts tagged with "supply-chain"

npm 11 Adds min-release-age — A Built-In Quarantine for New Packages

· 2 min read
Gergely Sipos
Frontend Architect

npm CLI 11, released in February 2026, ships a new config option called min-release-age. It refuses to resolve any package version published less than a configured number of days ago. The idea is simple: give the community time to detect compromised releases before they land in your node_modules. Previously this was only available via pnpm's minimumReleaseAge — now npm has it natively.

TanStack Got Compromised — What It Means for Your npm Dependencies 🔒

· 7 min read
Gergely Sipos
Frontend Architect

TanStack packages — @tanstack/query, @tanstack/router, @tanstack/table — collectively pull tens of millions of weekly downloads. They sit deep in dependency trees across a huge number of production apps. In early 2026, an attacker obtained an npm publish token from TanStack's CI pipeline and used it to push malicious versions of several packages. Obfuscated postinstall hooks phoned home to attacker infrastructure. The window was short — hours — but hours is a lot of npm install runs.

This isn't a new pattern. The same playbook worked against lottie-player in 2025 and ua-parser-js in 2021. What changes each time is the name on the package and the number of people scrambling. This post walks through what happened, why the pattern keeps repeating, and what you can do about it today.