Back to posts
post

The TanStack npm Supply-Chain Compromise (and Agentic Coding)

Why npm supply-chain compromises are also a growing risk for people building agents, MCP servers, skills, and small tools.

Editorial illustration of a compromised software package propagating through a dependency chain to a coding agent

What Happened?

“On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages.”

What Was the Impact?

“When a developer or CI environment runs npm install, pnpm install, or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3 MB obfuscated router_init.js smuggled into the affected tarball.”

These are among the most popular Node.js packages available, and this is only the latest supply-chain compromise.

In the age of agentic coding, developers are not the only people affected. Anyone using Codex or Claude Code to build custom MCP servers, skills, agents, or small tools is also vulnerable to these attacks.

The Setup

You prompt Codex or Claude Code to build an agent, MCP server, or skill that includes executable code.

What Can Go Wrong?

Coding agents often run inside highly permissive environments on your personal or work machine.

As part of the coding process, an agent may run commands such as npm install and npm start. As a result, any direct or transitive dependency exposes you to the same supply-chain risk.

Supply-chain risk is not limited to dependency installation. You are vulnerable throughout the code lifecycle:

(Are you thinking of sharing something you built with a colleague or friend?)

At this point, it is only a matter of time before more people are affected.

Unlike software downloaded from an app store, code you write and run typically has no system of fine-grained controls over:

There is no default policy that can “just work” for every application. Some need more permissions than others.

The closest practical mitigation today is to use Docker or a VM.

Even then, these approaches have limitations: