What Happened?
“On 2026-05-11 between 19:20 and 19:26 UTC, an attacker published 84 malicious versions across 42 @tanstack/* npm packages.”
What Was the Impact?
“When a developer or CI environment runs npm install, pnpm install, or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3 MB obfuscated router_init.js smuggled into the affected tarball.”
These are among the most popular Node.js packages available, and this is only the latest supply-chain compromise.
In the age of agentic coding, developers are not the only people affected. Anyone using Codex or Claude Code to build custom MCP servers, skills, agents, or small tools is also vulnerable to these attacks.
The Setup
You prompt Codex or Claude Code to build an agent, MCP server, or skill that includes executable code.
What Can Go Wrong?
Coding agents often run inside highly permissive environments on your personal or work machine.
As part of the coding process, an agent may run commands such as npm install and npm start.
As a result, any direct or transitive dependency exposes you to the same supply-chain risk.
Supply-chain risk is not limited to dependency installation. You are vulnerable throughout the code lifecycle:
- development
- building
- running something you built
- running something you downloaded
(Are you thinking of sharing something you built with a colleague or friend?)
At this point, it is only a matter of time before more people are affected.
Unlike software downloaded from an app store, code you write and run typically has no system of fine-grained controls over:
- files
- network
- environment
- secrets, such as OpenAI or Anthropic API keys
There is no default policy that can “just work” for every application. Some need more permissions than others.
The closest practical mitigation today is to use Docker or a VM.
Even then, these approaches have limitations:
- You cannot always use your normal IDE workflow because doing so may require installing dependencies on the host.
- Docker and VMs are general-purpose tools, so you need to know how to configure them correctly.
- The resulting MCP server or skill still needs to run inside this environment. Runtime is also a risk, remember?
- You need to understand how to connect MCP servers and skills to the programs that consume them.
