Hey fellow HIVE builders, vibecoders, and JS/TS developers!
If you maintain any frontend, full-stack, or CLI projects that depend on TanStack packages (Router, Query, Table, etc.), stop and read this right now.
What Happened
On May 11, 2026 between 19:20–19:30 UTC, an attacker published 84 malicious versions across 42 TanStack packages.
The malicious versions were live for only a few hours before being deprecated. Anyone (or any CI job) that ran npm install, pnpm install, yarn install, or resolved @latest in that window is potentially compromised.
Severity: HIGH
The payload exfiltrates:
- AWS, GCP, Kubernetes & Vault credentials
- GitHub tokens
- ~/.npmrc contents (registry tokens)
- SSH keys
It also installs persistence and tries to spread further.
How to Detect If You're Affected
Search your node_modules for this suspicious entry in any package.json:
"optionalDependencies": {
"@tanstack/setup": "github:tanstack/router#79ac49ee..."
}
Or look for a large router_init.js (~2.3 MB) file. If found → treat the machine as compromised.
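Here is a scan script for the two indicators above. This is an added example, not the TanStack project's code or a script from the issue: it greps every package.json under a directory for the injected "@tanstack/setup" optional dependency pointing at github:tanstack/router, and flags any router_init.js over 1 MB (the post reports ~2.3 MB). The function name, the 1 MB threshold and the output format are my choices.

```shell
#!/usr/bin/env bash
# Added example (not the project's own script). Scans a directory tree for the
# two indicators quoted in the post. Threshold and names are assumptions.
set -u

# Prints each matching file. Returns 1 if any indicator is found, 0 if clean,
# so it can be used directly in CI: scan_node_modules ./node_modules || exit 1
scan_node_modules() {
  local root="${1:-.}"
  local found=0

  # 1. package.json files declaring the injected optional dependency.
  #    The spec is a "github:tanstack/router#<sha>" URL, not a registry version.
  while IFS= read -r -d '' pkg; do
    if grep -q '"@tanstack/setup"[[:space:]]*:[[:space:]]*"github:tanstack/router' "$pkg"; then
      printf 'INDICATOR optionalDependency: %s\n' "$pkg"
      found=1
    fi
  done < <(find "$root" -type f -name package.json -print0 2>/dev/null)

  # 2. Any router_init.js larger than 1 MB (the reported payload is ~2.3 MB).
  while IFS= read -r -d '' js; do
    printf 'INDICATOR large router_init.js: %s\n' "$js"
    found=1
  done < <(find "$root" -type f -name router_init.js -size +1M -print0 2>/dev/null)

  return "$found"
}

# Usage: scan_node_modules ./node_modules   (exit 1 = treat the host as compromised)
```

Run it against every checkout and every CI runner cache that installed dependencies in the window, not just your laptop; a non-zero exit means rotate credentials first and ask questions later.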
Immediate Actions
- Rotate all credentials immediately (cloud keys, GitHub tokens, SSH keys, npm tokens)
- Audit your cloud provider logs for the last 24 hours
- Pin to a known-good version and reinstall from a clean lockfile
- Full details + complete list: https://github.com/TanStack/router/issues/7383
Best Protection Going Forward
- Switch to pnpm (strongest supply-chain defaults: dependency lifecycle scripts are not run unless allowlisted, and it supports a minimum release age)
- Set a minimum release age. This alone would have blocked the attack: the malicious versions were deprecated within hours, so a resolver that refuses anything published less than 7 days ago would never have selected them.
Add to your project .npmrc (and ideally ~/.npmrc globally):
# pnpm
minimum-release-age=10080 # 7 days (1440 = 24h)
# npm (requires a recent npm release that supports this option)
min-release-age=7d
Recommended hardened .npmrc:
ignore-scripts=true
minimum-release-age=10080
strict-peer-dependencies=true
Caveat: ignore-scripts=true also skips lifecycle scripts that some packages legitimately need (native addons, for example), so rebuild those explicitly rather than turning the setting off globally.
Why This Matters on HIVE
We build fast and often use latest packages. One bad install in CI/CD can leak keys.
Let's raise the bar:
- Always use lockfiles
- Pin your deps
- Enable minimum-release-age by default
- Review GitHub Actions carefully
Stay safe and keep shipping! Drop a comment if you want a ready-to-use .npmrc template or scan script.