r/npm

Mini Shai-Hulud has yet again reportedly compromised 160+ packages, including parts of the TanStack and Mistral ecosystems. The interesting part is the attack path: instead of simple typosquatting, it abused GitHub Actions cache poisoning and trusted publishing/OIDC workflows, making the malicious packages appear legitimately built and published.

Summary:

A recent npm supply-chain incident affected multiple u/tanstack/* packages. Malicious versions were published to npm, and the payload reportedly executed during install.

The main risk is not only runtime usage. If a developer machine or CI runner installed an affected version, secrets available to the install process may have been exposed.

Reported targets included:

- cloud credentials

- GitHub tokens

- npm tokens

- SSH keys

- CI/deployment secrets

Practical things to check:

- lockfile versions for u/tanstack/*

- npm/pnpm/yarn install logs

- package manager cache

- CI runs during the affected publish window

- GitHub/npm/cloud audit logs

- whether lifecycle scripts were enabled during install

For affected environments, the safer assumption is that exposed credentials should be rotated and dependencies should be reinstalled from a clean lockfile after moving to patched versions.

Primary advisory:

https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx

Public tracking issue:

https://github.com/TanStack/router/issues/7383

I also maintain NPMScan and put the affected versions, IOCs, and mitigation notes into one page here:

https://npmscan.com/vulnerability/GHSA-g7cv-rxg3-hmpx

Recent npm vulnerability feed:

https://npmscan.com/latest-vulnerabilities

The bigger question: should Node.js CI pipelines disable install scripts by default, or is that still too impractical for real projects?

Every time I built a skeleton loader, it was the same pain: copy the card, replace content with grey boxes, tweak padding after every design change, watch all the shimmer animations run out of sync like a broken disco floor.

So I built shimmer-trace, a React library that wraps your real component and automatically traces the shape of every element to generate a perfectly matched skeleton. One wrapper, zero hand-drawn boxes.

    <Shimmer loading={isLoading}>
      <UserCard user={user} />
    </Shimmer>

That's literally it. No <SkeletonCard />. No fake grey divs.

• 🔗 Live demo: https://jeetvora331.github.io/shimmer-trace/
• 📦 npm: https://www.npmjs.com/package/shimmer-trace
• ⭐ GitHub: https://github.com/jeetvora331/shimmer-trace

The “Mini Shai-Hulud” npm attack feels like a turning point for AI-assisted development and vibe coding.

A lot of developers now rely on AI agents, rapid scaffolding, and quick npm installs without deeply auditing dependencies. But this attack reportedly compromised trusted package publishing itself and targeted CI/CD secrets.

If trusted packages can temporarily become malicious, are we entering a phase where local AI coding workflows become a major supply-chain attack surface?

Curious how other developers are adapting:

• sandboxing?
• isolated dev containers?
• limiting terminal agent permissions?
• dependency scanning?
• avoiding npx?

Especially interested in hearing from people using AI-assisted coding heavily.

I noticed almost every backend project I start begins with the same repetitive setup:

• JWT auth
• Swagger
• error handling
• rate limiting
• folder structure
• response helpers
• seed scripts

After doing this repeatedly across projects, I made a small local CLI for myself that generates a backend starter with all of this already structured.
https://www.npmjs.com/package/create-api-lite

Currently supports:

• Express / Fastify
• JavaScript / TypeScript
• MongoDB / SQLite

The main thing I cared about was generating code that still feels readable and maintainable later instead of giant boilerplate dumps.

Would genuinely like feedback from backend devs on whether this workflow is useful or not.

(terminal demo attached)

https://i.redd.it/jp9y85ckec0h1.gif