ByteBrief

Best read upright.

We're a portrait publication through and through. Turn your phone back and your briefing picks up right where you left it.

(We tried widescreen once. It wasn't us.)

ByteBrief

DevHacker Noonabout 10 hours ago

Malicious npm Packages Had Valid Signatures

8 min read

An attacker published 84 malicious versions of 42 TanStack packages to npm in six minutes. Each package carried a valid SLSA provenance and Sigstore attestation from TanStack's real GitHub Actions workflow. The signatures proved the code came from the correct repository, not that it was safe.

Level

Hype check

Tap to vote and see what everyone thinks.

#npm #supply chain #security