Engineering
Long-form analyses of the supply-chain attacks that keep us up at night, the defenses that stopped working, and the ones that still do.
TanStack and the day provenance attestation stopped being a defense
On May 11, 2026, malicious npm artifacts were signed by TanStack's legitimate OIDC pipeline. Sigstore verified them, and every signature check we built for this case passed. Here is what happened, what failed, and the one defense that still works.