
The Worm in the Registry

DEV.to AI · May 13, 2026

A six-minute attack compromised the trust model of modern JavaScript development, pushing 84 malicious package versions across 42 @tanstack packages via a legitimate release pipeline. The "worm" spread to over 170 packages on npm and PyPI, affecting over 518 million cumulative downloads, and was aimed at credential theft.
