Paul Lukic
The TanStack npm Compromise: Why Every AI Coding Agent Needs an Audit Log
On 11 May 2026, 84 malicious versions of 42 @tanstack/* packages hit npm and started stealing AWS, GCP, Kubernetes, Vault, GitHub, and SSH credentials. If your AI coding agent ran npm install during that window, you may never know. Here's why agent command logging is now non-negotiable.