npm install is no longer safe.
84 malicious packages. Six minutes. Without stealing anyone's password. On May 11 a hacker turned TanStack's publishing pipeline against itself and infected npm. The project everyone was migrating to in order to escape Next.js's complexity became an attack vector, and the malware spread on its own to other packages.
If you installed any @tanstack/* in that window, this video is for you. We dissect how the attack worked (spoiler: nobody broke into anyone's account), why npm is living through the biggest trust crisis in the history of open source, and what could have been prevented with four lines in .npmrc.
The complexity didn't go away, pal. It just moved: from the framework to the pipeline, from the code to npm.
▼ COMPROMISED? RUN THIS
If you installed @tanstack/* on May 11:
find node_modules/@tanstack -name "router_init.js"
Confirm with:
grep -r "voicproducoes\|79ac49eedf" node_modules/@tanstack/*/package.json
If it hits: disable the gh-token-monitor service FIRST, then revoke the tokens (GitHub, npm, AWS, GCP, SSH, Kubernetes). The order matters, otherwise you get rm -rf on your home directory.
▼ THE 4 .npmrc LINES THAT SAVE YOU
ignore-scripts=true
min-release-age=7
allow-git=none
(+ lockfile with exact versions, no ^ and no ~)
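An added audit script (not from the video) that checks a project for the three .npmrc lines above and counts package.json dependencies still declared with ^ or ~ instead of an exact pin; the sample files, package names and versions it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the video: audit a project's npm hardening against the
# .npmrc lines listed above and flag ^ / ~ ranges in package.json dependencies.
# The sample project below is constructed inline so the script runs offline.

# Exit 0 only when every hardening line is present verbatim in the given .npmrc.
npmrc_hardened() {
  [ -f "$1" ] || return 1
  for kv in "ignore-scripts=true" "min-release-age=7" "allow-git=none"; do
    grep -qx "$kv" "$1" || return 1
  done
}

# Print how many "name": "^x.y.z" or "~x.y.z" entries a package.json contains.
# grep -c still prints 0 when nothing matches, so its exit code is ignored.
count_ranged_deps() {
  grep -cE '^[[:space:]]*"[^"]+":[[:space:]]*"[~^]' "$1" || true
}

# Constructed sample project: one hardened .npmrc, one weak .npmrc, and a
# package.json where two dependencies are ranged and one is pinned exactly.
demo=$(mktemp -d)
printf 'ignore-scripts=true\nmin-release-age=7\nallow-git=none\n' > "$demo/hardened.npmrc"
printf 'registry=https://registry.npmjs.org/\n' > "$demo/weak.npmrc"
cat > "$demo/package.json" <<'EOF'
{
  "dependencies": {
    "@tanstack/react-router": "^1.0.0",
    "@tanstack/react-query": "~5.0.0",
    "react": "19.0.0"
  }
}
EOF

if npmrc_hardened "$demo/hardened.npmrc"; then
  echo "hardened.npmrc: all three hardening lines present"
fi
if ! npmrc_hardened "$demo/weak.npmrc"; then
  echo "weak.npmrc: hardening lines missing"
fi
echo "ranged dependencies in package.json: $(count_ranged_deps "$demo/package.json")"
```

Point `npmrc_hardened` and `count_ranged_deps` at a real project's `.npmrc` and `package.json` to audit it; the lockfile pin check the description also asks for is not covered here.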
━━━━━━━━━━━━━━━━━━━━
⚡ SPONSOR — ChatLLM by Abacus
Instead of paying separate subscriptions for Claude, GPT, Gemini and DeepSeek, you get more than 100 models in one place, with a RouteLLM that picks the best one for each question. And there's DeepAgent, which opens PRs, integrates Stripe and does cross-referenced research over docs. Seven reais for the first month.
👉 https://deepagent.abacus.ai/bvy
━━━━━━━━━━━━━━━━━━━━
⏱️ CHAPTERS
00:00 84 packages in 6 minutes
00:48 How big TanStack is
01:34 Why it became the hype of 2026
03:08 Sponsor: ChatLLM by Abacus
03:56 npm's absurd trust crisis
08:13 40 days earlier: the Axios attack
10:26 The TanStack attack: how it went down from the inside
14:16 The SLSA badge that validated the poison
15:47 The dead-man's switch (rm -rf on home)
16:56 How to protect yourself (4 lines in .npmrc)
19:04 The complexity just moved
⭐ Become a channel member: https://www.youtube.com/channel/UC1VZDEtGNxfQzh7EYcD2frg/join
📸 Instagram: https://instagram.com/manodeyvin
📌 Clips channel: https://www.youtube.com/@cortesdomanoofc
📚 SOURCES (all cited in the video)
Official TanStack postmortem: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem
Snyk — TanStack npm packages compromised: https://snyk.io/blog/tanstack-npm-packages-compromised/
TanStack advisory on X: https://x.com/tan_stack/status/2053948103766716630
ReversingLabs 2026 Supply Chain Report (73%): https://www.reversinglabs.com/press-releases/reversinglabs-2026-software-supply-chain-security-report-identifies-73-increase-in-malicious-open-source-packages
Sonatype Q1 2026 Index: https://www.opensourceforu.com/2026/04/ci-cd-and-npm-face-open-source-trust-attack-surge-sonatype-q1-2026-index/
InfoQ — Axios npm compromised: https://www.infoq.com/news/2026/04/axios-supply-chain/
Microsoft — Mitigating the Axios compromise: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/
ThreatLocker — TeamPCP hits TanStack: https://www.threatlocker.com/blog/teampcp-supply-chain-attack-hits-tanstack
Gigazine — cascade effect: https://gigazine.net/gsc_news/en/20260512-tanstack-supply-chain-attack/
Cybernews — packages with millions of downloads: https://cybernews.com/security/npm-packages-with-millions-downloads-compromised/
State of React 2025: https://2025.stateofreact.com/en-US/libraries/
T3Chat — why I moved off Next.js: https://www.crazystack.com.br/2025-3/i-moved-off-of-nextjs
TanStack — 2 years of full-time OSS: https://tanstack.com/blog/tanstack-2-years
---------
📧 Need recommendations for Pentesters / Senior Devs? https://hiresenior.app
#tanstack #npm #security