Live threat — TanStack compromise · 11 May 2026 · 84 versions, 42 packages

Hardening npm, layer by layer.

A release cooldown buys you a detection window. It doesn't stop a payload from reading ~/.ssh/id_ed25519 at runtime, or phoning home over a legitimate messenger. Real protection is composed.

Toggle defenses. Watch which stages of a real attack they intercept. Decide how much friction your work can absorb.


I.Attack kill chain

Eight stages a poisoned package traverses to reach your secrets.

Each defense intercepts at a specific stage. Defense-in-depth means building a portfolio that covers multiple stages, not doubling down on the strongest single layer.

Legend: Open · Partial coverage · Covered · Where the attack is right now

Run a real attack against your stack

Status: Pick an attack above. The red token traces its stages; the layers you have enabled stop it where they can.

II.The layers

Eleven tiers, ordered by friction-to-value.

Tier 0 is where you are. Stack as many as your workflow can absorb. The single highest-leverage move after cooldown is moving off the npm CLI to pnpm: per-package script allowlisting, blocking of exotic subdependencies (git and tarball-URL resolutions), and downgrade detection have no npm-CLI equivalent.
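To make the pnpm move concrete, here is an added example of a pnpm-workspace.yaml that turns on each of the controls named above together with a cooldown. It is not configuration from this page or from the pnpm project; the setting names are pnpm 10.x settings as the editor understands them (onlyBuiltDependencies, strictDepBuilds, blockExoticSubdeps, minimumReleaseAge, minimumReleaseAgeExclude), and trustPolicy is assumed to be available in recent pnpm 10 releases. The package names, the 3-day window and the scope pattern are placeholders chosen for illustration.

```yaml
# pnpm-workspace.yaml (added example; settings assumed to be pnpm 10.x, not the page's own config)

# Install-time scripts: no dependency runs a lifecycle script (preinstall/install/postinstall)
# unless it is listed here. Review each entry before adding it.
onlyBuiltDependencies:
  - esbuild          # placeholder: a package whose build step you have reviewed
# Fail the install instead of silently skipping an unlisted dependency that wants to build.
strictDepBuilds: true

# Resolution: refuse subdependencies resolved from git repositories or tarball URLs,
# which bypass registry metadata, cooldown and provenance checks.
blockExoticSubdeps: true

# Cooldown: ignore versions published less than 3 days ago (value is in minutes).
minimumReleaseAge: 4320
# Packages you publish yourself can be exempted so internal releases are not delayed.
minimumReleaseAgeExclude:
  - "@my-org/*"      # placeholder scope

# Downgrade detection (assumption: trustPolicy is available in your pnpm release):
# refuse to install a version whose trust level (e.g. trusted publishing with provenance)
# is lower than the version already in the lockfile.
trustPolicy: no-downgrade
```

Run `pnpm install --frozen-lockfile` in CI so a lockfile that does not match the manifest fails the build rather than being silently re-resolved, and treat any strictDepBuilds failure as a prompt to review the new dependency's scripts before allowlisting it.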