On May 11, 2026, an attacker chained three GitHub Actions vulnerabilities to publish 84 malicious versions across 42 @tanstack/* npm packages. Developers who installed affected versions must immediately rotate all credentials.
Hacker News treated the Bitwarden CLI compromise as the sort of GitHub Actions failure that becomes far more serious when the package sits near secrets, tokens, and password-manager workflows. By crawl time on April 25, 2026, the thread had 855 points and 416 comments.
StepSecurity’s March 31, 2026 disclosure turned a pair of malicious axios releases into a high-priority ecosystem warning. The affected packages used a fake dependency and a postinstall path to deliver a cross-platform RAT dropper.