Skip to content

Create - (1004 - TanHacked.md) #2206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
randyrektor merged 1 commit into from
May 12, 2026
Merged

Create - (1004 - TanHacked.md) #2206

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions shows/1004 - TanHacked.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
---
number: 1004
title: TanHacked
date: 1778670000000
url: https://traffic.megaphone.fm/FSI1796633736.mp3
youtube_url: https://www.youtube.com/watch?v=kYqpxJE4DyE
---

Scott and Wes break down the "Mini Shai-Hulud" supply chain attack that compromised TanStack and other popular npm packages through a clever GitHub Actions cache poisoning exploit; a self-propagating worm that stole credentials and persisted through Claude Code hooks and VS Code tasks. They also cover how developers can protect themselves using pnpm's security defaults, dev containers, and other practical defenses.

### Show Notes

* **[00:00](#t=00:00)** Welcome to Syntax!
* **[00:25](#t=00:25)** Understanding the [Shai-Hulud Worm](https://www.wiz.io/blog/shai-hulud-npm-supply-chain-attack)
* [Post Mortem of Shai Hulud Attack](https://posthog.com/blog/nov-24-shai-hulud-attack-post-mortem)
* **[02:47](#t=02:47)** Mechanics of the Attack: GitHub Actions and Cache
* [How the attack happened](https://x.com/sebastienlorber/status/2054108973352038618?s=20)
* [Who Was Involved in the Attack](https://x.com/hetmehtaa/status/2054158511073116266)
* [Several npm latest releases are compromised](https://github.com/TanStack/router/issues/7383#issuecomment-4424629798)
* [Socket.dev](https://socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack)
* [Step Security](https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem)
* **[05:44](#t=05:44)** Brought to you by [Sentry.io](https://sentry.io/syntax)
* **[06:09](#t=06:09)** Propagation and Impact of the Worm
* **[09:30](#t=09:30)** Preventative Measures for Developers
* [Dead Man’s Switch](https://x.com/dabit3/status/2053956743621648789)
* **[12:33](#t=12:33)** The Role of Package Managers in Security
* [Block Exotic Subdeps](https://pnpm.io/settings#blockexoticsubdeps)
* **[18:39](#t=18:39)** Using Dev Containers
* [Why You Should Use Dev Containers](https://www.youtube.com/watch?v=kPMA9cnpScU)
* [Scott Tolinski’s Security Review](https://github.com/stolinski/s-stack/tree/main/skills/security-review)
* **[20:57](#t=20:57)** Conclusion and Final Thoughts
* [Sentry has Skills!](https://github.com/getsentry/skills)

### Hit us up on Socials!

Syntax: [X](https://twitter.com/syntaxfm) [Instagram](https://www.instagram.com/syntax_fm/) [Tiktok](https://www.tiktok.com/@syntaxfm) [LinkedIn](https://www.linkedin.com/company/96077407/admin/feed/posts/) [Threads](https://www.threads.net/@syntax_fm)

Wes: [X](https://twitter.com/wesbos) [Instagram](https://www.instagram.com/wesbos/) [Tiktok](https://www.tiktok.com/@wesbos) [LinkedIn](https://www.linkedin.com/in/wesbos/) [Threads](https://www.threads.net/@wesbos)

Scott: [X](https://twitter.com/stolinski) [Instagram](https://www.instagram.com/stolinski/) [Tiktok](https://www.tiktok.com/@stolinski) [LinkedIn](https://www.linkedin.com/in/stolinski/) [Threads](https://www.threads.net/@stolinski)

Randy: [X](https://twitter.com/randyrektor) [Instagram](https://www.instagram.com/randyrektor/) [YouTube](https://www.youtube.com/@randyrektor) [Threads](https://www.threads.net/@randyrektor)
Loading