Heads Up on My Dev Tools

By now you have probably seen what happened on May 11. The TeamPCP group chained a GitHub Actions Pwn Request with cache poisoning and OIDC token extraction to push 84 malicious versions across 42 TanStack packages, and the worm spread from there to UiPath, Mistral AI, OpenSearch, and others. What made this one particularly alarming is that the malicious packages carried valid SLSA Build Level 3 provenance attestations, so the usual "check the signature" advice offered zero protection: the attestations were genuine because the attacker controlled the build itself. Anyone who ran npm install during that window on May 11 is advised to rotate every credential the build host could reach.
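For readers who maintain their own Actions workflows, the "Pwn Request" link in that chain is the one most directly under your control. The following is an added illustration, not anything from the original post or from the affected projects: it shows the workflow shape that opens the door (a pull_request_target trigger that checks out and executes the contributor's code while holding the repository's write token and secrets) next to a hardened shape. The workflow names, job names and the npm scripts are assumptions for the example; the permissions keys, triggers and actions/checkout inputs are standard GitHub Actions features.

```yaml
# --- Risky pattern (illustrative, do not use) -----------------------------
# pull_request_target runs in the context of the BASE repository, so the job
# gets the repo's GITHUB_TOKEN (write by default) and its secrets. Checking
# out the PR head and then running `npm install` executes whatever the PR
# author put in package.json scripts, with those credentials in scope.
name: pr-check-risky            # assumed name
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # checks out untrusted PR code into a privileged job
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm          # cache written here is trusted by later runs
      - run: npm install      # runs PR-controlled lifecycle scripts
      - run: npm test
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # exposed to PR code

# --- Hardened pattern ------------------------------------------------------
# 1. Use `pull_request`, which runs with a read-only token from a fork and
#    no access to repository secrets.
# 2. Drop default permissions to read-only and grant nothing the job does
#    not need; do not request `id-token: write` in any job that touches
#    untrusted input, so no OIDC token exists to extract.
# 3. Use `npm ci --ignore-scripts` so a lockfile-pinned install does not run
#    lifecycle scripts from dependencies or the PR.
# 4. Do not restore a shared cache in a job that processes untrusted input;
#    the publish job below uses its own cache key prefix.
name: pr-check-hardened         # assumed name
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config
      - uses: actions/setup-node@v4
        with:
          node-version: 20             # no `cache:` here on purpose
      - run: npm ci --ignore-scripts
      - run: npm test

  # Publishing is a separate job, triggered only from protected refs, and is
  # the only place an OIDC token is minted. It never checks out PR content.
  publish:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write                  # scoped to this job only
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci --ignore-scripts
      - run: npm publish --provenance --access public   # assumed publish step
```

The point of the split is containment rather than any single setting: the job that sees contributor code has a read-only token, no secrets, no OIDC token and no shared cache, so even a successful code-execution in that job has nothing worth stealing. Provenance attestations only ever prove that a build happened in the declared workflow; they cannot tell you whether that workflow was running attacker-supplied steps, which is exactly why the publishing job must be isolated from untrusted input.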

I own dev tools that people pull into their pipelines, and I have audited nothing yet. I am traveling right now with only my iPhone, and a real audit requires my full setup and full attention. Until I get back and go through everything properly, I am asking people to hold off on using my tools. If you proceed anyway, I have warned you, and I take no responsibility for what happens. The moment I am back and have completed the audit, I will post a full update here with a clear answer on where things stand.