welcome web developers, i made a npm package to detect automatically bugs in your front end called "layout-canari".
99% of you reading will say "yeah man skip him hes prob marketing a malware"
so i published the files in github to be opensource
i would be appreciating anyone finding bugs and give me enhancements
https://github.com/helpmastr/layout-canary
(i wish if you can star it)
thanks developers!
Mini Shai-Hulud has yet again reportedly compromised 160+ packages, including parts of the TanStack and Mistral ecosystems. The interesting part is the attack path: instead of simple typosquatting, it abused GitHub Actions cache poisoning and trusted publishing/OIDC workflows, making the malicious packages appear legitimately built and published.
Summary:
A recent npm supply-chain incident affected multiple u/tanstack/* packages. Malicious versions were published to npm, and the payload reportedly executed during install.
The main risk is not only runtime usage. If a developer machine or CI runner installed an affected version, secrets available to the install process may have been exposed.
Reported targets included:
- cloud credentials
- GitHub tokens
- npm tokens
- SSH keys
- CI/deployment secrets
Practical things to check:
- lockfile versions for u/tanstack/*
- npm/pnpm/yarn install logs
- package manager cache
- CI runs during the affected publish window
- GitHub/npm/cloud audit logs
- whether lifecycle scripts were enabled during install
For affected environments, the safer assumption is that exposed credentials should be rotated and dependencies should be reinstalled from a clean lockfile after moving to patched versions.
Primary advisory:
https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx
Public tracking issue:
https://github.com/TanStack/router/issues/7383
I also maintain NPMScan and put the affected versions, IOCs, and mitigation notes into one page here:
https://npmscan.com/vulnerability/GHSA-g7cv-rxg3-hmpx
Recent npm vulnerability feed:
https://npmscan.com/latest-vulnerabilities
The bigger question: should Node.js CI pipelines disable install scripts by default, or is that still too impractical for real projects?
npm supply chain attacks are no longer “theoretical”.
TanStack. Axios. Trivy. Bitwarden. SAP. Intercom.
Attackers are abusing:
We built an AI-assisted hunting pipeline to detect the behavioral kill chain behind these attacks instead of chasing IOC crumbs.
Real queries. Real telemetry pitfalls. Real lessons learned.
Every time I built a skeleton loader, it was the same pain: copy the card, replace content with grey boxes, tweak padding after every design change, watch all the shimmer animations run out of sync like a broken disco floor.
So I built shimmer-trace, a React library that wraps your real component and automatically traces the shape of every element to generate a perfectly matched skeleton. One wrapper, zero hand-drawn boxes.
<Shimmer loading={isLoading}>
<UserCard user={user} />
</Shimmer>
That's literally it. No <SkeletonCard />. No fake grey divs.
The “Mini Shai-Hulud” npm attack feels like a turning point for AI-assisted development and vibe coding.
A lot of developers now rely on AI agents, rapid scaffolding, and quick npm installs without deeply auditing dependencies. But this attack reportedly compromised trusted package publishing itself and targeted CI/CD secrets.
If trusted packages can temporarily become malicious, are we entering a phase where local AI coding workflows become a major supply-chain attack surface?
Curious how other developers are adapting:
npx?Especially interested in hearing from people using AI-assisted coding heavily.
I noticed almost every backend project I start begins with the same repetitive setup:
After doing this repeatedly across projects, I made a small local CLI for myself that generates a backend starter with all of this already structured.
https://www.npmjs.com/package/create-api-lite
Currently supports:
The main thing I cared about was generating code that still feels readable and maintainable later instead of giant boilerplate dumps.
Would genuinely like feedback from backend devs on whether this workflow is useful or not.
(terminal demo attached)
