From 7ca1ac5ae4a309022e28c3fb8c7c33b2df48a588 Mon Sep 17 00:00:00 2001 From: Sam Date: Thu, 14 May 2026 04:47:48 +0000 Subject: [PATCH] Update npm-supply-chain-compromise-postmortem.md Fix errata. That release workflow was attempted four times. The last one, is couple of days after the PR commit is merged master by Sheraff. --- src/blog/npm-supply-chain-compromise-postmortem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/blog/npm-supply-chain-compromise-postmortem.md b/src/blog/npm-supply-chain-compromise-postmortem.md index c995f565..ac816499 100644 --- a/src/blog/npm-supply-chain-compromise-postmortem.md +++ b/src/blog/npm-supply-chain-compromise-postmortem.md @@ -56,7 +56,7 @@ All times UTC. Local timestamps from GitHub API and npm registry. | Time | Event | | ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 2026-05-11 19:15 | Manuel merges PR #7369 (Shkumbin's `CSS.supports` fix) → push to main triggers `release.yml`.

Workflow run `25613093674` starts (19:15:44), and fails. | +| 2026-05-11 19:15:44 | Sheraff triggers a workflow run for PR #7369 (Shkumbin's `CSS.supports` fix) → `release.yml` workflow run `25613093674` starts (19:15:44), and fails. | | 2026-05-11 19:20:39 | npm registry receives publish for `@tanstack/history@1.161.9` and 41 sibling packages (~84 versions across 42 packages, but only ~half show this exact second; the remainder come during run #2). Publish is authenticated via OIDC trusted-publisher binding for `TanStack/router release.yml@refs/heads/main` — but it does not come from the workflow's defined Publish Packages step, which was skipped because tests failed. It comes from the malware running during the test/cleanup phase, which mints an OIDC token via the workflow's `id-token: write` permission and POSTs directly to `registry.npmjs.org` | | 2026-05-11 19:20:47 | Run `25613093674` completes (status: failure) | | 2026-05-11 19:16 | Manuel merges PR #7382 (jiti tsconfig paths fix) → second push to main triggers `release.yml` |
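Review bot: the replacement row drops the merge event for PR #7369 entirely, so the timeline no longer records when that PR reached main, even though the commit message says Sheraff merged it a couple of days later; keep a merge row at its actual timestamp rather than deleting it. The new row also changes run `25613093674` from a push-to-main trigger to a run Sheraff triggered for the PR, but the unchanged 19:20:39 row still attributes the publish to the trusted-publisher binding for `TanStack/router release.yml@refs/heads/main`; the row should name the triggering event and the ref the run executed on (a run on a pull-request ref would not match that binding), otherwise the two rows contradict each other. Minor: with seconds now in the Time column, the trailing `(19:15:44)` in the Event cell is redundant, and the `2026-05-11 19:16` row for PR #7382 sits after the 19:20 rows, so either reorder the rows or say the table is grouped by run rather than strictly chronological.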