
AI News Hub

Why you keep attacking npm?

DEV Community
Axel Espinosa

Honestly, it's exhausting to wake up and find out there's yet another attack on the npm ecosystem. Socket shared on social media that they had identified compromised packages, some of them from TanStack. Why are attackers so obsessed with npm? Seriously, can you stop already?

The reason it keeps working is simple: by default, npm runs a package's lifecycle scripts (preinstall, install, postinstall) the moment the package is installed, so a compromised package gets code execution on your machine before you ever import it. If you still use npm and haven't disabled these scripts, you're in serious danger. Go and disable them right now: set ignore-scripts=true in your .npmrc (npm config set ignore-scripts true).

Better still, start using pnpm. Version 11 disables dependency lifecycle scripts by default. Of course, some packages (native addons, for example) genuinely need an install script, and in those cases you should read the script and explicitly allow that one package rather than turning scripts back on for everything.

There are also tools you can run before installing a package: Socket Firewall (sfw) and npq, which inspect a package for known-malicious or suspicious signals before it lands in node_modules. Hope this helps.