TanStack NPM Supply-Chain Compromise: Full Postmortem Drops

Good morning and welcome to Builder's Briefing for May thirteenth, twenty twenty-six. I'm Alex, joined as always by Sam. We've got a packed show — a major npm supply-chain attack, AI being used offensively to find vulnerabilities, a spicy debate about whether Python still makes sense when AI writes your code, and GitLab making some big moves.

Yeah, it's a heavy security day. Let's get into it.

So our big story — TanStack just dropped a full postmortem on a supply-chain compromise that hit their npm packages. We're talking TanStack Query, Router, Table — some of the most depended-upon packages in the entire JavaScript ecosystem. An attacker managed to publish malicious versions to npm, so anyone who ran an install during that window could have pulled tainted code right into their build pipeline.

This is the one that makes your stomach drop. Like, statistically, if you're a JavaScript developer, you probably have TanStack somewhere in your dependency tree. This isn't some obscure package with twelve downloads a week — this is core infrastructure.

Exactly. And the postmortem is thorough — link in the briefing — but the actionable takeaway is: audit your lockfiles today. Make sure your pinned versions match known-good hashes. If you're not using integrity hashes in your lockfile, start now.

Right, and what's wild is this really accelerates the timeline on npm provenance checks. Things like Sigstore and npm provenance publishing — those were "nice to have" features six months ago. Now? I think they're table stakes. If you maintain packages, turn on provenance publishing. If you consume them, verify it in your CI.

And that ties directly into our next security story. Google confirmed that criminal hackers actually used AI tooling to discover a major software vulnerability. Not just writing phishing emails — we're talking AI-assisted vulnerability discovery.

That's a big shift. We've been hearing about AI for offense for a while, but this is Google saying, yeah, it happened, it worked. If you're building software and you're not running AI-assisted fuzzing or static analysis on your own code, your adversaries are literally ahead of you now.

Also in security — Instructure, the company behind Canvas, the learning management system — they paid a ransom after a breach. If you're in edtech or handling student data, your customers are going to be asking hard compliance questions.

Paying ransoms is always a rough look, especially when you're holding student data. That one's going to ripple through procurement conversations for a while.

Okay, let's shift to AI and models. The story that's got everyone arguing this week — "If AI writes your code, why use Python?" The argument is provocative but compelling: if LLMs handle the syntax, Python's ergonomics advantage basically evaporates, and you should be optimizing for runtime performance instead. Think Rust, Go, that kind of thing.

I have strong feelings about this one. There's real merit here. Like, the reason Python won was because humans could read and write it quickly. But if an LLM is generating the code and you're mostly reviewing it, why not generate Rust that runs ten times faster? The calculus genuinely is shifting if you're starting a new project today.

Counterpoint, though — you still need to debug it, maintain it, and reason about it. But yeah, for new AI-heavy projects, it's worth engaging with seriously. Also notable: Anthropic's Claude is now available as a full managed platform on AWS, not just through the Bedrock API. If you're already on AWS and building with Claude, this could simplify your deployment pretty significantly.

That's interesting because Bedrock has always felt like a lowest-common-denominator approach. A dedicated Claude platform on AWS could mean better latency, tighter integration, maybe better pricing. Worth looking into if you're in that ecosystem.

One more AI item — there's a fantastic interactive visual guide from Georgia Tech called Transformer Explainer. It walks you through transformer internals, attention mechanisms, embeddings, all of it. If you're onboarding engineers to an AI team, bookmark this immediately. Link in the briefing.

On the developer tools front — Python three fifteen is getting a built-in statistical profiler. A new sampling module right in the standard library. Low overhead, no third-party tools needed.

Finally! If you've ever tried to profile a production Python service, you know how painful it's been to bolt on third-party profilers. Having this in stdlib is huge, especially for profiling AI inference pipelines or API servers where you need low overhead.

And there's a great architecture guide from matklad — the rust-analyzer creator. It's a practical, opinionated guide to learning software architecture by actually building things, not just reading design pattern books. Really relevant if you're a senior dev leaning on AI for code generation but want to keep your architectural judgment sharp.

That resonates. Like, the more AI writes the code, the more your value as a senior engineer shifts to architectural decisions. If you're not exercising that muscle, you're slowly becoming replaceable.

Okay, quick industry news — GitLab announced layoffs and is retiring its famous CREDIT values framework. The CEO is calling it "Act Two." If you depend on GitLab's ecosystem, watch for product focus shifts. And if you're building competing dev tools, this might be a market opening.

Dropping the CREDIT values is symbolic. That was core to GitLab's identity as a transparent, remote-first company. When you rebrand your culture during layoffs, it signals a pretty fundamental strategic pivot. I'd keep an eye on their CI/CD and DevSecOps surface area — could contract.

Also, Jeff Geerling published a deep dive into Bambu Lab accused of abusing the open-source social contract — benefiting from open-source 3D printing work while locking down their own ecosystem. Great cautionary tale if you're building anything open-source-adjacent.

Quick hits to close us out: there's a gorgeous WebGL deep dive on rendering realistic skies and sunsets, a fun AI-built tool for diagnosing why you wake up at night, a "They Live"-inspired ad blocker that replaces ads with those Obey-style overlays — which is amazing — and eBay rejected GameStop's fifty-six billion dollar takeover bid, calling it not credible.

Wait, GameStop tried to buy eBay for fifty-six billion? That's the most GameStop thing I've ever heard. And I need that They Live ad blocker immediately.

So the big takeaway today: supply-chain security is not optional anymore. The TanStack compromise hit one of npm's most downloaded ecosystems, and attackers are using AI to find vulnerabilities faster than defenders can patch them. Lock down your CI with provenance verification, pin exact versions, run npm audit signatures — do it today.

And if you're starting a new project, seriously engage with the question of whether Python is still the right default. When AI handles the syntax, optimize for runtime performance and maintainability, not just developer ergonomics.

That's your Builder's Briefing for May thirteenth. All the links are in the show notes. Stay secure out there, and we'll see you tomorrow.

Go audit those lockfiles. See you next time.