# 1004: TanHacked

- Page: https://stenobird.com/podcast/syntax-tasty-web-development-treats/1004-tanhacked
- Text version: https://stenobird.com/podcast/syntax-tasty-web-development-treats/1004-tanhacked.md
- Podcast: [Syntax - Tasty Web Development Treats](https://stenobird.com/podcast/syntax-tasty-web-development-treats)
- Published: 2026-05-13T11:00:00+00:00
- Episode link: https://syntax.fm/1004
- Audio file: https://traffic.megaphone.fm/FSI1796633736.mp3
- Processing state: not_requested
- JSON: https://stenobird.com/v1/public/podcasts/syntax-tasty-web-development-treats/episodes/1004-tanhacked
- Duration seconds: 1396

## Resource

Scott and Wes break down the “Mini Shai-Hulud” supply chain attack that compromised TanStack and other popular npm packages through a clever GitHub Actions cache poisoning exploit. The payload was a self-propagating worm that stole credentials and persisted through Claude Code hooks and VS Code tasks. They also cover how developers can protect themselves using pnpm’s security defaults, dev containers, and other practical defenses.

### Show Notes

- 00:00 Welcome to Syntax!
- 00:25 Understanding the Shai-Hulud Worm
  - Post Mortem of Shai Hulud Attack
- 02:47 Mechanics of the Attack: GitHub Actions and Cache
  - How the attack happened
  - Who Was Involved in the Attack
  - Several npm latest releases are compromised
  - Socket.dev
  - Step Security
- 05:44 Brought to you by Sentry.io
- 06:09 Propagation and Impact of the Worm
- 09:30 Preventative Measures for Developers
  - Dead Man’s Switch
- 12:33 The Role of Package Managers in Security
  - Block Exotic Subdeps
- 18:39 Using Dev Containers
  - Why You Should Use Dev Containers
  - Scott Tolinski’s Security Review
- 20:57 Conclusion and Final Thoughts
  - Sentry has Skills!

Hit us up on Socials!

- Syntax: X, Instagram, Tiktok, LinkedIn, Threads
- Wes: X, Instagram, Tiktok, LinkedIn, Threads
- Scott: X, Instagram, Tiktok, LinkedIn, Threads
- Randy: X, Instagram, YouTube, Threads

## Actions

- request_transcript: `POST https://stenobird.com/v1/public/podcasts/syntax-tasty-web-development-treats/episodes/1004-tanhacked/transcription-requests` — Idempotently request low-priority transcript generation for this episode.
- read_markdown: `GET https://stenobird.com/podcast/syntax-tasty-web-development-treats/1004-tanhacked.md` — Read the agent-friendly Markdown representation of this episode resource.

A page view does not enqueue transcription. Agents should invoke `request_transcript` explicitly when they need this episode processed.

## Transcript

Full transcripts are not published on public pages unless there is a clear rights basis.