TanStack Devtools version
v0.11.2
Framework/Library version
react v19.2.5
Describe the bug and the steps to reproduce it
We use some tanstack components but believe that our versions were locked to versions prior the compromised versions.
Having said that, while doing some research I noticed that our ci tests had been failing since 2026-05-06 07:30:00 UTC because of a missing @tanstack/devtools-vite package.
The successful run immediately prior to that was at 2026-05-06 07:04:00 UTC.
I assumed that our test failures we caused by a response to attack reported on 2026-05-11 but the fact that they predated by 5 days may be relevant to your compromise analysis iff the missing package as a side-effect of the malicious actors prior actions. If the malicious actor was responsible for the missing package, then these two timestamps might be useful to review.
static | 127.0.0.1 - - [06/May/2026:07:30:38 +0000] "GET /atlas/ HTTP/1.1" 200 1898 "-" "curl/8.14.1" "-"
cx | ╭─[ vite.config.ts:2:26 ]
static | 127.0.0.1 - - [06/May/2026:07:30:43 +0000] "GET /atlas/ HTTP/1.1" 200 1898 "-" "curl/8.14.1" "-"
cx | │
cx | 2 │ import *** devtools *** from "@tanstack/devtools-vite";
cx | │ ────────────┬────────────
cx | │ ╰────────────── Module not found, treating it as an external dependency
cx | ───╯
cx |
cx | vite.config.ts (4:31) [UNRESOLVED_IMPORT] Warning: Could not resolve '@tanstack/router-plugin/vite' in vite.config.ts
cx | ╭─[ vite.config.ts:4:32 ]
cx | │
mail | time="2026/05/06 17:29:47" level=debug msg="[db] applied schema: 1.23.0.sql"
Your Minimal, Reproducible Example - (Sandbox Highly Recommended)
Please read text, reclassify as necessary
Screenshots or Videos (Optional)
No response
Do you intend to try to help solve this bug with your own PR?
None
Terms & Code of Conduct
TanStack Devtools version
v0.11.2
Framework/Library version
react v19.2.5
Describe the bug and the steps to reproduce it
We use some tanstack components but believe that our versions were locked to versions prior the compromised versions.
Having said that, while doing some research I noticed that our ci tests had been failing since 2026-05-06 07:30:00 UTC because of a missing @tanstack/devtools-vite package.
The successful run immediately prior to that was at 2026-05-06 07:04:00 UTC.
I assumed that our test failures we caused by a response to attack reported on 2026-05-11 but the fact that they predated by 5 days may be relevant to your compromise analysis iff the missing package as a side-effect of the malicious actors prior actions. If the malicious actor was responsible for the missing package, then these two timestamps might be useful to review.
Your Minimal, Reproducible Example - (Sandbox Highly Recommended)
Please read text, reclassify as necessary
Screenshots or Videos (Optional)
No response
Do you intend to try to help solve this bug with your own PR?
None
Terms & Code of Conduct