A supply-chain attack was identified involving the unscoped npm package 'tanstack', which brand-squats the legitimate '@tanstack/*' organization. Versions 2.0.4 through 2.0.7 contain malicious postinstall scripts designed to silently exfiltrate environment variables and markdown files to an attacker-controlled Svix endpoint.