On 11 May 2026, between 19:20 and 19:26 UTC, someone published 84 malicious versions across 42 @tanstack/* npm packages. Six minutes, start to finish. @tanstack/react-router alone pulls north of 12 million weekly downloads, so the blast radius

AI Agent Governance Security MCP