Mini Shai-Hulud-class npm hijacks live for 3-12 hours before takedown. pnpm 11.0 ships minimumReleaseAge=1440 (1 day) by default, Yarn 4.10 ships npmMinimalAgeGate=3d, and npm v11.10 only gates when min-release-age is set explicitly. Working .npmrc / pnpm-workspace.yaml / .yarnrc.yml configs, and what breaks when ignore-scripts=true (esbuild, sharp, node-gyp, Cypress).
Composer 2.9.8/2.2.28 fix CVE-2026-45793: GitHub's new GITHUB_TOKEN includes hyphens that Composer's old regex rejects, leaking the token into CI logs as plaintext.
RubyGems.org halted new signups after DDoS and 500+ malicious gem uploads. Existing install/push unaffected — check lockfiles for gems added around May 12 2026.
TanStack npm compromise (42 pkgs / 84 versions, CVE-2026-45321 CVSS 9.6) on May 11, 2026 UTC spread across UiPath (60+), Mistral, OpenSearch, guardrails-ai, Checkmarx Jenkins. Covers token-revoke wipe ordering, first valid SLSA provenance on malicious npm, and Vect ransomware secondary wave (wiper, not real ransomware). Live tracking.