{"id":22021,"date":"2026-05-12T22:15:58","date_gmt":"2026-05-12T13:15:58","guid":{"rendered":"https:\/\/jore2.com\/community-8589-postmortem-tanstack-npm-supply-chain-compromise\/"},"modified":"2026-05-12T22:15:58","modified_gmt":"2026-05-12T13:15:58","slug":"community-8589-postmortem-tanstack-npm-supply-chain-compromise","status":"publish","type":"post","link":"https:\/\/jore2.com\/?p=22021","title":{"rendered":"TanStack \uc758 NPM \uacf5\uae09\ub9dd \uce68\uacf5: CI \ud30c\uc774\ud504\ub77c\uc778\uc758 \uc2e0\ub8b0\uac00 \ubb34\ub108\uc9c4 6 \ubd84"},"content":{"rendered":"<div class=\"jore2-editor-byline\">\n<p><strong>\ubc15\uc11c\uc724<\/strong><\/p>\n<\/div>\n<p>\uc804 \uc138\uacc4 \uac1c\ubc1c\uc790 \ucee4\ubba4\ub2c8\ud2f0\uac00 \ud55c\uc21c\uac04\uc5d0 \uae34\uc7a5\ud55c \uc774\uc720\ub294 \ub2e8\uc21c\ud55c \ud328\ud0a4\uc9c0 \uc5c5\ub370\uc774\ud2b8\uac00 \uc544\ub2c8\uc5c8\uc2b5\ub2c8\ub2e4. 2026 \ub144 5 \uc6d4 11 \uc77c, TanStack \uc758 42 \uac1c npm \ud328\ud0a4\uc9c0\uac00 \ub2e8 6 \ubd84\uc774\ub77c\ub294 \uc9e7\uc740 \uc2dc\uac04 \ub3d9\uc548 84 \uac1c\uc758 \uc545\uc131 \ubc84\uc804\uc73c\ub85c \ub36e\uc5ec\ubc84\ub9b0 \uc0ac\uac74\uc774 \ubc1c\uc0dd\ud588\uc2b5\ub2c8\ub2e4. \uc774 \uc0ac\ud0dc\uac00 \uc8fc\ubaa9\ubc1b\ub294 \ud575\uc2ec\uc740 \uacf5\uaca9\uc790\uac00 npm \ub4f1\ub85d\uc5d0 \uc0ac\uc6a9\ub418\ub294 \ud1a0\ud070\uc744 \ud6d4\uce5c \uac83\uc774 \uc544\ub2c8\ub77c, CI \ud30c\uc774\ud504\ub77c\uc778 \uc2e4\ud589 \uc911 \ub7f0\ud0c0\uc784 \uba54\ubaa8\ub9ac\uc5d0 \ub0a8\uc544 \uc788\ub358 OIDC \ud1a0\ud070\uc744 \ucd94\ucd9c\ud574\ub0c8\ub2e4\ub294 \uc810\uc785\ub2c8\ub2e4. 
\uc774\ub294 \uae30\uc874\uc758 \ubcf4\uc548 \uc0c1\uc2dd, \uc989 &#8216;\ub85c\uceec \ud1a0\ud070 \uad00\ub9ac&#8217;\uc640 &#8216;Trusted Publishing&#8217;\uc758 \uacbd\uacc4\ub97c \ud5c8\ubb34\ub294 \uc0c8\ub85c\uc6b4 \ud615\ud0dc\uc758 \uacf5\uae09\ub9dd \uacf5\uaca9\uc744 \ubcf4\uc5ec\uc90d\ub2c8\ub2e4.<\/p>\n<p>\uacf5\uaca9\uc758 \uba54\ucee4\ub2c8\uc998\uc740 \ub9e4\uc6b0 \uc815\uad50\ud558\uac8c \uc124\uacc4\ub418\uc5b4 \uc788\uc5c8\uc2b5\ub2c8\ub2e4. \uacf5\uaca9\uc790\ub294 pull_request_target \ud328\ud134\uc744 \uc774\uc6a9\ud574 \ud3ec\ud06c\ub41c \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac\uc640 \ubca0\uc774\uc2a4 \ub9ac\ud3ec\uc9c0\ud1a0\ub9ac \uac04\uc758 \uc2e0\ub8b0 \uad00\uacc4\ub97c \uc545\uc6a9\ud588\uc2b5\ub2c8\ub2e4. \uc5ec\uae30\uc5d0 GitHub Actions \uc758 \uce90\uc2dc \uc624\uc5fc \uae30\ubc95\uc744 \uacb0\ud569\ud574, \ubcf8\ub798\ub294 \uc548\uc804\ud574\uc57c \ud560 \uba54\uc778 \ube0c\ub79c\uce58\uc758 \ube4c\ub4dc \ud658\uacbd\uc5d0 \uc545\uc131 \ucf54\ub4dc\ub97c \uc8fc\uc785\ud588\uc2b5\ub2c8\ub2e4. \uc774 \uacfc\uc815\uc5d0\uc11c npm \ud1a0\ud070 \uc790\uccb4\uac00 \ud0c8\ucde8\ub41c \uac83\uc774 \uc544\ub2c8\ub77c, \ube4c\ub4dc \uc11c\ubc84\uac00 \uc2e4\ud589\ub418\ub294 \ub3d9\uc548 \uba54\ubaa8\ub9ac\uc5d0 \uc77c\uc2dc\uc801\uc73c\ub85c \uc874\uc7ac\ud558\ub358 \uc778\uc99d \uc815\ubcf4\ub97c \uc77d\uc5b4\ub0b4\uc5b4 \uc545\uc131 \ubc84\uc804\uc744 \ubc30\ud3ec\ud588\uc2b5\ub2c8\ub2e4. 
\uacb0\uacfc\uc801\uc73c\ub85c npm \ud1a0\ud070\uc740 \ubb34\uc0ac\ud588\uc9c0\ub9cc, CI \ud658\uacbd \ub0b4\ubd80\uc5d0\uc11c \uc2e4\ud589\ub418\ub294 \uc2a4\ud06c\ub9bd\ud2b8\uac00 2.3MB \ud06c\uae30\uc758 \ub09c\ub3c5\ud654\ub41c \ud30c\uc77c\uc744 \uc2e4\ud589\ud558\uba70 AWS, GCP, \ucfe0\ubc84\ub124\ud2f0\uc2a4 \ub4f1 \uc678\ubd80 \ud074\ub77c\uc6b0\ub4dc \uc790\uaca9 \uc99d\uba85\uc744 \uc218\uc9d1\ud574\uac00\ub294 \uad6c\uc870\uc600\uc2b5\ub2c8\ub2e4.<\/p>\n<p>\uc774 \uc0ac\uac74\uc740 \uac1c\ubc1c\uc790\ub4e4\uc774 CI \ud30c\uc774\ud504\ub77c\uc778\uc744 \ub2e8\uc21c\ud55c \uc790\ub3d9\ud654 \ub3c4\uad6c\uac00 \uc544\ub2cc, \ubcf5\uc7a1\ud55c \uc2e0\ub8b0\uc758 \uc0ac\uc2ac\ub85c \uc778\uc2dd\ud574\uc57c \ud568\uc744 \uc77c\uae68\uc6e0\uc2b5\ub2c8\ub2e4. \ud2b9\ud788 YAML \ud30c\uc77c\ub85c \uad6c\uc131\ub41c \uc124\uc815\uc774 \uc2e4\uc81c \ub514\ub809\ud1a0\ub9ac \uad6c\uc870\uc640 \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc5d0 \uc5b4\ub5bb\uac8c \uc601\ud5a5\uc744 \ubbf8\uce58\ub294\uc9c0 \uc774\ud574\ud558\uc9c0 \ubabb\ud55c \ucc44 \uc0ac\uc6a9\ud558\ub294 \uacbd\uc6b0, \ud3ec\ud06c\ub41c PR \uc774 \uba54\uc778 \ube0c\ub79c\uce58\uc758 \uce90\uc2dc\ub97c \uc624\uc5fc\uc2dc\ud0a4\ub294 &#8216;\uc720\ub839&#8217; \uac19\uc740 \uacf5\uaca9\uc5d0 \ub178\ucd9c\ub420 \uc218 \uc788\uc74c\uc744 \ubcf4\uc5ec\uc90d\ub2c8\ub2e4. 
\ucee4\ubba4\ub2c8\ud2f0\uc5d0\uc11c\ub294 \uc774\ub7ec\ud55c \ubcf5\uc7a1\uc131\uc744 \uc904\uc774\uae30 \uc704\ud574 \uacfc\uac70\uc758 Bash \uc2a4\ud06c\ub9bd\ud2b8 \ubc29\uc2dd\ucc98\ub7fc \uc9c1\uad00\uc801\uc778 \ud30c\uc774\ud504\ub77c\uc778 \uad00\ub9ac\ub85c \ud68c\uadc0\ud574\uc57c \ud55c\ub2e4\ub294 \uc758\uacac\uc774 \ud798\uc744 \uc5bb\uace0 \uc788\uc73c\uba70, Trusted Publishing \ub9cc\uc73c\ub85c\ub294 CI \ub0b4\ubd80\uc758 \uacf5\uaca9\uc790\ub97c \uc644\uc804\ud788 \ub9c9\uc744 \uc218 \uc5c6\ub2e4\ub294 \uacbd\uac01\uc2ec\uc774 \ud655\uc0b0\ub418\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n<p>\ud604\uc7ac TanStack \uce21\uc740 \ubaa8\ub4e0 \uc545\uc131 \ubc84\uc804\uc744 \ud3d0\uae30\ud558\uace0 npm \ub808\uc9c0\uc2a4\ud2b8\ub9ac\uc5d0\uc11c \ud0c0\ub974\ubcfc\uc744 \uc81c\uac70\ud558\ub294 \uc791\uc5c5\uc744 \uc9c4\ud589 \uc911\uc785\ub2c8\ub2e4. \ud558\uc9c0\ub9cc \uc774 \uc0ac\ud0dc\uc758 \uc5ec\ud30c\ub294 \ub2e8\uc21c\ud788 \ud328\ud0a4\uc9c0 \uc218\uc815\uc744 \ub118\uc5b4\uc12d\ub2c8\ub2e4. 5 \uc6d4 11 \uc77c \ud574\ub2f9 \ubc84\uc804\uc744 \uc124\uce58\ud55c \ud658\uacbd\uc5d0 \uc788\ub294 \uac1c\ubc1c\uc790\ub4e4\uc740 AWS, GCP, GitHub, SSH \ub4f1 \uc811\uadfc \uac00\ub2a5\ud55c \ubaa8\ub4e0 \uc790\uaca9 \uc99d\uba85\uc744 \uad50\uccb4(rotate)\ud574\uc57c \ud55c\ub2e4\ub294 \uad8c\uace0\ub97c \ubc1b\uace0 \uc788\uc2b5\ub2c8\ub2e4. 
\uc55e\uc73c\ub85c\ub294 CI \ud30c\uc774\ud504\ub77c\uc778\uc758 \uc2e0\ub8b0 \uacbd\uacc4\ub97c \uc5b4\ub5bb\uac8c \uc124\uc815\ud560\uc9c0, \uadf8\ub9ac\uace0 \uba54\ubaa8\ub9ac \uae30\ubc18\uc758 \ud1a0\ud070 \ucd94\ucd9c \uacf5\uaca9\uc5d0 \ub300\ube44\ud55c \ubcf4\uc548 \uc804\ub7b5\uc744 \uc5b4\ub5bb\uac8c \uc218\ub9bd\ud560\uc9c0\uac00 \uac1c\ubc1c \uc0dd\ud0dc\uacc4\uc758 \uc0c8\ub85c\uc6b4 \ud654\ub450\uac00 \ub420 \uac83\uc785\ub2c8\ub2e4.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\ub2e8 6 \ubd84 \ub9cc\uc5d0 42 \uac1c \ud328\ud0a4\uc9c0, 84 \uac1c\uc758 \uc545\uc131 \ubc84\uc804\uc774 \ud37c\uc838\ub098\uac04 TanStack \uc758 \uacf5\uae09\ub9dd \uce68\ud574 \uc0ac\ud0dc. npm \ud1a0\ud070 \ud0c8\ucde8\uac00 \uc544\ub2cc CI \ub7f0\ud0c0\uc784 \uba54\ubaa8\ub9ac\uc5d0\uc11c OIDC \ud1a0\ud070\uc744 \ucd94\ucd9c\ud55c \uc815\uad50\ud55c \uacf5\uaca9 \ubc29\uc2dd\uc774 \uac1c\ubc1c\uc790 \ucee4\ubba4\ub2c8\ud2f0\ub97c \ub728\uac81\uac8c \ub2ec\uad6c\uace0 \uc788\uc2b5\ub2c8\ub2e4.<\/p>\n","protected":false},"author":6,"featured_media":22020,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[406],"tags":[8240,16796,16797,16795,16798],"class_list":["post-22021","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-406","tag-ci","tag-npm","tag-oidc","tag-tanstack","tag-16798"],"featured_image_urls":{"full":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise.png",1200,600,false],"thumbnail":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise-150x150.png",150,150,true],"medium":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise-300x150.png",300,150,true],"medium_large":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmort
em-tanstack-npm-supply-chain-compromise-768x384.png",640,320,true],"large":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise-1024x512.png",640,320,true],"1536x1536":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise.png",1200,600,false],"2048x2048":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise.png",1200,600,false],"morenews-large":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise-825x575.png",825,575,true],"morenews-medium":["https:\/\/jore2.com\/wp-content\/uploads\/2026\/05\/community-8589-postmortem-tanstack-npm-supply-chain-compromise-590x410.png",590,410,true]},"author_info":{"info":["\ubc15\uc11c\uc724"]},"category_info":"<a href=\"https:\/\/jore2.com\/?cat=406\" rel=\"category\">\uc694\uc998\ub728\ub294\uc18c\uc2dd<\/a>","tag_info":"\uc694\uc998\ub728\ub294\uc18c\uc2dd","comment_count":"0","_links":{"self":[{"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/posts\/22021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/jore2.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=22021"}],"version-history":[{"count":0,"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/posts\/22021\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jore2.com\/index.php?rest_route=\/wp\/v2\/media\/22020"}],"wp:attachment":[{"href":"https:\/\/jore2.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=22021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jor
e2.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=22021"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jore2.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=22021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}