
Commit b42989f

Update npm-supply-chain-compromise-postmortem.md
Fix errata. That release workflow was attempted four times. The last one is a couple of days after the PR commit is merged to master by Sheraff.
1 parent 632894c commit b42989f

1 file changed

Lines changed: 1 addition & 1 deletion

src/blog/npm-supply-chain-compromise-postmortem.md

@@ -56,7 +56,7 @@ All times UTC. Local timestamps from GitHub API and npm registry.
5656

5757
| Time | Event |
5858
| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
59-
| 2026-05-11 19:15 | Manuel merges PR #7369 (Shkumbin's `CSS.supports` fix) → push to main triggers `release.yml`.<br><br>Workflow run `25613093674` starts (19:15:44), and fails. |
59+
| 2026-05-11 19:15 | Sheraff triggers a workflow run for PR #7369 (Shkumbin's `CSS.supports` fix) → `release.yml` workflow run `25613093674` starts (19:15:44), and fails. |
6060
| 2026-05-11 19:20:39 | npm registry receives publish for `@tanstack/history@1.161.9` and 41 sibling packages (~84 versions across 42 packages, but only ~half show this exact second; the remainder come during run #2). Publish is authenticated via OIDC trusted-publisher binding for `TanStack/router release.yml@refs/heads/main` — but it does not come from the workflow's defined Publish Packages step, which was skipped because tests failed. It comes from the malware running during the test/cleanup phase, which mints an OIDC token via the workflow's `id-token: write` permission and POSTs directly to `registry.npmjs.org` |
6161
| 2026-05-11 19:20:47 | Run `25613093674` completes (status: failure) |
6262
| 2026-05-11 19:16 | Manuel merges PR #7382 (jiti tsconfig paths fix) → second push to main triggers `release.yml` |
