A recent supply chain attack on TanStack has prompted the team to reconsider its open-contribution model, with a potential shift towards invitation-only pull requests. The breach exploited a weakness in how GitHub Actions workflows were configured, leveraging the Shai-Hulud worm to extract secrets from memory. Specifically, the attack began with a malicious pull request that triggered an automatic workflow via TanStack's use of the pull_request_target event, ultimately poisoning a dependency. In response, the TanStack team is weighing security measures, including restricted access to pull requests, to prevent similar incidents. This move could have significant implications for the open-source community, as it may set a precedent for other projects to adopt more restrictive contribution models. The attack's success highlights the evolving nature of supply chain attacks, particularly in the DeFi space, so practitioners should be prepared for potential downstream regulatory and supply-chain effects.
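As an added illustration, not TanStack's actual workflow: a constructed pull_request_target job that makes repository secrets reachable from code in an untrusted pull request, followed by a hardened version of the same job. The workflow names and the NPM_TOKEN secret are assumed for the example.

```yaml
# Constructed example (not TanStack's real configuration).
# pull_request_target runs in the context of the base repository, so repository
# secrets are available; checking out the PR head and running its install
# scripts hands those secrets to whatever code the PR author pushed.
name: ci-unsafe
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # untrusted code
      - run: npm ci                                        # runs PR-controlled lifecycle scripts
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}             # now exposed to that code
---
# Hardened version: plain pull_request gives forked PRs a read-only GITHUB_TOKEN
# and no repository secrets, and untrusted lifecycle scripts are not executed.
# If pull_request_target is genuinely needed (e.g. to label PRs), keep that job
# separate and never check out or execute the PR head in it.
name: ci-safe
on:
  pull_request:
permissions:
  contents: read            # least privilege for the token the job receives
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # checks out the PR merge ref by default
      - run: npm ci --ignore-scripts   # skip install scripts from the untrusted tree
      - run: npm test
```

Reviewing existing workflows for `pull_request_target` combined with a checkout of `github.event.pull_request.head.*` is a quick way to find jobs with the unsafe shape.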