June 5, 2026
Push, pull, panic
Mantine-datatable (and others) compromised – owner account suspended
Hackers hit a code project, then GitHub locked out the owner and left users fuming
TLDR: A code project was secretly altered with harmful instructions, but the owner was locked out before he could fix it, leaving users at risk if they opened the source files. Commenters are furious at GitHub, saying the real scandal is not just the attack but how slowly and badly the response unfolded.
Open-source drama does not get much messier than this: a popular code project was quietly tampered with, the owner’s account was suspended, and the person forced to break the news was his wife posting a public warning while everyone waited for GitHub to do… well, anything. The scary part is that the bad code was hidden in places many developers would open automatically, meaning people could get burned just by opening the project in common coding apps. The reassuring part: the downloadable package people install normally was not poisoned.
But the real fireworks were in the comments, where the crowd absolutely unloaded on GitHub. One viral summary basically accused the platform of causing the fire and then handcuffing the homeowner. That mood dominated the thread: outrage, disbelief, and a lot of "how is this the response during a security emergency?" energy. Others went from anger to full detective mode, with commenters claiming the hidden program looked like an information thief hunting for account keys and cloud credentials.
Then came the panic-meets-dark-humor phase. One commenter linked it to a broader wave of attacks; another dropped in like a movie hero saying their team was already building an "antiworm" because a customer had been hit. The vibe was equal parts cyber-thriller, support-group meltdown, and "guess we’re all rotating passwords tonight." In short: people aren’t just worried about the hack—they’re furious about the lockout, the delay, and the feeling that users were left to crowdsource their own rescue.
Key Points
- A security notice said unauthorized commits were pushed to mantine-datatable and four other repositories via the github-actions bot.
- The malicious commit used the message `chore: update dependencies [skip ci]` and injected `node .github/setup.js` into multiple files that could auto-trigger in developer tools.
- Users were warned not to open recently pulled repositories in VS Code, Cursor, Claude Code, Gemini, or run `npm test` until the changes are reverted.
- The notice stated that published npm packages were safe and that no malicious package versions had been released.
- The maintainer’s GitHub account was suspended, a support ticket was filed, and the malicious commits were still present nearly 20 hours later because he could not revert them.
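
A read-only check for the indicators listed above, as an added example that is not from the notice or the project: it scans a checkout as plain text for the injected `node .github/setup.js` command and matches the commit subject in `git log` output. Treating the presence of `.github/setup.js` itself as a signal, the skipped directories, the size limit and the `git log` format string are assumptions of this example.

```python
import os
import re

# Indicators taken from the key points above.
INJECTED_CMD = re.compile(r"node\s+\.github/setup\.js")
COMMIT_SUBJECT = "chore: update dependencies [skip ci]"
SKIP_DIRS = {".git", "node_modules"}   # assumption: not part of the tracked source
MAX_BYTES = 2_000_000                  # assumption: skip very large files


def scan_checkout(root):
    """Return (setup_js_present, [(relative_path, line_no, line), ...]).

    Files are only read as text; nothing in the checkout is executed.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    for no, line in enumerate(fh, 1):
                        if INJECTED_CMD.search(line):
                            rel = os.path.relpath(path, root)
                            hits.append((rel, no, line.strip()))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    # Assumption: the injected command's target lives at this path.
    setup_js = os.path.isfile(os.path.join(root, ".github", "setup.js"))
    return setup_js, sorted(hits)


def suspicious_commits(log_text):
    """Parse output of: git log --format='%H%x09%an%x09%s'

    Returns (hash, author) for every commit whose subject matches the notice.
    """
    found = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3 and parts[2].strip() == COMMIT_SUBJECT:
            found.append((parts[0], parts[1]))
    return found
```

Run it from a plain terminal against the checkout path, before the folder is opened in any editor or agent tool.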