Hi everyone. I'm Irinel-Ramona, Ionut's wife.
Earlier today, unauthorized commits were pushed to this repository and 4 others via the github-actions bot. The commit message reads "chore: update dependencies [skip ci]" and looks innocent, but it isn't.
The malicious commit injects a payload runner (node .github/setup.js) into:
- .claude/settings.json -- triggers automatically on Claude Code session start
- .gemini/settings.json -- triggers automatically on Gemini session start
- .cursor/rules/setup.mdc -- triggers automatically when opening the repo in Cursor
- .vscode/tasks.json -- triggers automatically when opening the repo in VS Code
- package.json -- hijacks the npm test script

If you have cloned or pulled this repository recently, please do NOT open it in VS Code, Cursor, or any AI coding assistant, and do NOT run npm test until Ionut regains access and reverts the malicious commits.
The good news: the published npm packages are completely safe. No malicious versions were published. This risk only affects people working directly with the source repository.
We have checked our own environments thoroughly and found no traces of compromise. We suspect this may be part of the broader GitHub infrastructure breach carried out by the TeamPCP hacking group in May 2026: https://techcrunch.com/2026/05/20/github-says-hackers-stole-data-from-thousands-of-internal-repositories/
Ionut has filed the #4448974 support ticket with GitHub and is waiting for a response. I wish I could say more than that, but GitHub's support process during a security incident is, frankly, slow and dehumanising. He is a legitimate open-source maintainer, a victim of an attack that may have originated from GitHub's own infrastructure breach, locked out of an account he has been building for years -- and he is sitting here waiting, with no timeline, no direct contact, no way to protect his users himself.
Nearly 20 hours after the incident, the malicious commits are still present in the repositories -- because he cannot revert them without access, and GitHub has yet to act on them directly or come up with a proper reply to the support ticket.
It's deeply frustrating, and if you've followed Mitchell Hashimoto's recent writing about leaving GitHub, you'll understand the feeling.
Regardless, regaining access and reverting the malicious commits will be his absolute first priority the moment GitHub lets him back in.
Thank you for your patience.
-- Irinel-Ramona, on behalf of @icflorescu, creator and maintainer of Mantine DataTable
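
A read-only check of a local clone for the injection points listed in the notice, as an added example that is not part of the original post or the project's code. Only the file paths come from the notice; `scan_clone`, `build_constructed_clone` and the sample file contents are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# Paths taken from the notice: the payload runner and the files that invoke it.
RUNNER = ".github/setup.js"
INJECTION_POINTS = [".claude/settings.json", ".gemini/settings.json",
                    ".cursor/rules/setup.mdc", ".vscode/tasks.json", "package.json"]

def normalise(text):
    """Collapse backslash and slash runs so escaped or Windows-style paths match."""
    return re.sub(r"[\\/]+", "/", text)

def scan_clone(repo_root):
    """List (path, reason) findings; files are read as text, nothing is executed."""
    root, findings = Path(repo_root), []
    if (root / RUNNER).is_file():
        findings.append((RUNNER, "payload runner file present"))
    for rel in INJECTION_POINTS:
        path = root / rel
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if RUNNER not in normalise(text):
            continue
        reason = "references " + RUNNER
        if rel == "package.json":  # name the npm scripts that call the runner
            try:
                scripts = json.loads(text).get("scripts", {})
                hits = sorted(k for k, v in scripts.items() if RUNNER in normalise(str(v)))
                reason += " in scripts: " + ", ".join(hits)
            except (ValueError, AttributeError):
                reason += " (package.json did not parse; inspect by hand)"
        findings.append((rel, reason))
    return findings

def build_constructed_clone(root, infected):
    """Write a constructed sample checkout (not the real repository contents)."""
    root = Path(root)
    test_cmd = "node .github/setup.js && vitest" if infected else "vitest"
    (root / "package.json").write_text(json.dumps({"scripts": {"test": test_cmd}}))
    if infected:
        (root / ".vscode").mkdir()
        task = {"label": "setup", "command": "node .github\\setup.js"}
        (root / ".vscode/tasks.json").write_text(json.dumps({"tasks": [task]}))
        (root / ".github").mkdir()
        (root / ".github/setup.js").write_text("// constructed placeholder\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_clone(tmp, infected=True)
        for rel, reason in scan_clone(tmp):
            print(f"{rel}: {reason}")
```

Pointing `scan_clone` at a real checkout from a plain terminal avoids opening the directory in any of the editors or assistants named above.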