Bad Dependencies Podcast

Shai-Hulud is Back: TanStack & Mistral AI Breach by TeamPCP Mini Worm



In this episode of Bad Dependencies, we dive into the "wormy" chaos of the latest supply chain attack hitting the JavaScript ecosystem. Join researcher Charlie Eriksen as he breaks down how the threat actor group TeamPCP compromised the widely used TanStack ecosystem and successfully pivoted into Mistral AI. We explore the technical "perfection" of this attack: a lethal combination of pull_request_target misconfigurations, GitHub Actions cache poisoning, and OIDC signature abuse. Charlie also sheds light on a terrifying new trend: the attackers have open-sourced their worm, complete with a "dead man's switch" designed to wipe infected machines if credentials are revoked.


Bad Dependencies Podcast, by Mackenzie Jackson