Fbhchile

2026-05-13 17:39:11

Massive npm and PyPI Supply Chain Attack Hits Mistral AI, TanStack Router, and Dozens of Other Libraries

TeamPCP compromised 170+ npm/PyPI packages in hours, hitting Mistral AI SDK and TanStack Router via exploited GitHub Actions, with worm-like malware stealing credentials.

Breaking: 170+ Packages Compromised in Hours

A sophisticated supply chain attack orchestrated by the TeamPCP threat group has compromised over 170 packages on npm and PyPI within hours on May 11. Widely used libraries including Mistral AI's SDK suite and the entire TanStack Router ecosystem (@tanstack) of 42 packages were hit.

Massive npm and PyPI Supply Chain Attack Hits Mistral AI, TanStack Router, and Dozens of Other Libraries
Source: www.infoworld.com

Analysis found that the attack spread rapidly through both package ecosystems because the automated Mini Shai-Hulud malware platform has worm capabilities. Security vendors including Aikido Security and SafeDep detected the compromise via automated security tools.

Affected Packages

  • TanStack Router (@tanstack) – 42 packages, popular among React developers
  • Mistral AI SDK – compromised on both npm and PyPI
  • Guardrails AI PyPI package
  • @squawk – 87 packages
  • @uipath – 66 packages
  • @tallyui – 30 packages
  • @beproduct – 18 packages

How the Attack Worked

Instead of stealing maintainer credentials directly, the attackers exploited a risky GitHub Actions trigger called pull_request_target. This trigger lets a repository's workflow run automatically on pull requests from third parties, which spares maintainers approval fatigue but exposes the maintainer's short-lived OIDC tokens to scraping.

Armed with these tokens, the attackers injected the malicious Mini Shai-Hulud malware into legitimate release pipelines. The malware then propagated to other projects, creating a worm-like spread across npm and PyPI.

Malware Capabilities

The malware’s primary goal is to steal developer credentials: GitHub and npm tokens, cloud credentials, API keys, Kubernetes service accounts, and SSH keys. It also installs a destructive ‘dead man’s switch’ monitor that attempts to delete the user’s entire home directory if a developer revokes a stolen GitHub token.

“They know that high-profile attacks will be detected quickly by the industry. By targeting specific US working hours, they likely want to maximize their return during a short window,” said Abhisek Datta, founder of SafeDep, one of the first vendors to detect the compromise.


Background: A Pattern of Supply Chain Attacks

TeamPCP has been targeting software supply chains repeatedly in recent months. In April, they compromised the command-line version of the Bitwarden password manager. A month earlier, they hit Aqua Security’s Trivy open-source vulnerability scanner, which later caused a data breach at the EU’s Europa.eu web hub.

The group’s tactics evolve but consistently exploit misconfigurations in CI/CD pipelines and GitHub Actions. The current attack leverages automated malware platforms to maximize spread within a short timeframe.

What This Means

Developers and organizations using any of the affected packages must immediately check for compromised versions and rotate all credentials that may have been exposed. The worm-like nature of the attack means even indirect dependencies could be tainted.

This incident highlights the critical need for stricter GitHub Actions security, especially around pull_request_target triggers. Maintainers should review their CI/CD configurations and consider using read-only tokens with minimal permissions.
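As an added illustration of the misconfiguration described under "How the Attack Worked" and of the CI/CD review recommended above, the following Python script (written for this page, not code from the article or from any vendor named in it) audits a repository's GitHub Actions workflows for pull_request_target triggers combined with privileged settings. The indicator patterns and the sample workflow are constructed assumptions for this example, not configurations taken from the reported attack.

```python
import re
import sys
from pathlib import Path

# Heuristic, regex-based audit of GitHub Actions workflow files (not a YAML
# parser). A workflow is reported only if it is triggered by pull_request_target
# AND shows at least one of the privilege indicators below.
TRIGGER = re.compile(r"\bpull_request_target\b")
INDICATORS = {
    "OIDC token mintable (id-token: write)": re.compile(r"id-token:\s*write"),
    "blanket write permissions": re.compile(r"permissions:\s*write-all"),
    "checks out PR head (fork-controlled code)":
        re.compile(r"github\.event\.pull_request\.head\.(sha|ref)"),
}

def audit_workflow(text: str) -> list[str]:
    """Return the matched indicator descriptions (empty = nothing flagged)."""
    if not TRIGGER.search(text):
        return []
    return [desc for desc, rx in INDICATORS.items() if rx.search(text)]

def audit_repo(root: str) -> dict[str, list[str]]:
    # Walks <root>/.github/workflows and keeps only workflows with findings.
    report = {}
    for path in sorted(Path(root, ".github", "workflows").glob("*.y*ml")):
        findings = audit_workflow(path.read_text(encoding="utf-8"))
        if findings:
            report[path.name] = findings
    return report

# Constructed sample workflow (not from any real project): the risky pattern.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

if __name__ == "__main__":  # usage: python audit_workflows.py <repo-root>
    report = audit_repo(sys.argv[1]) if len(sys.argv) > 1 else {}
    for name, findings in report.items():
        print(f"{name}: {'; '.join(findings)}")
    print("sample:", audit_workflow(RISKY_WORKFLOW))
```

A hit means the workflow can mint an OIDC token or run fork-supplied code under base-repository privileges; the fix the article points to is a pull_request trigger where possible and a permissions block limited to read access.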

The industry must accelerate adoption of automated security scanners and dependency verification tools to detect such attacks before they propagate. As supply chain attacks become more sophisticated, vigilance is no longer optional—it’s essential.