Mass Supply Chain Attack Hits TanStack, Mistral AI npm and PyPI Packages
Over 400 compromised npm package versions and at least 2 PyPI packages published in a coordinated supply chain attack targeting TanStack, Mistral AI, UiPath, OpenSearch, guardrails-ai, and dozens of…
Read the full articleYou might also wanna read

TanStack Npm Packages Compromised Inside The Mini Shai Hulud Supply Chain Attack
On May 11, 2026, the Mini Shai-Hulud worm compromised 84 npm package artifacts across 42 @tanstack/* packages (as well as @squawk/*, @mistra
TanStack npm Worm Hit OpenAI and Mistral
The Mini Shai-Hulud worm compromised 169 npm packages including TanStack and Mistral AI SDK, hitting OpenAI employee devices. What AI engine
317 npm Packages Compromised in Mini Shai-Hulud Supply Chain Attack
A compromised npm maintainer account published 637 malicious versions across 317 packages including size-sensor, echarts-for-react, timeago.
PyPI Supply Chain Attacks Expand: New Malicious Packages Target Bioinformatics and MCP Developers
Newer packages in this compromise use native extensions and .pth loaders to execute JavaScript stealers in developer environments.
TeamPCP supply chain attack hits TanStack
TeamPCP extends their slew of supply chain attacks with Mini Shai-Hulud, publishing malicious npm packages through TanStack.
TeamPCP Supply Chain Attack: The npm Worm That Hit GitHub, OpenAI, and Mistral AI
Between May 11 and May 19, 2026, a threat actor called TeamPCP poisoned 170+ npm/PyPI packages, hijacked a VS Code extension with 2.2M insta

Comments
Sign in to join the conversation.
No comments yet. Be the first.