Over 170 Software Packages Hit in Coordinated Supply Chain Attack Targeting TanStack, Mistral AI

A massive, coordinated supply chain attack compromised more than 170 software packages on the npm and PyPI open-source registries on May 11, 2026, injecting credential-stealing malware into widely used developer tools. The attack, attributed to the threat actor group TeamPCP, targeted the entire ecosystems of popular projects including TanStack, UiPath, and Mistral AI, publishing hundreds of malicious versions in a matter of hours. The campaign, dubbed “Mini Shai-Hulud,” represents one of the largest and most sophisticated registry poisoning events of the year, according to security researchers. Unlike previous attacks that focused on a single high-value target, this operation cast a wide net across web development frameworks, enterprise automation software, and artificial intelligence toolkits, indicating an attempt to compromise the broadest possible developer population. Security firm SafeDep reported that 404 malicious package versions were published in a coordinated burst. In our experience, many business owners view software security as a purely technical issue for their IT department. This is a dangerous misconception. The 'Mini Shai-Hulud' attack shows how a vulnerability in a common developer tool can become a direct threat to a company's financial stability and operational continuity. When attackers can steal credentials from core business systems or even password managers, the risk escalates from a data problem to a potential company-ending event. For small and mid-sized businesses, the cost of remediation, reputational damage, and potential regulatory fines can be devastating. This is why a proactive approach to financial risk management must include a thorough assessment of technology and supply chain dependencies. C&S Finance Group LLC helps clients build resilience by identifying and mitigating these hidden operational risks before they become financial catastrophes. Business owners can learn more about our approach at csfinancegroup.com. The attack was first flagged by automated malware detection systems on the night of May 11. Researchers quickly identified that the attackers had compromised publishing credentials for numerous high-profile projects. According to a report from CSO Online, the threat actors exploited a combination of maintainer misconfigurations and weaknesses in GitHub Actions, a popular automation platform used for software development and deployment. This allowed them to publish malicious updates that, in some cases, were indistinguishable from legitimate ones by abusing provenance attestation features, as noted by security firm Snyk. The malware payload is a modular credential stealer designed to execute on Linux systems. Its capabilities are extensive, harvesting a wide range of sensitive information. For the first time in a major supply chain attack, the malware specifically targets password managers, including 1Password and Bitwarden, in an attempt to gain widespread access to a developer’s sensitive accounts. The malware also possesses worm-like capabilities, enabling it to self-propagate through the software ecosystem, and a destructive component. On systems with Israeli or Iranian language locales, the payload attempts to delete all files in the user's home directory while playing an audio file at maximum volume. The scope of the compromise is extensive. The entire TanStack Router ecosystem, which includes 42 packages with millions of weekly downloads used in popular web applications, was affected. Other major targets included 65 packages from UiPath, a provider of enterprise automation software, and the full software development kit (SDK) suite for Mistral AI, a prominent artificial intelligence company, across both the npm and PyPI registries. The attack also hit the OpenSearch JavaScript client, the Guardrails AI package, and dozens of packages under namespaces like @squawk and @tallyui. In total, security firm Orca Security identified 373 malicious package-version entries across 169 npm package names and two PyPI packages. This incident marks a significant escalation in the tactics used by supply chain attackers. While a high-profile compromise of the `axios` package in March 2026 targeted a single, widely used library, the May 11 attack demonstrates a new level of coordination and scale. By compromising entire organizational scopes at once and simultaneously targeting both the JavaScript (npm) and Python (PyPI) communities, the attackers maximized their potential reach into development teams across nearly every industry. The investigation into the full impact of the attack and the precise methods used to obtain publishing credentials is still ongoing. The affected project maintainers, in coordination with security teams at npm and PyPI, have been working to remove the malicious packages and alert users. However, any developer or organization that downloaded or updated the compromised packages during the attack window is urged to take immediate mitigation steps, including rotating all credentials and scanning systems for indicators of compromise. Moving forward, the incident is expected to trigger more stringent security measures from open-source package registries and place greater pressure on organizations to implement robust software supply chain security practices. Businesses that rely on open-source software are now faced with the urgent need to verify the integrity of their dependencies and manage the inherent risks of a deeply interconnected digital ecosystem.