On May 11, a group called TeamPCP launched a coordinated supply chain attack on the npm and PyPI ecosystems. The result: over 170 npm packages and 2 PyPI packages compromised, totaling 404 malicious versions — all published within a five-hour window.
Who’s Affected
The list of compromised packages reads like a who’s who of JavaScript infrastructure: the entire TanStack Router ecosystem (42 packages), Mistral AI’s official SDK suite (both on npm and PyPI), UiPath’s automation tooling (65 packages), OpenSearch, and Guardrails AI.
Particularly concerning: the @mistralai/mistralai package is the official TypeScript client for the Mistral AI platform. Anyone who pulled an update in the last few days could be affected.
How the Attack Works
The attacker replaced legitimate build scripts with a setup.mjs file executed via a preinstall hook. The script downloads the Bun runtime and launches the actual payload — a modular credential-stealing framework with dedicated providers for AWS IAM, HashiCorp Vault, GitHub tokens, npm publish tokens, and GitHub Actions OIDC tokens.
The malware has been dubbed ‘Mini Shai Hulud’ — after the sandworm from Dune. Charming.
What You Should Do
If you’re using any of the affected packages: immediately check which version is installed. The manipulated versions have been removed from npm and PyPI, but if your CI/CD system or local machine cached them, your credentials may already have been exfiltrated. You should proactively rotate GitHub tokens, AWS keys, and npm publish tokens.
My Take
Supply chain attacks on the npm ecosystem aren’t new — but the scale here is both impressive and alarming. 404 malicious versions in five hours speaks to highly automated tooling. The fact that it hit the SDKs of a major AI provider makes it even more concerning: developers building AI applications are clearly an attractive target.
Sources: SecurityWeek · CSO Online · Wiz Blog · Tom’s Hardware