Mass npm Supply Chain Attack Targets 170+ Packages Including TanStack
Original: Mass npm Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages
Why This Matters
Largest coordinated package registry attack spanning npm and PyPI ecosystems
A coordinated supply chain attack on May 11, 2026 compromised over 170 npm packages and 2 PyPI packages, totaling 404 malicious versions. The attack targeted the TanStack router ecosystem, the Mistral AI SDK, UiPath automation tools, and OpenSearch.
The attack, tracked as 'mini-shai-hulud' by StepSecurity and Socket, represents one of the largest coordinated registry poisoning events in 2026 and the first to span both npm and PyPI. Key affected packages include @tanstack/react-router (3M+ weekly downloads), the @mistralai/mistralai JavaScript SDK, @opensearch-project/opensearch (1.3M weekly downloads), and the @uipath/robot enterprise automation runtime. The campaign also compromised mistralai==2.4.6 and guardrails-ai==0.10.1 on PyPI; both projects are now quarantined. The PyPI packages used a different payload delivery mechanism from the npm packages, with Python droppers downloading transformers.pyz from attacker-controlled infrastructure.
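A defender's first question is whether any of these versions are pinned in a repository. The script below is an added example, not code from the original article or from the affected projects: it scans a requirements.txt for the two PyPI versions named above and a package-lock.json for the npm packages named above. Because the article gives no npm version numbers, npm entries are flagged by name for manual review rather than treated as confirmed malicious; the sample inputs are constructed.

```python
import json
import re

# Pinned PyPI versions named in the article as compromised.
PYPI_BAD = {("mistralai", "2.4.6"), ("guardrails-ai", "0.10.1")}
# npm packages named in the article; no versions are given, so match by name only.
NPM_NAMED = {"@tanstack/react-router", "@mistralai/mistralai",
             "@opensearch-project/opensearch", "@uipath/robot"}

def _norm(name):
    # PEP 503 normalisation: case-insensitive, runs of "-", "_" and "." collapse to "-".
    return re.sub(r"[-_.]+", "-", name).lower()

def check_requirements(text):
    """Return (name, version) pins from requirements.txt text that match PYPI_BAD."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][\w.]*)", line)
        if m and (_norm(m.group(1)), m.group(2)) in PYPI_BAD:
            hits.append((_norm(m.group(1)), m.group(2)))
    return hits

def check_package_lock(text):
    """Return (name, version) lockfile entries whose package name is in NPM_NAMED."""
    lock = json.loads(text)
    found = []
    if "packages" in lock:                              # lockfileVersion 2/3 layout
        for path, meta in lock["packages"].items():
            name = meta.get("name") or path.split("node_modules/")[-1]
            if path and name in NPM_NAMED:              # skip the "" root entry
                found.append((name, meta.get("version")))
    else:                                               # lockfileVersion 1 layout
        for name, meta in lock.get("dependencies", {}).items():
            if name in NPM_NAMED:
                found.append((name, meta.get("version")))
    return found

# Constructed sample inputs (not real project files).
REQ_SAMPLE = "# constructed\nrequests==2.32.0\nmistralai==2.4.6\nGuardrails_AI == 0.10.1\n"
LOCK_SAMPLE = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/react": {"version": "19.0.0"},
    "node_modules/@tanstack/react-router": {"version": "1.2.3"}}})

if __name__ == "__main__":
    print("PyPI matches:", check_requirements(REQ_SAMPLE))
    print("npm packages to review:", check_package_lock(LOCK_SAMPLE))
```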