Hundreds of open-source packages, including TanStack and Mistral, compromised in fresh wave of supply chain attacks

Hundreds of malicious packages are being flagged in NPM and PYPI repositories, including those from TanStack and Mistral, which are hugely popular. A broad hacking campaign is targeting millions of developers: malware steals credentials and wipes all data when it’s done.
A massive compromise is once again shaking the foundations of open-source software. Hackers have injected malware into hundreds of packages on NPM (Node Package Manager), the world’s largest open source code repository for the JavaScript programming language.
Between 19:20 and 19:26 UTC on Monday, the attacker published 84 malicious versions across 42 TanStack packages, an open-source application stack.
TanStack’s packages are massively popular among developers building web apps: query-core has nearly 220 million monthly downloads on NPM, followed by “react-query” with 212 million downloads and virtual-core with nearly 60 million downloads.
Developers who pulled any of the malicious packages would have their credentials stolen, and the malware would then self-propagate to other packages maintained by the victim.
Moreover, once the victims realize they’ve been compromised and attempt to rotate stolen tokens, the malware runs a command to wipe the entire root directory (top-level folder).
“Please be careful when revoking tokens. It looks like the payload installs a dead-man's switch,” one of the developers warned on GitHub.
“It polls api.github.com/user with the stolen token every 60s, and if the token is revoked (HTTP 40x), it runs rm -rf ~/.”
And these NPM packages are just the tip of the iceberg. At the time of writing, Socket Security, a cybersecurity firm, has already flagged 416 total packages in the ongoing supply chain attack.
The malware was found in PYPI and NPM packages released by Mistral AI, a French AI company. The attack has also since spread to OpenSearch, Guardrails AI, Squawk, and many other packages.
Other security teams also list hundreds of packages, and the full blast radius of the ongoing attack remains unclear.
“Nah, I’m just not gonna run npm install anymore,” posted Ed Woodruff, a cybersecurity engineer and a popular YouTube creator known as Low Level.
The compromise was identified in minutes
External researchers were the first to detect malware in TanStack packages.
Ashish Kurmi, Co-founder and CTO at StepSecurity, detected and reported the compromise to TanStack “within 20 minutes,” and Socket called just moments after, according to the postmortem.
This helped to limit the impact of the incident – the maintainers quickly deprecated all affected packages.
Who’s behind the attacks?
StepSecurity, which first reported the compromise to TanStack’s team, attributes the supply chain attack to TeamPCP, a financially motivated threat group that rose to prominence in late 2025. It was behind other worm-driven, self-replicating malware attacks targeting major open-source ecosystems, exposing Docker APIs, Kubernetes clusters, and CI/CD pipelines.
These hackers compromised major open-source security vendors (Trivy, Aqua Security, and Checkmarx) and major libraries used by millions of developers, such as LiteLLM.
The attackers consistently use the Dune-universe theme, and their worm is dubbed “Mini Shai-Hulud.” This malware first appeared two weeks ago and targeted SAP packages. This is the fourth Shai-Hulud-themed campaign since last year.
The attackers got in by first forking one of the TanStack repositories on GitHub, then submitting a malicious commit using a fabricated identity. This automatically triggered TanStack’s GitHub Actions workflow – an automated process that compiles and tests code before publishing.
TeamPCP exploited this misconfigured privileged workflow to poison the cache with malicious dependencies and trick the system into running their code. When the workflow ran malicious code, the attackers gained access to temporary publishing tokens, which were abused to publish fake npm packages with credential-stealing malware.
What is the malware capable of?
“Mini Shai-Hulud is a true worm: after stealing credentials from one CI/CD pipeline, it enumerates every package that the maintainer controls and publishes infected versions of each,” StepSecurity warned.
The obfuscated payload is just 2.3 megabytes. It reads GitHub Actions (an automation tool for testing code) runner process memory to extract every secret.
The malware also checks 100 hardcoded paths and steals credentials from them, including cloud providers, SSH and Git, cryptocurrency wallets, AI tools, VPN configs, shell history, and messaging apps.
The malware maintains persistence by embedding itself into popular developer tools, such as Claude Code and VS Code, as well as core system processes that run automatically after a reboot.
“When a developer or CI environment runs npm install, pnpm install, or yarn install against any affected version, npm resolves the malicious optionalDependencies entry, fetches the orphan payload commit from the fork network, runs its prepare lifecycle script, and executes a ~2.3MB obfuscated router_init.js smuggled into the affected tarball,” TanStack’s postmortem reads.
The malware also contains a ransom string warning the victim that if they revoke the newly created NPM token, it will trigger a computer wipe routine. The researchers warn against revoking npm tokens before isolating the affected machine.
How to protect yourself?
Follow security advisories for guidance on searching for affected namespaces and packages. Reports have already been released by multiple cybersecurity teams, including Step Security, Socket Security, Aikido, Snyk, and others.
“If any of the affected packages ran in your environment, treat the machine or runner as exposed until secrets are rotated and recent publish activity has been reviewed,” Aikido warns.
Recommended actions include rotating all secrets immediately, including npm publish tokens and OIDC federation grants, GitHub PATs and fine-grained personal access tokens, AWS and other cloud credentials, HashiCorp Vault tokens, Kubernetes service account tokens, SSH private keys, and many more.
“Uninstall is not enough,” Snyk writes.
“The worm writes copies of itself into developer tooling directories to survive across npm uninstall and reboots.”
Defenders also recommend reviewing recent package releases and GitHub Actions activity.
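The install chain quoted from TanStack's postmortem, an optionalDependencies entry that makes npm fetch a commit instead of a registry version and run its prepare script, leaves a trace in package-lock.json. The check below is an added example, not code from TanStack or any vendor quoted in this article; it assumes a lockfileVersion 2 or 3 file, and every package name and the all-zero commit id in the sample are constructed.

```javascript
// Added example: audits a parsed package-lock.json (lockfileVersion 2 or 3).
// Dependency specs that npm fetches from a git host or URL, not the registry.
const NON_REGISTRY_SPEC =
  /^(git[+:@]|github:|gitlab:|bitbucket:|https?:\/\/|[\w.-]+\/[\w.-]+(#|$))/i;

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const where = path || "(root project)";
    // 1. An optionalDependencies entry pinned to a git ref or URL.
    for (const [dep, spec] of Object.entries(entry.optionalDependencies || {})) {
      if (NON_REGISTRY_SPEC.test(spec)) {
        findings.push({ path: where, dep, spec, reason: "optional dependency fetched outside the registry" });
      }
    }
    // 2. A package installed from a git commit: npm runs that package's
    //    `prepare` lifecycle script while fetching it.
    if (/^git[+:]/i.test(entry.resolved || "")) {
      findings.push({ path: where, dep: path.split("node_modules/").pop(), spec: entry.resolved, reason: "resolved from a git commit" });
    }
  }
  return findings;
}

// Constructed sample lockfile: all names and the commit id are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "example-lib": "^1.0.0" } },
    "node_modules/example-lib": {
      version: "1.0.1",
      resolved: "https://registry.npmjs.org/example-lib/-/example-lib-1.0.1.tgz",
      optionalDependencies: { "example-helper": "github:example-user/example-fork#0000000" },
    },
    "node_modules/example-helper": {
      version: "0.0.1", optional: true,
      resolved: "git+ssh://git@github.com/example-user/example-fork.git#0000000000000000000000000000000000000000",
    },
    "node_modules/clean-lib": { version: "2.3.4", optionalDependencies: { fsevents: "~2.3.2" } },
  },
};

// CLI use: node audit-lock.js path/to/package-lock.json (falls back to the sample).
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("node:fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) console.log(`${f.path}: ${f.dep} -> ${f.reason} (${f.spec})`);
}
```

A hit is a lead to compare against the vendor advisories rather than proof of compromise, since some projects pin git dependencies on purpose. The lockfile does not show tarball contents, so it cannot confirm whether a file such as router_init.js was shipped.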