Mini Shai-Hulud Worm Hits TanStack, Mistral AI and UiPath, Compromising 170+ npm and PyPI Packages With 518M Combined Downloads
TeamPCP's May 11 supply-chain attack abused a pull_request_target workflow, GitHub Actions cache poisoning, and OIDC token theft to ship 84 malicious TanStack versions and spread to Mistral AI, UiPath and others.