{"data":{"id":"3f7531d6-7be0-451c-aa80-fd29bdaeeeda","title":"TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack","summary":"Over 170 packages in popular NPM and PyPI repositories (code libraries that developers use) were compromised by the hacking group TeamPCP in a coordinated attack, including packages from TanStack, UiPath, and Mistral AI. The malware (malicious software) stole sensitive information like API keys (credentials for accessing services), developer tokens, and cryptocurrency wallets, then tried to spread by using stolen GitHub tokens to publish infected versions of other packages. The attackers used a novel technique called a supply chain attack (compromising the tools and processes used to build and distribute software) by exploiting three security weaknesses in GitHub Actions (automated workflows for building and releasing code) to bypass security checks and make malicious packages appear legitimate.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://www.securityweek.com/tanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack/","publishedAt":"2026-05-12T10:10:33.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain","data_extraction"],"issueType":"news","affectedPackages":null,"affectedVendors":["Mistral"],"affectedVendorsRaw":["TanStack","Mistral AI","UiPath","OpenSearch","Squawk","Guardrails AI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-12T10:10:33.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}