{"data":{"id":"5ff5475c-65ee-49fe-9d46-9cdf72e174c3","title":"Mistral AI SDK, TanStack Router hit in npm software supply chain attack","summary":"TeamPCP compromised 170 npm (Node Package Manager, a repository where JavaScript developers share code) and PyPI (Python Package Index, the equivalent for Python) packages in May 2024, including popular libraries like TanStack Router and Mistral AI's SDK. The attackers exploited weak GitHub Actions configurations (automated tools that run code during development) to inject malware called Mini Shai-Hulud that steals developer credentials like tokens (digital keys that prove identity) and API keys, and can destructively delete files if stolen credentials are revoked.","solution":"According to SafeDep, recommended actions are to check the lockfile (a file listing exact package versions used) for known compromised versions, pin dependencies to known good versions, and check for evidence of malware files. If an infected version is suspected, credentials in use at the time of import should be rotated (replaced with new ones). Because the malware reportedly deletes files when stolen credentials are revoked, isolate the affected machine and back up its data before rotating.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4170284/mistral-ai-sdk-tanstack-router-hit-in-npm-software-supply-chain-attack.html","publishedAt":"2026-05-12T17:14:47.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":["Mistral"],"affectedVendorsRaw":["Mistral AI","TanStack Router","Guardrails AI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-12T17:14:47.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"advanced","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}