TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack
Summary
Over 170 packages in the popular NPM and PyPI repositories (code libraries that developers use) were compromised by the hacking group TeamPCP in a coordinated attack, including packages from TanStack, UiPath, and Mistral AI. The malware (malicious software) stole sensitive information such as API keys (credentials for accessing services), developer tokens, and cryptocurrency wallets, then tried to spread by using stolen GitHub tokens to publish infected versions of other packages. The attackers used a novel technique in this supply chain attack (compromising the tools and processes used to build and distribute software), exploiting three security weaknesses in GitHub Actions (automated workflows for building and releasing code) to bypass security checks and make malicious packages appear legitimate.
Original source: https://www.securityweek.com/tanstack-mistral-ai-uipath-hit-in-fresh-supply-chain-attack/
First tracked: May 12, 2026 at 08:00 AM
Classified by LLM (prompt v3) · confidence: 95%