Mistral AI SDK, TanStack Router hit in npm software supply chain attack
Summary
TeamPCP compromised 170 npm (Node Package Manager, a repository where JavaScript developers share code) and PyPI (Python Package Index, the equivalent for Python) packages in May 2024, including popular libraries like TanStack Router and Mistral AI's SDK. The attackers exploited weak GitHub Actions configurations (automated tools that run code during development) to inject malware called Mini Shai-Hulud that steals developer credentials like tokens (digital keys that prove identity) and API keys, and can destructively delete files if stolen credentials are revoked.
Solution / Mitigation
According to SafeDep, recommended actions are to check the lockfile (a file listing exact package versions used) for known compromised versions, pin dependencies to known good versions, and check for evidence of malware files. If an infected version is suspected, credentials in use at the time of import should be rotated (replaced with new ones).
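To make the lockfile step concrete, here is an added example (not from the article, SafeDep, or either affected project) that walks an npm package-lock.json in both the v1 and v2/v3 layouts and reports every package pinned at a version on a known-bad list; the package names and versions in it are constructed placeholders, and the real indicators must come from the advisory.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed placeholder indicators. Replace with the compromised
# name/version pairs published for the actual incident.
COMPROMISED: Dict[str, Set[str]] = {
    "@example-org/router-core": {"1.2.3"},
    "example-ai-sdk": {"4.5.6", "4.5.7"},
}


def lockfile_packages(lock: dict) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from a parsed package-lock.json.

    lockfileVersion 2/3 list packages under "packages", keyed by their
    node_modules path; lockfileVersion 1 (and v2 for compatibility) nest
    them under "dependencies". Both are read, so v2 files are covered
    either way; duplicates are removed by the caller.
    """
    found: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        name = path.split("node_modules/")[-1]  # keeps scoped names intact
        if "version" in meta:
            found.append((name, meta["version"]))

    def walk(deps: dict) -> None:
        for name, meta in deps.items():
            if "version" in meta:
                found.append((name, meta["version"]))
            walk(meta.get("dependencies", {}))  # nested (deduped) copies

    walk(lock.get("dependencies", {}))
    return found


def find_compromised(lock_text: str, bad=COMPROMISED) -> List[Tuple[str, str]]:
    """Parse lockfile text and return sorted (name, version) hits."""
    lock = json.loads(lock_text)
    hits = {(n, v) for n, v in lockfile_packages(lock) if v in bad.get(n, ())}
    return sorted(hits)


# Constructed sample lockfile: one direct hit and one nested hit.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@example-org/router-core": {"version": "1.2.3"},
        "node_modules/example-ai-sdk": {"version": "4.5.8"},
        "node_modules/left-pad/node_modules/example-ai-sdk": {"version": "4.5.6"},
    },
})

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED: {name}@{version}")
```

A hit means the listed version was installed at some point, so the credential rotation described above applies even after the lockfile is repinned.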
Original source: https://www.csoonline.com/article/4170284/mistral-ai-sdk-tanstack-router-hit-in-npm-software-supply-chain-attack.html
First tracked: May 12, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 92%