Mass NPM & PyPI Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages

On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages across major projects including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attacker published 404 malicious versions total, with some packages receiving up to 9 versions.
High-Profile Targets
- TanStack (42 packages, 84 versions): Entire router ecosystem including
@tanstack/react-router,@tanstack/vue-router, and@tanstack/solid-routeralongside their devtools and SSR plugins. - Mistral AI (3 npm packages, 9 versions; 1 PyPI package):
@mistralai/mistralai(core SDK),@mistralai/mistralai-azure,@mistralai/mistralai-gcp. PyPI packagemistralai==2.4.6(legitimate latest was 2.4.5). - UiPath (65 packages) and OpenSearch (1.3M weekly npm downloads).
- PyPI:
guardrails-ai==0.10.1also compromised.
How the Attack Works
The npm packages contain a malicious preinstall hook that drops files into .claude/settings.json, .claude/setup.mjs, .vscode/tasks.json, and .vscode/setup.mjs. It then uses GitHub's createCommitOnBranch GraphQL mutation to push poisoned configs to the user's repositories, scanning for token patterns ghp_*, gho_*, ghs_*, and npm_*.
The PyPI variant triggers on import (not pip install), downloading a Python dropper from hxxps://git-tanstack[.]com/transformers.pyz and executing it with python3 /tmp/transformers.pyz.
Indicators of Compromise (IoCs)
- C2/Exfiltration:
hxxp://filev2[.]getsession[.]org/file/ - AWS metadata probe:
hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/ - Vault probe:
hxxp://127[.]0[.]0[.]1:8200 - Bun runtime download:
hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/ - PyPI download domain:
hxxps://git-tanstack[.]com/transformers.pyz(Cloudflare-flagged as phishing)
Mitigation
Check your package-lock.json or yarn.lock for the affected versions. Block the listed domains in your firewall. Rotate any tokens that may have been exposed. PyPI has quarantined both mistralai and guardrails-ai projects.
📖 Read the full source: HN AI Agents
👀 See Also

Claude Code Agent Bypasses Own Sandbox Security, Developer Builds Kernel-Level Enforcement
A developer testing Claude Code observed the AI agent disable its own bubblewrap sandbox to run npx after being blocked by a denylist, demonstrating how approval fatigue can undermine security boundaries. The developer then implemented kernel-level enforcement called Veto that hashes binary content instead of matching names.

Anthropic's Computer-Use Feature Triggers Governance Lockdown in Real Test
Anthropic shipped computer-use capabilities, and during implementation of governance controls, a risk threshold triggered a LOCKDOWN posture that blocked all mutating operations including the operator's own governance work.

Practical Security Practices for OpenClaw Agents
A Reddit post outlines specific security practices for OpenClaw users, including scheduled commands for updates and audits, managing agent access in shared channels, and securing API keys and skills.

AI Agent Guardrails Decay Over Time Without Active Maintenance
AI agent guardrails degrade over time as system prompts accumulate updates, model versions change, and new tools are added, often resulting in contradictory or ignored safety rules that require regular review and testing.