Mass NPM & PyPI Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages

On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages across major projects including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attacker published 404 malicious versions total, with some packages receiving up to 9 versions.
High-Profile Targets
- TanStack (42 packages, 84 versions): the entire router ecosystem, including @tanstack/react-router, @tanstack/vue-router, and @tanstack/solid-router, alongside their devtools and SSR plugins.
- Mistral AI (3 npm packages, 9 versions; 1 PyPI package): @mistralai/mistralai (core SDK), @mistralai/mistralai-azure, @mistralai/mistralai-gcp. PyPI package mistralai==2.4.6 (the legitimate latest was 2.4.5).
- UiPath (65 packages) and OpenSearch (1.3M weekly npm downloads).
- PyPI: guardrails-ai==0.10.1 was also compromised.
How the Attack Works
The npm packages contain a malicious preinstall hook that drops files into .claude/settings.json, .claude/setup.mjs, .vscode/tasks.json, and .vscode/setup.mjs. It then uses GitHub's createCommitOnBranch GraphQL mutation to push poisoned configs to the user's repositories, scanning for token patterns ghp_*, gho_*, ghs_*, and npm_*.
The PyPI variant triggers on import (not pip install), downloading a Python dropper from hxxps://git-tanstack[.]com/transformers.pyz and executing it with python3 /tmp/transformers.pyz.
Indicators of Compromise (IoCs)
- C2/Exfiltration: hxxp://filev2[.]getsession[.]org/file/
- AWS metadata probe: hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/
- Vault probe: hxxp://127[.]0[.]0[.]1:8200
- Bun runtime download: hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/
- PyPI download domain: hxxps://git-tanstack[.]com/transformers.pyz (Cloudflare-flagged as phishing)
Mitigation
Check your package-lock.json or yarn.lock for the affected versions. Block the listed domains in your firewall. Rotate any tokens that may have been exposed. PyPI has quarantined both mistralai and guardrails-ai projects.
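The checks above (lockfile versions, dropped editor configs, install-time hooks) can be scripted. The following is an added example, not code from the article or any of the affected projects: it flags the two PyPI versions named on this page, takes an npm deny-list as a parameter because the summary does not enumerate the 404 malicious npm versions (populate it from the published advisory), lists any installed package that declares a preinstall/install/postinstall script, and reports whether the four dropped file paths exist in a project. The package names `evil-pkg` and `example-lib`, the version `0.0.0-constructed`, and all sample file contents are constructed for the demo.

```python
"""Scan lockfiles and a project tree for the indicators described above."""
import json
import re
import tempfile
from pathlib import Path

# PyPI versions named on the page. npm versions are not listed in the summary,
# so NPM_DENY must be filled from the advisory (left empty here on purpose).
PYPI_DENY = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}
NPM_DENY = {}

# Paths the npm preinstall hook writes into a checkout. Note that
# .vscode/tasks.json and .claude/settings.json can be legitimate, so a hit
# means "review the contents", not "definitely compromised".
DROPPED_FILES = [".claude/settings.json", ".claude/setup.mjs",
                 ".vscode/tasks.json", ".vscode/setup.mjs"]

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def _norm_pypi(name):
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(req_text, deny=PYPI_DENY):
    """Return (name, version) pairs pinned in a requirements file that are deny-listed."""
    hits = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_.\-]+)\s*==\s*([0-9][\w.]*)", line)
        if m and m.group(2) in deny.get(_norm_pypi(m.group(1)), set()):
            hits.append((m.group(1), m.group(2)))
    return hits


def check_package_lock(lock_text, deny=NPM_DENY):
    """Return deny-listed (name, version) pairs from a package-lock.json (v1, v2 or v3)."""
    lock = json.loads(lock_text)
    hits = set()
    # v2/v3: "packages" keyed by path such as node_modules/@scope/name
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project entry
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in deny.get(name, set()):
            hits.add((name, meta["version"]))
    # v1: "dependencies" keyed by package name
    for name, meta in lock.get("dependencies", {}).items():
        if meta.get("version") in deny.get(name, set()):
            hits.add((name, meta["version"]))
    return sorted(hits)


def find_install_hooks(root):
    """List (package, hook, command) for every package.json under root with a lifecycle hook."""
    found = []
    for pj in sorted(Path(root).rglob("package.json")):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        scripts = data.get("scripts") or {}
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                found.append((data.get("name", str(pj)), hook, scripts[hook]))
    return found


def find_dropped_files(project_root):
    """Return which of the dropped file paths exist under project_root."""
    return [p for p in DROPPED_FILES if (Path(project_root) / p).is_file()]


def run_demo():
    """Build a constructed project tree in a temp dir and run all checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "node_modules" / "evil-pkg").mkdir(parents=True)
        (root / "node_modules" / "evil-pkg" / "package.json").write_text(json.dumps(
            {"name": "evil-pkg", "version": "1.0.0",
             "scripts": {"preinstall": "node setup.mjs"}}))  # constructed
        (root / ".vscode").mkdir()
        (root / ".vscode" / "setup.mjs").write_text("// constructed sample\n")
        lock = json.dumps({"lockfileVersion": 3, "packages": {
            "": {"name": "demo", "version": "1.0.0"},
            "node_modules/example-lib": {"version": "0.0.0-constructed"},
            "node_modules/left-pad": {"version": "1.3.0"}}})
        reqs = "mistralai==2.4.6  # constructed pin\nrequests==2.31.0\n"
        return {
            "npm_hits": check_package_lock(lock, {"example-lib": {"0.0.0-constructed"}}),
            "pypi_hits": check_requirements(reqs),
            "hooks": find_install_hooks(root / "node_modules"),
            "dropped": find_dropped_files(root),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it against a real checkout by pointing `find_install_hooks` at `node_modules` and `find_dropped_files` at the repository root; any hook hit is worth reading before the next `npm install`, since this campaign ran entirely from a preinstall script. For PyPI the file-level check is the useful one: because the malicious code fires on import rather than on `pip install`, `pip download mistralai==<version>` followed by inspection of the wheel is safe where `import mistralai` is not.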
📖 Read the full source: HN AI Agents