A coordinated supply-chain campaign in May 2026—dubbed Mini Shai‑Hulud—compromised hundreds of package releases across npm and PyPI, hitting high-profile orgs like TanStack, Mistral AI and UiPath. Attackers abused GitHub Actions patterns (pull_request_target), cache poisoning and OIDC token exposure to insert install-time malware that harvests cloud, CI and developer secrets, persists on hosts, and self‑propagates. Registries quarantined tainted packages and maintainers deprecated malicious releases, but the incident exposes systemic gaps: CI trust boundaries, provenance assumptions, registry vetting and secret hygiene. The wave of incidents and outages is accelerating calls for stronger workflow isolation, immutable artifact digests, install‑time protections and faster registry response.
Supply-chain compromises are undermining trust in developer tooling and repositories, creating direct risks to CI/CD pipelines and cloud credentials. Tech professionals must reassess dependency hygiene, pipeline safeguards, and incident readiness to limit blast radius.
Dossier last updated: 2026-05-12 19:07:59
Submitted by /u/CircumspectCapybara. Link: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem | Comments: https://www.reddit.com/r/programming/comments/1tblknw/postmortem_tanstack_npm_supplychain_compromise/
A coordinated supply-chain attack on May 11–12, 2026 injected malicious code into more than 170 npm packages and two PyPI packages, producing 404 poisoned releases and targeting entire org scopes including TanStack, Mistral AI, UiPath, TallyUI and OpenSearch. The campaign compromised all packages under @tanstack (42 packages), @uipath (65), Mistral’s JS/TS SDK and its Python client, plus Guardrails AI on PyPI; PyPI projects were quarantined. Payloads exfiltrate data, probe cloud metadata and Vault endpoints, and fetch additional code from attacker-controlled domains (notably git-tanstack[.]com). The attack is notable for scale and for spanning npm and PyPI in one campaign, highlighting registry security gaps and the need for install-time protections, stronger repo token hygiene, and faster registry quarantines.
Security teams are responding to a fast-moving supply-chain worm that poisoned 172 npm and PyPI packages starting May 11, delivering a persistence-capable loader that harvests extensive secrets (AWS keys, SSH keys, npm tokens, GitHub PATs, Vault tokens, Kubernetes service accounts, Docker creds, password managers including 1Password/Bitwarden, AI agent configs) and survives package removal via project-file and system daemon persistence. The Mini Shai-Hulud campaign produced 403 malicious versions; high-profile packages like @tanstack/react-router (12.7M weekly downloads) were affected. Attackers abused GitHub Actions/OIDC provenance, cache poisoning, and fork-based commits to obtain valid SLSA Level 3-signed artifacts (CVE-2026-45321, CVSS 9.6). The worm also spread into PyPI (mistralai package) and reads CI memory (/proc/pid/mem). This demonstrates gaps in CI trust scopes, provenance assumptions, and cross-ecosystem mitigations.
RubyGems Under Attack
Malicious versions of multiple TanStack npm packages were published in a supply-chain attack that executed payloads during installation, potentially exfiltrating developer and CI secrets. The incident affected the @tanstack/* package namespace on npm; attackers reportedly pushed compromised releases that run code at install time, putting credentials and environment variables on local developer machines and continuous-integration runners at risk. This matters because package installs are a common vector for supply-chain compromise, and leaked secrets can enable wider account and infrastructure takeover. Maintainers and dependent projects should audit install scripts, rotate any exposed secrets, and update or revert to verified clean package versions.
Etiido Uko / Tom's Hardware : Microsoft says it is investigating a Mistral AI PyPI package v2.4.6 compromise; the attack is likely part of the Mini Shai-Hulud supply chain attack — The malware reportedly refused to run on Russian-language systems but could execute a destructive payload under certain geographic conditions.
On May 11, 2026, an attacker published 84 malicious npm versions across 42 @tanstack/* packages by exploiting a pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across fork↔base trust boundaries, and extracting an OIDC token from the Actions runner. The malicious packages ran an obfuscated router_init.js during npm/yarn/pnpm install that harvested cloud, GitHub, npm, Vault, SSH and other credentials, exfiltrated via the Session/Oxen file-upload network, and self-propagated by republishing other maintainer packages. No npm publish credentials were found stolen and the npm publish workflow itself appears uncompromised. External researcher ashishkurmi/stepsecurity detected the packages within 20 minutes; all affected versions are deprecated and npm security is removing tarballs. Users who installed on May 11 should assume host compromise and rotate reachable secrets.
TanStack disclosed a May 11, 2026 supply-chain attack that published 84 malicious versions across 42 @tanstack/* npm packages in a ~6-minute window. The attacker combined a pull_request_target “Pwn Request” pattern, GitHub Actions cache poisoning across fork↔base trust boundaries, and runtime memory extraction of an OIDC token from the Actions runner to get code into published packages; npm publish itself and npm tokens appear uncompromised. An external researcher flagged the packages within 20 minutes; all malicious releases have been deprecated and npm is removing tarballs. The payload ran during npm install, harvesting AWS/GCP/Kubernetes/Vault/npm/GitHub/SSH credentials, exfiltrating via the Session/Oxen file network, and self-propagating by republishing packages. Users who installed packages on 2026-05-11 should treat hosts as compromised and rotate secrets.
A coordinated supply-chain attack on May 11, 2026 injected malicious versions into more than 170 npm packages and two PyPI packages, producing 404 hostile releases that hit major ecosystems including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attacker compromised entire package scopes (@tanstack, @uipath, @squawk, @tallyui, etc.), used GitHub API abuse to push poisoned commits, and embedded C2/exfiltration hooks and runtime downloaders. PyPI malware used a Python dropper that fetched transformers.pyz from an attacker-controlled domain (git-tanstack[.]com); PyPI quarantined the affected projects. This is notable for its scale, cross-registry reach, and focus on organization-wide scope compromise, raising urgent supply-chain and dev-tooling security concerns for developers, CI/CD pipelines, and downstream consumers.
The article explains the shift from DevOps to DevSecOps, arguing modern software delivery must balance speed with integrated security. It outlines DevOps principles—CI, CD, IaC, and monitoring—and lists common tools like GitHub Actions, Jenkins, Terraform, Datadog, and Grafana. DevSecOps is defined as embedding security throughout the pipeline (scan → test → secure → deploy → monitor) so vulnerabilities are caught early. The piece highlights contemporary threats — supply-chain attacks, secret leaks, vulnerable containers, dependency poisoning, and CI/CD compromises — and emphasizes automated security scanning (secret scanning, dependency and container scanning, static analysis, IaC checks) with tools such as Snyk and SonarSource. A GitHub repo for a 30-day DevSecOps journey is provided.
npm poisoned again: TanStack, Mistral AI, UiPath and others affected; the malware can steal cloud keys, SSH keys and GitHub tokens
Security researchers disclosed a large npm supply-chain campaign that pushed over 400 malicious versions across more than 170 packages without compromising maintainer accounts. Notable brands targeted include TanStack and Mistral AI, among many smaller libraries; the attack relied on publishing new malicious package versions rather than hijacking existing maintainer credentials. The incident matters because widespread npm dependencies can cause rapid downstream compromise for applications and CI pipelines, highlighting gaps in package vetting and the need for stronger registry protections, dependency auditing, and supply-chain defenses. Developers and organizations should audit dependencies, pin versions, and use tools like safedep and automated scanning to detect and remediate tainted packages.
Security firm Socket warned May 11 that a broad npm supply-chain poisoning injected credential-stealing malware into dozens of packages across multiple namespaces, including TanStack, Mistral AI and UiPath. Attackers added an obfuscated router_init.js and an optional dependency pointing to a one-off GitHub commit that introduced a malicious @tanstack/setup package with a prepare hook to run on install; the payload targets AWS, GCP, Kubernetes, Vault, ~/.npmrc, GitHub tokens and SSH keys and exfiltrates data via encrypted uploads while installing a persistence monitor. TanStack attributes the breach to chained GitHub Actions issues (pull_request_target abuse, fork cache poisoning, and OIDC token extraction); npm packages have been deprecated and removed. The incident expands an ongoing large-scale “Mini Shai-Hulud” npm poisoning campaign and underscores risks in CI/CD and trusted OIDC publish flows.
Socket : Several npm packages for the TanStack web development tools were compromised in the Mini Shai-Hulud supply chain attack; Mistral packages were also affected. Immediate triage: run shasum -a 256 on all router_init.js files in your dependency tree.
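Following Socket's triage step (hash every router_init.js) and the install-time prepare hook described in the preceding item, an added example that is not code from TanStack, Socket or npm: a Python audit that walks an installed node_modules tree, reports every package declaring an npm install-time lifecycle script, and records the SHA-256 of any router_init.js it finds for comparison against published indicators. The root path passed in and any package names used to exercise it are constructed.

```python
import hashlib
import json
import os
from typing import Dict, List

# npm runs these lifecycle scripts automatically at install time (prepare: git deps, local installs)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPECT_FILENAME = "router_init.js"  # loader file name quoted in the reports above

def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks (same digest `shasum -a 256` prints)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_node_modules(root: str) -> Dict[str, List[dict]]:
    """Walk an installed tree; return install-time hooks and suspect-file hashes."""
    hooks: List[dict] = []
    suspects: List[dict] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Hash every router_init.js regardless of which package ships it.
        for name in filenames:
            if name == SUSPECT_FILENAME:
                full = os.path.join(dirpath, name)
                suspects.append({"path": os.path.relpath(full, root),
                                 "sha256": sha256_of(full)})
        if "package.json" not in filenames:
            continue
        pkg_path = os.path.join(dirpath, "package.json")
        try:
            with open(pkg_path, encoding="utf-8") as f:
                pkg = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        scripts = pkg.get("scripts") if isinstance(pkg, dict) else None
        if not isinstance(scripts, dict):
            continue
        for hook in INSTALL_HOOKS:
            if hook in scripts:  # any install-time hook deserves a human look
                hooks.append({"package": pkg.get("name", "?"),
                              "version": pkg.get("version", "?"),
                              "hook": hook, "command": str(scripts[hook]),
                              "path": os.path.relpath(pkg_path, root)})
    return {"hooks": hooks, "suspect_files": suspects}

if __name__ == "__main__":
    import sys
    print(json.dumps(audit_node_modules(sys.argv[1] if len(sys.argv) > 1 else "node_modules"), indent=2))
```

Run it from a project root, or pass a node_modules path as the first argument; hooks are reported for review, not judged, because many legitimate packages also compile native code at install time.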
Submitted by /u/Sensiduct. Link: https://andrii.ro/blog/investigating-malware | Comments: https://www.reddit.com/r/programming/comments/1ta7ulb/be_careful_with_your_git_investigating_malware/
A widespread software supply-chain compromise began when a maintainer’s credentials were stolen via a phishing site and used to publish a malicious npm package. That package exfiltrated various developer credentials, enabling attackers to backdoor a transitive Rust compression library (vulpine-lz4). The tainted Rust crate, vendored into the popular Python build tool snekpack, caused a malware-laden snekpack release that reached roughly four million developers, installing SSH backdoors and remote shells. The chain exposed gaps in package registry security, maintainer account protection, dependency hygiene, and incident response; it was only accidentally neutralized by an unrelated cryptocurrency-mining worm. Key players include the left-justify npm package, vulpine-lz4 Rust crate, and snekpack Python build tool.
JDownloader's official website was breached and used for over a day to serve malicious Windows and Linux installers after attackers exploited an unpatched website vulnerability that allowed altering Access Control Lists. The development team confirmed the breach, took the site offline, and said the main JDownloader.jar, macOS installers, and repository packages (Winget, Flatpak, Snap) were unaffected because they use separate infrastructure and signed updates. Attackers replaced alternative Windows installer links with unsigned executables (showing a bogus publisher) and swapped the Linux shell installer with malware; some victims reported Windows Defender being disabled. The incident is a supply-chain-style compromise echoing a recent CPUID website breach. Users should avoid downloads from the site until it’s fully remediated.
JDownloader’s official website was compromised and for over a day served malicious Windows and Linux installers after attackers exploited an unpatched access-control bug to alter download links. The JDownloader team confirmed the breach, took the site offline for investigation, and said the main JDownloader.jar, macOS installers, and packages from Winget, Flatpak and Snap were not affected because they use separate infrastructure and signed updates. Attackers replaced alternative Windows installers with unsigned executables and swapped the Linux shell installer with malware; some victims reported Windows Defender being disabled. The incident is a supply-chain-style attack echoing a recent CPUID website breach that similarly delivered malware via tampered downloads.
Security researchers warn of a new Linux-targeting malware that specifically targets developers by infecting development tools and software packages; it can propagate by tampering with packages used by millions. The report — cited by a TecMundo article and shared on Reddit — details how the virus focuses on developer environments and package ecosystems, increasing risk of supply-chain contamination. This matters because compromised build tools or package repositories can silently distribute malware to downstream projects and large user bases, amplifying impact across open-source and commercial software. Devs, sysadmins and platform providers should audit dependencies, verify package integrity, and monitor CI/CD pipelines to mitigate supply-chain threats.
GitHub reported an incident affecting GitHub Actions, disrupting CI/CD workflows for developers. The status page notified users about the outage and offered subscription options for email and SMS updates while the team investigated. The incident matters because GitHub Actions is central to many software delivery pipelines; prolonged or recurring outages can delay deployments, break automated testing, and erode developer trust. GitHub’s incident communications emphasize transparency and customer notifications, but frequent service interruptions highlight operational risks for projects and organizations that rely heavily on hosted developer tooling.