Contents
- 1 A coordinated strike on the software supply chain
- 2 “Mini Shai-Hulud”: 401 malicious versions uploaded in hours
- 3 TanStack: 42 packages hit, including Router used across React and more
- 4 Mistral AI: company confirms SDK compromise across Azure and Google Cloud channels
- 5 UiPath: 65 npm packages compromised, customers demand clear remediation steps
- 6 CI/CD weak points: GitHub Actions tokens, risky workflows, and cache poisoning
- 7 A practical defense: delay “too-new” package versions by 24 hours
- 8 Key Takeaways
- 9 Frequently Asked Questions
- 10 Sources
Hackers pulled off a lightning-fast software supply-chain attack in May 2026, slipping booby-trapped updates into some of the internet’s most-used open-source package repositories, then letting automated installs do the dirty work.
In roughly five hours, researchers say attackers uploaded at least 401 malicious “artifacts” tied to more than 170 packages on npm (JavaScript) and PyPI (Python). The targets weren’t obscure one-off libraries. They included package families linked to TanStack, Mistral AI, and UiPath, names that show up in real corporate build pipelines and production apps.
A coordinated strike on the software supply chain
The playbook was simple and brutal: publish compromised versions to trusted registries and wait for developers’ CI/CD systems (continuous integration and deployment pipelines) to automatically pull “the latest” version.
That’s what makes this kind of attack so dangerous. The attacker doesn’t need to break into your servers. They just need to get into your dependencies, code your systems download and run because it’s assumed to be safe.
“Mini Shai-Hulud”: 401 malicious versions uploaded in hours
Security analysts tracking the campaign dubbed it “Mini Shai-Hulud,” a reference meant to signal worm-like behavior, malware that can spread by leveraging credentials and automation.
The speed mattered. By pushing hundreds of malicious releases in a short window and then disappearing, attackers can outrun human review while automated jobs keep rebuilding containers, refreshing lockfiles, and reinstalling dependencies multiple times a day.
The campaign spanned both JavaScript and Python ecosystems, widening the blast radius across front-end apps, back-end services, internal scripts, automation tooling, and data workflows. Even companies that used just one affected package could be exposed if it was pulled into a daily build.
TanStack: 42 packages hit, including Router used across React and more
TanStack is a major name in modern web development, best known for tools used in high-traffic applications and developer workflows. Analysts say 42 TanStack-related packages were impacted, including components tied to routing, devtools, and adapters.
TanStack Router, specifically, is used in apps built with React, Vue, and Solid. In practical terms: if your team rebuilds a React app on every merge and your CI job fetches a compromised version, malicious code can land inside the build environment, where secrets and signing keys often live.
These attacks typically go after what’s easiest to monetize and hardest to track: API keys, cloud credentials, registry tokens, and other secrets sitting on developer machines or CI runners. Once stolen, those credentials can open the door to deeper compromises, and potentially spread further.
Mistral AI: company confirms SDK compromise across Azure and Google Cloud channels
Mistral AI, a fast-rising European AI company often compared to U.S. model makers for its open-weight approach, confirmed it was affected. The company said malicious versions were published across three distribution channels: its main SDK, its Microsoft Azure integration, and its Google Cloud Platform integration, with three malicious releases in each channel.
Mistral AI said a developer device was impacted, but it has not found evidence its core infrastructure was breached. That distinction matters: it points to dependency and developer-environment contamination rather than a direct break-in to company servers.
Technical write-ups also flagged a command-and-control server hardcoded into the malware (83.142.209[.]194) and a fallback mechanism dubbed “FIRESCALE” designed to keep the malware communicating even if defenders block the primary route, an indicator of a more resilient, professional operation.
The group attributed to the campaign, “TeamPCP,” also tried to turn the incident into a marketplace. It advertised a “contest” around package compromise with a $1,000 Monero reward and threatened to leak about 5 GB (more precisely about 5.4 GB, roughly 5.4 billion bytes) of internal Mistral AI-related code, while floating a “buy it now” extortion demand of $25,000. Even when such claims are hard to verify, the messaging can fuel copycats and accelerate the industrialization of the technique.
UiPath: 65 npm packages compromised, customers demand clear remediation steps
UiPath, a leading automation and RPA (robotic process automation) platform widely used inside enterprises, saw 65 npm packages compromised, according to reporting and community discussions. The risk here can extend beyond typical web development: automation stacks often connect to business systems, orchestrators, and internal apps that carry sensitive access.
On UiPath’s community forum, users quickly asked for a straightforward remedy, what to check, what to remove, what to regenerate. That urgency reflects reality in corporate environments: when your automation team depends on a package stack, you need a checklist, not a theory.
Security guidance circulating around the incident centers on three painful steps: confirm whether compromised versions reached any environment, clean affected systems, and rotate any secrets that may have been exposed. That can mean registry credentials, CI secrets, API keys, and cloud tokens, work that’s straightforward on paper and grueling in practice, especially for organizations without a clean inventory of where secrets live.
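The first of those three steps, confirming whether a compromised version reached any environment, is mechanical once you have a list of bad versions and the lockfiles your builds actually resolved. The script below is an added example, not code from the article or from any of the affected vendors: it checks an npm `package-lock.json` (v2/v3 format, so transitive dependencies are covered) and a `requirements.txt` against a compromised-version list, and greps checked-out package files for the command-and-control address reported in the write-ups. The package names and versions in `COMPROMISED`, and all sample inputs, are constructed placeholders; replace them with the published list for the incident.

```python
import json
import re

# Constructed advisory list (package name -> versions to treat as compromised).
# The versions below are placeholders for this example, not the real ones from
# the May 2026 campaign; load the published list of compromised versions here.
COMPROMISED = {
    "@tanstack/router-core": {"9.9.9"},
    "@uipath/example-sdk": {"0.0.0-bad"},
    "mistralai": {"99.0.0"},
}

# C2 address reported in the technical write-ups (defanged as 83.142.209[.]194 in the article).
C2_INDICATOR = re.compile(r"\b83\.142\.209\.194\b")


def scan_package_lock(lock_text):
    """Return sorted (name, version) pairs in a package-lock.json that match COMPROMISED.

    Lockfile v2/v3 lists every installed package under "packages", keyed by its
    on-disk path ("node_modules/<name>", nested for transitive dependencies), so
    transitive pulls are covered as well as direct ones.
    """
    lock = json.loads(lock_text)
    hits = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = path.split("node_modules/")[-1]
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.append((name, meta["version"]))
    return sorted(hits)


def scan_requirements(req_text):
    """Return sorted (name, version) pairs pinned with == in a requirements.txt that match COMPROMISED."""
    hits = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if not m:
            continue  # unpinned or non-requirement line
        name, version = m.group(1).lower(), m.group(2)  # PyPI names are case-insensitive
        if version in COMPROMISED.get(name, set()):
            hits.append((name, version))
    return sorted(hits)


def find_c2_references(file_texts):
    """Return the paths (from a path -> contents mapping) whose contents mention the C2 address."""
    return sorted(path for path, text in file_texts.items() if C2_INDICATOR.search(text))


# Constructed sample inputs (not taken from any real project).
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/@tanstack/router-core": {"version": "9.9.9"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/some-tool/node_modules/@uipath/example-sdk": {"version": "0.0.0-bad"},
    },
})

SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt
requests==2.32.3
mistralai==99.0.0  # pinned to the constructed bad version
numpy>=1.26
"""

SAMPLE_FILES = {
    "node_modules/react/index.js": "module.exports = require('./cjs/react.production.js');",
    "node_modules/@tanstack/router-core/dist/setup.js": "const beacon = 'http://83.142.209.194/';",
}

if __name__ == "__main__":
    print("npm hits:", scan_package_lock(SAMPLE_PACKAGE_LOCK))
    print("PyPI hits:", scan_requirements(SAMPLE_REQUIREMENTS))
    print("files referencing C2:", find_c2_references(SAMPLE_FILES))
```

Run it against every lockfile your CI has resolved since the publishing window, not just the one in the main branch: a compromised version that was pulled into a nightly build and then rolled back still means the runner's secrets need rotating.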
CI/CD weak points: GitHub Actions tokens, risky workflows, and cache poisoning
The incident also refocused attention on CI/CD as a high-value target. Analysts urged teams to audit GitHub Actions configurations, especially OIDC (OpenID Connect) token setups, and workflows like pull_request_target, which can be abused if misconfigured.
Dependency caches and shared actions can also become lateral pathways. Too many organizations still treat CI as “just tooling,” even though it often holds the keys to the kingdom: signing credentials, deployment permissions, and access to production environments.
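The audit the analysts recommend can be partly automated. The checker below is an added example, not code from the article: it applies a few heuristic rules to a GitHub Actions workflow file, flagging workflows that trigger on `pull_request_target` and also check out the pull request's head commit, mint an OIDC token (`id-token: write`), run with `write-all` permissions, or reference repository secrets. The two sample workflows, one risky and one hardened, are constructed for the example; the rule names are this example's own.

```python
import re

# Heuristic patterns (line-oriented, no YAML parser needed for this purpose).
PR_TARGET = re.compile(r"\bpull_request_target\b")
UNTRUSTED_HEAD = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")
ID_TOKEN_WRITE = re.compile(r"^\s*id-token\s*:\s*write\b", re.M)
WRITE_ALL = re.compile(r"^\s*permissions\s*:\s*write-all\b", re.M)
SECRET_USE = re.compile(r"\$\{\{\s*secrets\.")


def audit_workflow(yaml_text):
    """Return a list of finding codes for one workflow file.

    All rules are conditioned on pull_request_target: that trigger runs in the
    context of the base repository (with its secrets and token) even for pull
    requests from forks, so anything that executes fork-controlled code or
    hands out credentials inside it deserves review.
    """
    findings = []
    if not PR_TARGET.search(yaml_text):
        return findings  # nothing here runs on untrusted pull requests with privileges
    if UNTRUSTED_HEAD.search(yaml_text):
        findings.append("PR_TARGET_CHECKS_OUT_UNTRUSTED_HEAD")
    if ID_TOKEN_WRITE.search(yaml_text):
        findings.append("PR_TARGET_WITH_OIDC_ID_TOKEN")
    if WRITE_ALL.search(yaml_text):
        findings.append("PR_TARGET_WITH_WRITE_ALL_PERMISSIONS")
    if SECRET_USE.search(yaml_text):
        findings.append("PR_TARGET_USES_SECRETS")
    return findings


# Constructed risky workflow: builds fork code with the base repo's secrets and an OIDC token.
RISKY_WORKFLOW = """\
name: pr-build
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm run build
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Constructed hardened workflow: plain pull_request trigger, read-only token,
# no secrets and no OIDC token exposed to code from a fork.
HARDENED_WORKFLOW = """\
name: pr-build
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
"""

if __name__ == "__main__":
    print("risky:", audit_workflow(RISKY_WORKFLOW))
    print("hardened:", audit_workflow(HARDENED_WORKFLOW))
```

The heuristics deliberately err toward noise: a `pull_request_target` workflow that only labels issues and never runs untrusted code is a legitimate use, so treat the output as a review queue rather than a verdict.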
A practical defense: delay “too-new” package versions by 24 hours
One of the clearest lessons from the five-hour blitz is that time is an attacker’s advantage. If a malicious release only needs to live for a few hours to get pulled into thousands of automated builds, defenders need friction that slows down “instant upgrades.”
That’s where a “cooling-off period” comes in, configuring package managers to refuse versions published too recently. pnpm 11 now enables a default minimumReleaseAge of 1,440 minutes (24 hours). The Python tool uv offers a similar approach.
The benefit is immediate: a compromised version that’s online briefly is far less likely to be installed automatically. It’s not a silver bullet, but it forces attackers to keep malicious releases live longer, making them easier to spot and block.
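To make the mechanism concrete, here is an added example (not pnpm's or uv's own code) of how a minimum-release-age rule changes version resolution. It takes registry metadata in the shape of npm's `time` map (version to publish timestamp), drops every version younger than the configured age, and only then picks the newest version satisfying a caret-style range. The package versions, timestamps and the value of `NOW` are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed registry metadata in the shape of npm's "time" map: version -> publish
# timestamp, plus the "created"/"modified" keys that map also carries. All made up.
REGISTRY_TIME = {
    "created": "2026-03-01T08:00:00.000Z",
    "modified": "2026-05-12T14:40:00.000Z",
    "1.4.0": "2026-04-20T10:00:00.000Z",
    "1.4.1": "2026-05-01T09:30:00.000Z",
    "1.4.2": "2026-05-12T13:05:00.000Z",  # published about 3 hours before NOW
    "1.5.0": "2026-05-12T14:40:00.000Z",  # published about 1.5 hours before NOW
    "2.0.0": "2026-03-01T08:00:00.000Z",
}
NOW = datetime(2026, 5, 12, 16, 10, tzinfo=timezone.utc)  # constructed "current time"


def parse_version(v):
    """Turn 'x.y.z' into a comparable tuple (plain releases only, no pre-release tags)."""
    return tuple(int(part) for part in v.split("."))


def parse_time(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def eligible_versions(time_map, now, minimum_release_age_minutes):
    """Versions published at least minimum_release_age_minutes before now."""
    cutoff = now - timedelta(minutes=minimum_release_age_minutes)
    return [
        v for v, published in time_map.items()
        if v not in ("created", "modified") and parse_time(published) <= cutoff
    ]


def resolve_caret(time_map, floor, now, minimum_release_age_minutes=1440):
    """Resolve a caret range (^floor: same major, >= floor) to the newest eligible version.

    The release-age filter is applied first, so a version published minutes ago
    is simply invisible to the resolver, which is the whole point of the rule.
    Returns None when nothing in range is old enough.
    """
    lo = parse_version(floor)
    candidates = [
        v for v in eligible_versions(time_map, now, minimum_release_age_minutes)
        if parse_version(v) >= lo and parse_version(v)[0] == lo[0]
    ]
    return max(candidates, key=parse_version) if candidates else None


if __name__ == "__main__":
    for minutes in (0, 120, 1440):
        print(f"minimumReleaseAge={minutes:>4} min -> ^1.4.0 resolves to {resolve_caret(REGISTRY_TIME, '1.4.0', NOW, minutes)}")
```

With the 24-hour default the two freshest releases (the ones an attacker in a five-hour campaign would be relying on) never become candidates, and the resolver settles on the version that has already been public for eleven days. Note that the age check is only as good as the registry's timestamps and your clock, and that it does nothing for a version that was already resolved into a lockfile before the rule was turned on.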
The broader takeaway isn’t “stop using open source.” That’s fantasy. The real lesson is to treat dependencies as part of your security perimeter, lock down update policies, add guardrails around version resolution, monitor install-time behavior, and be ready to rotate secrets fast when the supply chain gets hit.
Key Takeaways
- More than 170 packages were affected, with 401 malicious artifacts published in about five hours
- TanStack, Mistral AI, and UiPath were among the targets, via npm and PyPI
- Recommendations include cleaning up environments and rotating any potentially exposed secrets
- CI/CD touchpoints such as GitHub Actions OIDC and pull_request_target should be audited
- A 24-hour delay on recent releases, such as pnpm minimumReleaseAge, reduces exposure to flash attacks
Frequently Asked Questions
What does a supply chain attack on npm and PyPI mean?
It’s a compromise that happens through software dependencies. Malicious package versions are published to registries like npm or PyPI and then automatically installed by developers, CI servers, or scripts, which can enable secret theft and spread to other environments.
Which projects were cited as being affected by Mini Shai-Hulud?
Public analyses mention packages tied to TanStack, UiPath, and Mistral AI, as well as the OpenSearch JavaScript client and several other namespaces. In total, this includes more than 170 packages, with over 400 malicious versions published over a short period.
What immediate actions are recommended if a compromised package was installed?
Recommendations include checking whether a compromised version reached your environments, cleaning the affected systems, and then rotating all credentials, tokens, and secrets that may have been exposed. It’s also advised to audit CI/CD entry points, including certain GitHub Actions configurations, to reduce the risk of persistence.
Why can a 24-hour cooling-off period help?
Because the attack took advantage of a short publishing window. If your package manager refuses to install versions published too recently, a malicious version that’s only online for a few hours is less likely to be resolved automatically. pnpm 11 enables a minimumReleaseAge of 1440 minutes (24 hours) by default.
Sources
- TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack – SecurityWeek
- Supply Chain attack on UiPath packages – Studio – UiPath Community Forum
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates
- TanStack & 160+ npm Packages Compromised – Orca Security
- npm Supply Chain Attack in 2026 | Abhisek Datta posted on the topic | LinkedIn