Breaking
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images Targeting Magento Stores Microsoft Suspends Developer Accounts for High-Profile Open Source Projects European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Ransomware Attacks Surge in 2026: Healthcare and Finance Most Targeted Google Chrome Zero-Day Vulnerability Actively Exploited – Update Immediately Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images Targeting Magento Stores Microsoft Suspends Developer Accounts for High-Profile Open Source Projects European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Ransomware Attacks Surge in 2026: Healthcare and Finance Most Targeted Google Chrome Zero-Day Vulnerability Actively Exploited – Update Immediately
Latest Threat Intel Zero-Days Data Breaches Analysis
Live threat feed May 19, 2026 | 04:49 UTC
4048 CVEs This Month
6 Actively Exploited
2 Ransomware Activity
18 Breaches YTD
Threat Investigation Portal
Investigate an IOC in the live graph workspace.
Investigate IOC
Supply Chain Incidents

Mini Shai-Hulud Supply Chain Attack Hits TanStack, Mistral AI, Guardrails AI, and More

Thirumala Rao Padilam Thirumala Rao Padilam May 12, 2026
Mini Shai-Hulud Supply Chain Attack Hits TanStack, Mistral AI, Guardrails AI, and More

The TeamPCP threat actor has conducted a supply chain attack targeting npm and PyPI packages from multiple organizations including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. This attack, part of the Mini Shai-Hulud campaign, involved injecting obfuscated JavaScript designed to profile execution within the compromised packages.

What happened

TeamPCP, a known threat actor involved in recent supply chain attacks, has compromised multiple software packages distributed via npm and PyPI repositories. The affected packages come from organizations such as TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. The attackers inserted an obfuscated JavaScript file named "router_init.js" into the npm packages.

This malicious file is engineered to profile the execution environment, potentially gathering information about the systems where the compromised packages run. The campaign has been identified as a new iteration of the Mini Shai-Hulud attack series, indicating ongoing efforts to exploit supply chain ecosystems.

Why it matters

Supply chain attacks pose a significant risk because they target trusted software dependencies widely used by developers and organizations, increasing the chances of compromising numerous downstream applications. The inclusion of obfuscated profiling code suggests the attackers aim to gain deep insights into victim environments, which could lead to further exploitation or targeted attacks.

Compromises affecting well-known packages from several organizations indicate a coordinated campaign aiming to maximize impact across various sectors. This form of attack underlines the continuing vulnerabilities in software supply chains and the importance of securing dependency management practices.

What security teams should do

Security teams should review dependencies in their software projects for the presence of the compromised packages linked to TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. Monitoring logs and network traffic for unusual behavior associated with the execution of 'router_init.js' or similar profiling activities could help detect exploitation.

It is advisable to follow any guidance issued by the affected vendors regarding package updates or replacements. Additionally, teams should ensure their supply chain security measures, such as code signing verification and integrity checks, are enforced to prevent such compromises.

Key technical details

The Mini Shai-Hulud campaign involves the insertion of an obfuscated JavaScript file named 'router_init.js' into npm packages. This file is designed to profile the execution environment where the package runs. The specific profiling techniques or data collected were not detailed.

The attack also extends to PyPI packages from the same set of organizations, although the precise technical modifications to the Python packages were not described. The widespread use of npm and PyPI repositories highlights the multifaceted nature of this supply chain infiltration.

Affected organizations/products

The compromised packages have been identified in repositories associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. Both npm (JavaScript) and PyPI (Python) package ecosystems were targeted in this campaign, affecting multiple widely used software libraries.

Source attribution

https://thehackernews.com/2026/05/mini-shai-hulud-worm-compromises.html

Thirumala Rao Padilam
Written by
Thirumala Rao Padilam
error: Content is protected !!