Mass NPM & PyPI Supply Chain Attack Hits TanStack, Mistral AI, and 170+ Packages

On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages across major projects including TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI. The attacker published 404 malicious versions in total, with some packages receiving up to 9 versions.
High-Profile Targets
- TanStack (42 packages, 84 versions): the entire router ecosystem, including @tanstack/react-router, @tanstack/vue-router, and @tanstack/solid-router alongside their devtools and SSR plugins.
- Mistral AI (3 npm packages, 9 versions; 1 PyPI package): @mistralai/mistralai (core SDK), @mistralai/mistralai-azure, @mistralai/mistralai-gcp. PyPI package mistralai==2.4.6 (the legitimate latest was 2.4.5).
- UiPath (65 packages) and OpenSearch (1.3M weekly npm downloads).
- PyPI: guardrails-ai==0.10.1 was also compromised.
How the Attack Works
The npm packages contain a malicious preinstall hook that drops files into .claude/settings.json, .claude/setup.mjs, .vscode/tasks.json, and .vscode/setup.mjs. It then uses GitHub's createCommitOnBranch GraphQL mutation to push poisoned configs to the user's repositories, scanning for token patterns ghp_*, gho_*, ghs_*, and npm_*.
The PyPI variant triggers on import (not pip install), downloading a Python dropper from hxxps://git-tanstack[.]com/transformers.pyz and executing it with python3 /tmp/transformers.pyz.
Indicators of Compromise (IoCs)
- C2/Exfiltration: hxxp://filev2[.]getsession[.]org/file/
- AWS metadata probe: hxxp://169[.]254[.]169[.]254/latest/meta-data/iam/security-credentials/
- Vault probe: hxxp://127[.]0[.]0[.]1:8200
- Bun runtime download: hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/
- PyPI download domain: hxxps://git-tanstack[.]com/transformers.pyz (Cloudflare-flagged as phishing)
Mitigation
Check your package-lock.json or yarn.lock for the affected versions. Block the listed domains in your firewall. Rotate any tokens that may have been exposed. PyPI has quarantined both mistralai and guardrails-ai projects.
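A triage helper for the lockfile check above, added here as an example and not code from the original write-up or from any of the affected projects: it flags the npm package names and PyPI versions the text lists and looks for the files the preinstall hook drops. The page gives no npm version numbers, so npm hits are by name only; the lockfile and requirements inputs are constructed samples.

```python
"""Added example (not the article's code): flag the package names, PyPI versions and
dropped files this write-up names in a lockfile, a requirements list and a checkout."""
import re
from pathlib import Path

PYPI_BAD = {"mistralai": {"2.4.6"}, "guardrails-ai": {"0.10.1"}}  # versions from the write-up
# npm packages named in the write-up; it lists no npm versions, so these are flagged
# by name for manual version review against the vendor advisory.
NPM_WATCH = {"@tanstack/react-router", "@tanstack/vue-router", "@tanstack/solid-router",
             "@mistralai/mistralai", "@mistralai/mistralai-azure", "@mistralai/mistralai-gcp"}
# Files the preinstall hook drops, per the write-up.
DROPPED = [".claude/settings.json", ".claude/setup.mjs", ".vscode/tasks.json", ".vscode/setup.mjs"]

def npm_hits(lock: dict) -> list[tuple[str, str]]:
    """(name, version) for lockfile v2/v3 'packages' entries on the watchlist."""
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # Keys look like 'node_modules/@scope/name', possibly nested under another
        # package's node_modules; the text after the last 'node_modules/' is the name.
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in NPM_WATCH:
            hits.append((name, meta.get("version", "?")))
    return sorted(hits)

def pypi_hits(requirements: str) -> list[tuple[str, str]]:
    """(name, version) for pinned (==) requirements matching a quarantined release."""
    hits = []
    for line in requirements.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][^\s;#]*)", line)
        # pip treats '_' and '-' in project names as equivalent, so normalise before lookup.
        if m and m.group(2) in PYPI_BAD.get(m.group(1).lower().replace("_", "-"), set()):
            hits.append((m.group(1), m.group(2)))
    return hits

def dropped_files(repo: str = ".") -> list[str]:
    """Dropped-file paths that already exist under the checkout root."""
    root = Path(repo)
    return [p for p in DROPPED if (root / p).exists()]

# Constructed sample inputs; the npm versions are placeholders, not real release numbers.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "my-app"},
    "node_modules/@tanstack/react-router": {"version": "0.0.0-placeholder"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/left-pad/node_modules/@mistralai/mistralai": {"version": "0.0.0-placeholder"},
}}
SAMPLE_REQS = "requests==2.32.3\nmistralai==2.4.6\nguardrails-ai==0.10.0\n"

if __name__ == "__main__":
    print("npm:", npm_hits(SAMPLE_LOCK), "pypi:", pypi_hits(SAMPLE_REQS), "dropped:", dropped_files())
```

Point it at a real checkout by loading package-lock.json with json.load and reading requirements.txt; yarn.lock uses a different format and needs its own parser.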
📖 Read the full source: HN AI Agents
👀 See Also

MCP Server CVE Exposure Mapping and Public API Released
Researchers have mapped CVE exposure across thousands of MCP servers and built a public API for querying dependency vulnerabilities. The API allows searching by repo/name, filtering by severity, and sorting by CVE count or recency.

Architectural fix for AI agent over-centralization: separating memory, execution, and outbound actions
A developer realized their AI assistant was becoming an 'internal autocrat' by handling long-term memory, tool access, and autonomous decisions in one component. The solution involved separating the system into three roles: private controller, scoped workers, and outbound gate.

Stop Trusting AI More Than a Human — Apply the Same Access Controls
A Reddit discussion argues that AI coding agents should be treated like junior devs — no prod access, no direct writes, enforce CI/CD pipelines and role-based permissions.

Security Warning: ClawProxy Script Stole API Keys, Resulting in Significant OpenRouter Bill
A developer installed a closed-source ClawProxy script from a Reddit user on a sandboxed WSL Ubuntu 24.04 system, which stole their OpenRouter API key and used it via Google Vertex API to run up a large bill on Opus 4.6 overnight.