Vulnerability | Bleeping Computer
9.5 — CRITICAL
Shai Hulud attack ships signed malicious TanStack, Mistral npm packages
A large-scale software supply-chain attack involving the "Shai-Hulud" malware has compromised hundreds of packages across open-source software ecosystems. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
A Shai-Hulud supply-chain campaign compromised hundreds of packages across npm, PyPI, and Composer, delivering credential-stealing malware targeting developers. The attack was attributed to the TeamPCP threat group.
⚙️ Technical Details
Affected Systems
npm, PyPI, Composer
Attack Vectors
- Compromised TanStack and Mistral AI packages
- Stolen CI/CD credentials
- Abused orphaned commit pushed to a fork of the TanStack/router repository
💥 Impact Assessment
Severity: critical
Who Is at Risk
Developers who downloaded affected package versions
🛡️ Recommended Actions
1. Check for affected package versions
2. Rotate all credentials (GitHub tokens, npm tokens, AWS credentials, Vault tokens, Kubernetes service accounts, and CI/CD secrets)
3. Block the threat actor's command-and-control infrastructure at DNS or proxy level
📦 Affected Products
TanStack, Mistral AI, Guardrails AI, UiPath, OpenSearch, Bitwarden CLI, SAP packages
This is a curated summary. The complete article is available at Bleeping Computer.
