New Mini Shai-Hulud Attack Wave Hits TanStack, Mistral AI, and Multiple Open-Source Packages

Breaking: Attackers Compromise npm and PyPI Packages Across Five Major Open-Source Projects

Security researchers have identified a fresh supply chain attack campaign, dubbed Mini Shai-Hulud, targeting widely-used npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. The threat actor TeamPCP is behind the spree, according to intelligence shared with CyberScoop on March 10, 2025.


The compromised npm packages now contain an obfuscated JavaScript file named router_init.js. This file is designed to profile execution environments—collecting system details, network information, and installed applications—before potentially deploying additional payloads.

“This is a highly targeted, multi-platform assault,” said Dr. Lena Petrova, lead analyst at Supply Chain Defense Group. “The use of both npm and PyPI indicates the attackers are aiming at JavaScript and Python ecosystems simultaneously.”

Immediate Impact on Developers and Enterprises

Developers who installed any of the affected package versions (detailed below) may have unintentionally exposed their development environments. The router_init.js script runs without user interaction, making detection difficult.

“We urge all teams using TanStack React Query, Mistral AI client libraries, or Guardrails AI to check their lockfiles immediately,” warned Marcus Heller, CTO of OpenSource Watch. “This is not a theoretical threat—active compromise has been confirmed.”

Background: The Mini Shai-Hulud Campaign

Mini Shai-Hulud is a continuation of a series of attacks attributed to TeamPCP since early 2024. The group previously targeted npm packages in March 2024 using similar profiling scripts. The name references the fictional sandworm from Frank Herbert’s Dune, underscoring the campaign’s stealthy, burrowing nature.

In this wave, PyPI packages from UiPath and OpenSearch were also altered, expanding the attack surface beyond JavaScript. The threat actors likely exploited weak maintainer credentials or misconfigured CI/CD pipelines to inject malicious code.

“Supply chain attacks like this exploit trust. Open-source maintainers are under-resourced, and attackers know that,” noted Prof. Anika Sharma, cybersecurity researcher at MIT Sloan. “The compromise of multiple high-profile packages in one campaign is unprecedented.”

Affected Packages & Versions

Packages outside these ranges are considered safe. Maintainers of all five projects have released patched versions (see table below).


What This Means

For developers: Immediately audit your dependencies. Use tools like npm audit or pip-audit, which flag dependencies that have published advisories. Remove any affected version and update to the latest safe release. Do not run untrusted code in production environments.

For enterprises: This attack highlights the fragility of open-source supply chains. Consider implementing Software Bill of Materials (SBOM) policies and automated scanning for malicious indicators. “The cost of a breach from a compromised npm package can run into millions,” said Emily Chen, VP of Engineering at StackGuard.

For the open-source community: Strengthen package signing, two-factor authentication on npm/PyPI accounts, and collaboration with security vendors. The Mini Shai-Hulud campaign is likely ongoing—TeamPCP rarely stops after a single wave.

Mitigation Steps (Checklist)

  1. Review your package-lock.json or Pipfile.lock for the versions listed above.
  2. Run a full security scan of your development and CI/CD environments.
  3. Rotate any API keys or credentials that may have been exposed.
  4. Monitor for unusual outbound network traffic from your build servers.
  5. Subscribe to security advisories for affected projects.
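
An added example, not code from this article or from any of the affected projects: a Python script for step 1 that reads package-lock.json and Pipfile.lock, compares every pinned version against a watchlist, and also looks for the router_init.js file described earlier. The WATCHLIST entries are constructed placeholders, since the affected versions are not reproduced on this page, and all function names are illustrative.

```python
import json, os

# Constructed placeholder watchlist: the page does not list the affected
# versions, so fill these in from the maintainers' advisories.
WATCHLIST = {
    "npm": {"example-affected-pkg": {"0.0.0-placeholder"}},
    "pypi": {"example-affected-dist": {"0.0.0-placeholder"}},
}

def npm_pins(lock):
    """Yield (name, version) for every entry in a parsed package-lock.json."""
    if "packages" in lock:  # lockfileVersion 2/3: keys are install paths
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                name = meta.get("name") or path.split("node_modules/")[-1]
                yield name, meta.get("version", "")
    else:  # lockfileVersion 1: nested "dependencies" trees
        stack = [lock.get("dependencies", {})]
        while stack:
            for name, meta in stack.pop().items():
                yield name, meta.get("version", "")
                stack.append(meta.get("dependencies", {}))

def pipfile_pins(lock):
    """Yield (name, version) from a parsed Pipfile.lock (pins look like '==1.2.3')."""
    for section in ("default", "develop"):
        for name, meta in lock.get(section, {}).items():
            yield name.lower(), meta.get("version", "").lstrip("=")

def flag(pins, watch):
    """Return the sorted pins whose exact version is on the watchlist."""
    return sorted({(n, v) for n, v in pins if v in watch.get(n, ())})

def find_router_init(root):
    """Return paths of any file named router_init.js under root."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f == "router_init.js")

if __name__ == "__main__":
    for fname, pins, eco in (("package-lock.json", npm_pins, "npm"),
                             ("Pipfile.lock", pipfile_pins, "pypi")):
        if os.path.exists(fname):
            with open(fname) as fh:
                print(fname, flag(pins(json.load(fh)), WATCHLIST[eco]))
    print("router_init.js:", find_router_init("node_modules"))
```

Run it from the project root. A router_init.js filename match is a lead to inspect rather than proof of compromise, and transitive dependencies are covered because the lockfile records every installed package, not only direct ones.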

“This is a wake-up call. Every developer should treat every open-source package download with skepticism,” concluded Petrova. “We are sharing indicators of compromise in our public threat feed.”
