TEXXR

Chronicles


Many npm packages for Mistral, UiPath, and TanStack's web developer tools like react-router were compromised, likely in the Mini Shai-Hulud supply chain attack

- Immediate triage: Run shasum -a 256 on all router_init.js files in your dependency tree.
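As an added example (not code from this page or from any of the vendors quoted in it), a small Python triage scanner for the step above: it walks a dependency tree, flags installed packages whose name and version match a watch list, and records the SHA-256 of every router_init.js so the hashes can be compared against a vendor-published indicator. The watch list is seeded only with the @mistralai versions quoted in the discussion; the sample tree, its package names and its file contents are constructed fixtures.

```python
import hashlib, json, os, tempfile
from pathlib import Path

# Constructed watch list, seeded with the @mistralai versions quoted in the
# thread below; extend it from the Socket/Aikido advisories before real use.
AFFECTED = {
    "@mistralai/mistralai": {"2.2.2", "2.2.3", "2.2.4"},
    "@mistralai/mistralai-azure": {"1.7.1", "1.7.2", "1.7.3"},
    "@mistralai/mistralai-gcp": {"1.7.1", "1.7.2", "1.7.3"},
}
SUSPECT_FILE = "router_init.js"  # the file the triage step says to hash

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root: Path) -> dict:
    """Walk root/**/node_modules: list watch-listed name@version pairs and the
    SHA-256 of every router_init.js, for comparison against vendor IoCs."""
    hits, hashes = [], {}
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if "package.json" in filenames and "node_modules" in d.parts:
            try:
                meta = json.loads((d / "package.json").read_text("utf-8"))
            except (OSError, ValueError):
                continue  # unreadable manifest: skip it, don't abort the scan
            name, ver = meta.get("name"), str(meta.get("version", ""))
            if ver in AFFECTED.get(name, ()):
                hits.append((name, ver, str(d)))
        if SUSPECT_FILE in filenames:
            hashes[str(d / SUSPECT_FILE)] = sha256_file(d / SUSPECT_FILE)
    return {"affected": hits, "router_init": hashes}

def build_sample_tree() -> Path:
    """Constructed fixture: one watch-listed package, one clean one, and an
    empty router_init.js (its SHA-256 is the well-known e3b0c442...b855)."""
    root = Path(tempfile.mkdtemp())
    for name, ver in {"@mistralai/mistralai": "2.2.3", "example-dep": "9.9.9"}.items():
        d = root / "node_modules" / name
        d.mkdir(parents=True)
        (d / "package.json").write_text(json.dumps({"name": name, "version": ver}))
    (root / "node_modules" / "example-dep" / SUSPECT_FILE).write_bytes(b"")
    return root

if __name__ == "__main__":
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

Point `triage()` at a real project root instead of the fixture; a non-empty `affected` list or an unexpected router_init.js hash is the signal to stop and rotate CI credentials.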

Socket

Discussion

  • @tan_stack @tan_stack on x
    SECURITY ADVISORY — TanStack npm packages A supply-chain compromise affecting 42 @tanstack/* packages (84 versions total) was published to npm earlier today at approximately 19:20 and 19:26 UTC. Two malicious versions per package. Status: ACTIVE — packages are deprecated, npm
  • @socketsecurity @socketsecurity on x
    🚨 BREAKING: 84 TanStack npm packages were compromised in an ongoing Mini Shai-Hulud supply chain attack, adding suspected CI credential-stealing malware. Socket flagged every malicious version within six minutes of publication. This is a developing story. [image]
  • @lowleveltweets @lowleveltweets on x
    nah im just not gonna run npm install anymore
  • @socketsecurity @socketsecurity on x
    We'll publish more details as our investigation continues. Here are all the affected packages and versions: https://socket.dev/...
  • @aikidosecurity @aikidosecurity on x
    Update 5:05 PT: The attack has now expanded well beyond @TanStack and @Mistral. 373 malicious package-version entries across 169 npm package names, including @uipath, @squawk, @tallyui, @beproduct, and more. The malware propagates by stealing your CI credentials and using them
  • @feross @feross on x
    🚨 Active supply chain attack on @tan_stack. 84 npm packages in the @ tanstack namespace have been compromised with a credential-stealing worm. @ tanstack/react-router alone has 12M+ weekly downloads. The affected packages span react-router, solid-router, vue-router, start, and [i…
  • @intcyberdigest @intcyberdigest on x
    🚨 How the TanStack npm attack actually happened: 1. Attacker opened a normal-looking pull request (#7378) on the TanStack repo. 2. GitHub automatically ran CI tests on that PR. 3. Code inside the PR stole the workflow's GitHub Actions Cache write token during the test run. 4.
  • @socketsecurity @socketsecurity on x
    🚨 UPDATE: Mini Shai-Hulud has crossed from @npmjs into @pypi and is still spreading. Newly confirmed compromised artifacts: @ opensearch-project/opensearch: 3.5.3, 3.6.2, 3.7.0, 3.8.0 (1.3M weekly downloads) mistralai: 2.4.6 on PyPI guardrails-ai: 0.10.1 on PyPI additional [image…
  • @msftsecintel @msftsecintel on x
    Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/ transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. […
  • @socketsecurity @socketsecurity on x
    @IntCyberDigest ... Mistral AI npm packages are now confirmed compromised as part of the ongoing Mini Shai-Hulud campaign. We're tracking the expanding supply chain attack, which has already hit TanStack, UiPath, and other package namespaces.
  • @mitsuhiko Armin Ronacher on x
    Published via OIDC trusted publishing btw. I hope this ends this absurd idea that OIDC is the silver bullet to supply chain issues.
  • @socketsecurity @socketsecurity on x
    Update: Socket has found 121 more compromised npm package artifacts across 84 package names, including 64 UiPath artifacts. Combined w/ TanStack, the current known total is 205 affected npm package artifacts across enterprise automation, AI/MCP, auth, workflow, and dev tooling.
  • @crutchcorn Corbin Crutchley on x
    TanStack Router has genuinely been attacked. We're investigating as quickly as we can and are taking as many steps as we can to resolve.
  • @ryancarson Ryan Carson on x
    Add a minimum package age to help protect you from attacks like this
  • @adnanthekhan Adnan Khan on x
    This attack leveraged GitHub Actions Cache Poisoning. Payload deployed here: https://github.com/... It looks like it detonated here: https://github.com/...
  • @jait_chen @jait_chen on x
    Supply-chain attacks through GitHub Actions are becoming increasingly difficult to prevent. Attackers can now use agents to discover new attack paths and automate exploitation at a scale we haven't seen before. Huge respect to the TanStack team for reacting so quickly and
  • @thecto Adam on x
    thing is, tanstack never claimed to be a SOTA infra provider, dunked on other people, or done shady things. that's why this is okay and i'm not migrating away
  • @dabit3 Nader Dabit on x
    This is crazy. The hacker installed a dead-man's switch that will wipe your computer if you revoke the GitHub token they stole from you. Revoking the token is what triggers the wipe. [image]
  • @tannerlinsley Tanner Linsley on x
    Many recent TanStack Router versions from earlier today were compromised via a Mini Shai-Hulud Supply-Chain Attack. We've already unpublished affected versions and are still taking every action possible to secure our publishing pipelines. Luckily there's a lot of maintainers
  • @tan_stack @tan_stack on x
    Our official post mortem on the security issue earlier today: https://tanstack.com/...
  • @artman Tuomas Artman on x
    Your bi-monthly reminder that you're one npm install away from getting pwned without the proper precautions.
  • @aikidosecurity @aikidosecurity on x
    🚨 Update: @mistralai npm packages are now confirmed compromised as part of the ongoing Mini Shai Hulud attack. Affected versions: @mistralai/mistralai 2.2.2, 2.2.3, 2.2.4; @mistralai/mistralai-azure 1.7.1, 1.7.2, 1.7.3; @mistralai/mistralai-gcp 1.7.1, 1.7.2, 1.7.3. If you use the
  • @samwho.dev Sam Rose on bluesky
    This is an S-tier, gold standard write-up of the recent TanStack supply chain attack. — Extremely impressive how fast it was detected and mitigated, even if part of it was good luck. — tanstack.com/blog/npm-sup...
  • @campuscodi.risky.biz Catalin Cimpanu on bluesky
    This thing has spread to UiPath packages.... that's a major business automation company and this thing just went nuclear just because all the sensitive places where UiPath is used [embedded post]
  • @mk.gg Matt Kane on bluesky
    Good postmortem on the @tanstack.com supply-chain attack. The key part (which should be called out loudly): never run install on untrusted code inside a ‘pull_request_target’ workflow. — tanstack.com/blog/npm-sup... [image]
  • @campuscodi@mastodon.social Catalin Cimpanu on mastodon
    This thing has spread to UiPath packages.... that's a major business automation company and this thing just went nuclear just because all the sensitive places where UiPath is used
  • r/reactjs r on reddit
    Tanstack npm Packages Compromised
  • @campuscodi@mastodon.social Catalin Cimpanu on mastodon
    TanStack has published a post-mortem of its supply chain attack — Blames hack on three vulnerabilities chained together, involving pull requests, GitHub actions, and OIDC tokens extracted from memory — https://tanstack.com/...