
Hackers Poisoned Mistral AI and TanStack Packages, Compromising 170+ Developer Tools in One Day

A hacking group called TeamPCP injected credential-stealing malware into over 170 npm and PyPI packages on May 11, 2026 — including tools from Mistral AI, TanStack, and UiPath. The malware runs the moment a developer imports the package, silently steals cloud keys, API tokens, and GitHub credentials, then threatens to wipe the developer's entire home directory if they try to revoke stolen access. This is a five-alarm fire for every organization running AI or web development pipelines.

What Happened

On May 11, 2026, a threat group called TeamPCP executed a coordinated software supply chain attack that compromised more than 170 packages across two of the most widely used open-source repositories: npm and PyPI.

According to security firm Aikido Security, 373 package versions across 169 namespaces were hit. SafeDep put the number at 404 versions across 170 npm packages, plus two PyPI packages.

The victims include household names in the developer world: 42 TanStack Router packages (used by millions of React developers), 66 UiPath packages, 87 Squawk packages, 30 TallyUI packages, the Mistral AI SDK on both npm and PyPI, and the Guardrails AI PyPI package.

This wasn't a slow, quiet intrusion. It spread in hours.

The Mistral AI Package Is the Headline

Microsoft Threat Intelligence publicly flagged the compromise on May 12, 2026, via an X post. Their finding: version 2.4.6 of the `mistralai` PyPI package had malicious code injected directly into `mistralai/client/__init__.py` — the very first file that runs when a developer imports the library.

The attack fires the moment you use the package. No additional interaction required.

The injected code silently connects to a remote server at IP address 83.142.209.194, downloads a file called `transformers.pyz` to `/tmp/`, and launches it in the background on Linux machines.

The filename is NOT random. It's designed to mimic Hugging Face's Transformers library — one of the most used tools in all of machine learning. Attackers knew exactly what would blend in.

What the Malware Actually Does

The second-stage payload, dubbed Mini Shai-Hulud (yes, named after the giant sandworms from Frank Herbert's Dune), is primarily a credential stealer. According to Microsoft and analysis from cybersecurity firm Wiz, it targets:

  • GitHub and npm tokens
  • Cloud credentials (AWS, Azure, GCP)
  • API keys
  • Kubernetes service account tokens
  • SSH keys
  • Cryptocurrency wallet data
  • Secrets tied to AI tools and messaging applications

It also installs a persistent service called `pgsql-monitor.service` with a file named `pgmonitor.py`. Those names are designed to look like routine database monitoring. They are NOT.

Then there's the dead man's switch. According to CSO Online, if a developer revokes a stolen GitHub token — the obvious first response when you realize you've been compromised — the malware attempts to delete the user's entire home directory. It punishes you for trying to protect yourself.

The Geo-Aware Wipe Capability

The malware contains country-aware logic.

According to reporting from Tom's Hardware and cryip.co, the payload is programmed to skip Russian-language systems — a common behavior in cybercriminal tools that suggests, though does NOT confirm, Eastern European or Russian-affiliated actors. Microsoft noted this explicitly but cautioned against using it as definitive attribution.

On machines appearing to be located in Israel or Iran, the malware includes a destructive branch capable of executing `rm -rf /` — a command that wipes an entire Linux system. Not theft. Destruction.

Most mainstream coverage mentions the credential theft but overlooks the targeted wipe capability.

How They Got In — This Is the Part Developers Need to Read

TeamPCP didn't crack passwords. They didn't brute-force accounts.

According to StepSecurity and a post-mortem published by TanStack itself, the attackers chained three known vulnerabilities that individually sound minor but together are catastrophic:

1. A `pull_request_target` misconfiguration — a GitHub Actions trigger that runs a workflow on third-party pull requests with the base repository's elevated permissions, commonly enabled to spare maintainers from approving every run
2. GitHub Actions cache poisoning across the fork-to-base trust boundary
3. Runtime memory extraction of short-lived OIDC tokens from the Actions runner process

They staged a payload in a GitHub fork, renamed the fork to `zblgg/configuration` to obscure it, then opened a pull request to trigger the vulnerable workflow. When legitimate maintainers later merged their own PRs, the release pipeline was already poisoned.

No stolen passwords. No phishing. Just three misconfigurations chained together by people who knew exactly what they were doing.
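The first link in that chain is the one a repository owner can check for in minutes. The following is an added example (not TanStack's post-mortem tooling or StepSecurity's scanner) that flags the risky shape described above: a workflow triggered by `pull_request_target` that also checks out the pull request's head revision, so fork-controlled code runs with the base repository's token. Both workflow texts are constructed for illustration; the linter is regex-based so it needs no YAML library.

```python
"""Lint GitHub Actions workflow text for the pull_request_target plus
PR-head-checkout pattern. Added example for this article, not project code.
Sample workflows below are constructed, not taken from any real repository."""
import re

# Constructed sample: pull_request_target trigger AND checkout of the PR head.
# Any install or build step after that checkout runs fork code with secrets.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: npm ci && npm test
"""

# Constructed sample: the same job on the plain pull_request trigger, where a
# fork PR gets a read-only token and no repository secrets.
SAFER_WORKFLOW = """\
name: ci
on:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""

# Expressions that point checkout at the untrusted pull request head.
HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)")


def trigger_block(text):
    """Return the text of the top-level 'on:' mapping (inline or block form)."""
    block, inside = [], False
    for line in text.splitlines():
        if re.match(r"^on\s*:", line):
            inside = True
            block.append(line)
            continue
        if inside:
            if line.strip() and not line[0].isspace():
                break  # next top-level key ends the trigger section
            block.append(line)
    return "\n".join(block)


def lint_workflow(text):
    """Return a list of (severity, message) findings for one workflow file."""
    findings = []
    if not re.search(r"\bpull_request_target\b", trigger_block(text)):
        return findings
    refs = sorted({m.group(1) for m in HEAD_CHECKOUT.finditer(text)})
    if refs:
        findings.append(("high",
            "pull_request_target workflow checks out the pull request head "
            f"({', '.join(refs)}); fork code then runs with the base "
            "repository's token and secrets"))
    else:
        findings.append(("medium",
            "workflow uses pull_request_target; confirm no step builds or "
            "executes pull-request-controlled content"))
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("safer", SAFER_WORKFLOW)):
        print(name, lint_workflow(wf) or "no findings")
```

Run it over every file under `.github/workflows/` of a repository you maintain; a `high` finding means the privileged trigger and the untrusted checkout coexist in one workflow, which is exactly the configuration the attackers needed. The usual fix is to run fork pull requests on `pull_request` and keep any step that needs write access in a separate workflow that never checks out or executes PR content.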

What Mainstream Coverage Is Getting Wrong

Most outlets are treating this as a Mistral AI story. It's NOT just a Mistral AI story.

Mistral is getting the headlines because it's a recognizable AI brand and Microsoft flagged it publicly. But TanStack Router is arguably the more dangerous vector — it's embedded in tens of thousands of React applications. UiPath is used in enterprise automation workflows across Fortune 500 companies. The scale of potential downstream exposure dwarfs the Mistral package alone.

Also underreported: the worm capability. Mini Shai-Hulud doesn't just steal — it uses compromised npm and GitHub tokens to publish malicious versions of other packages the victim has write access to. One infected developer can become the attack vector for their entire organization's open-source footprint.

What You Need to Do Right Now

If your organization uses any of the affected packages — especially `mistralai` version 2.4.6, any `@tanstack` package, `@uipath`, or `guardrails-ai` — assume compromise until proven otherwise.

Audit every token, API key, and cloud credential accessible from affected developer machines. Rotate all of them. Check for `pgsql-monitor.service` running on Linux dev boxes. Look for `pgmonitor.py` anywhere it shouldn't be.
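The host checks above, together with the indicators given earlier (the `mistralai` 2.4.6 version, the `/tmp/transformers.pyz` drop, the `pgsql-monitor.service` unit and `pgmonitor.py` script), can be scripted. The following is an added example, not tooling from Microsoft, Wiz, Aikido or SafeDep. It takes a filesystem root, a site-packages directory and a home directory as parameters so it can run against a constructed sample tree (built by `build_sample_tree`, whose contents are invented for this example and contain no executable payload) as well as a live Linux box. The import-time download heuristic (an IP literal, a network or subprocess call, and a `/tmp/` path all in one `__init__.py`) is an assumption of this example, not a published detection rule.

```python
"""Triage a Linux developer machine for the indicators named in this article.
Added example, not vendor tooling. Sample tree and heuristics are constructed."""
import re
import tempfile
from pathlib import Path

AFFECTED_PYPI = {"mistralai": {"2.4.6"}}          # version named in the article
IOC_FILES = ["tmp/transformers.pyz"]              # dropped second-stage payload
IOC_UNIT = "pgsql-monitor.service"                # persistence unit name
IOC_SCRIPT = "pgmonitor.py"                       # persistence script name
UNIT_DIRS = ["etc/systemd/system", "usr/lib/systemd/system", ".config/systemd/user"]
# Heuristic for import-time download-and-run code (assumption of this example).
IP_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
NET_OR_EXEC = re.compile(r"urlopen|urlretrieve|socket\.|requests\.get|subprocess\.Popen")


def installed_version(site_packages, dist):
    """Read the Version: field from a dist-info METADATA file, if installed."""
    for d in Path(site_packages).glob(f"{dist}-*.dist-info"):
        meta = d / "METADATA"
        if meta.exists():
            m = re.search(r"^Version:\s*(\S+)", meta.read_text(), re.M)
            if m:
                return m.group(1)
    return None


def scan_init_files(site_packages):
    """Return __init__.py files whose source matches the download heuristic."""
    hits = []
    for init in Path(site_packages).rglob("__init__.py"):
        src = init.read_text(errors="ignore")
        if IP_LITERAL.search(src) and NET_OR_EXEC.search(src) and "/tmp/" in src:
            hits.append(str(init))
    return hits


def triage(root, site_packages, home):
    """Return a list of human-readable findings; empty means nothing matched."""
    root, home, findings = Path(root), Path(home), []
    for dist, bad in AFFECTED_PYPI.items():
        v = installed_version(site_packages, dist)
        if v in bad:
            findings.append(f"affected package installed: {dist}=={v}")
    for rel in IOC_FILES:
        if (root / rel).exists():
            findings.append(f"payload artifact present: /{rel}")
    for d in UNIT_DIRS:
        base = home if d.startswith(".") else root   # user vs system unit dirs
        if (base / d / IOC_UNIT).exists():
            findings.append(f"persistence unit present: {base / d / IOC_UNIT}")
    for p in home.rglob(IOC_SCRIPT):
        findings.append(f"persistence script present: {p}")
    for hit in scan_init_files(site_packages):
        findings.append(f"import-time download pattern in: {hit}")
    return findings


def build_sample_tree(base):
    """Constructed sample tree reproducing every indicator; returns the three paths."""
    base = Path(base)
    sp = base / "venv/lib/site-packages"
    (sp / "mistralai-2.4.6.dist-info").mkdir(parents=True)
    (sp / "mistralai-2.4.6.dist-info/METADATA").write_text(
        "Metadata-Version: 2.1\nName: mistralai\nVersion: 2.4.6\n")
    (sp / "mistralai/client").mkdir(parents=True)
    # Inert stand-in: a string literal only, nothing runs on import. The IP is
    # the 203.0.113.0/24 documentation range, not the address from the article.
    (sp / "mistralai/client/__init__.py").write_text(
        'SAMPLE = "urlopen(\'http://203.0.113.10/x\') -> /tmp/transformers.pyz"\n')
    (sp / "okpkg").mkdir()
    (sp / "okpkg/__init__.py").write_text("import os\n")   # benign control
    (base / "tmp").mkdir()
    (base / "tmp/transformers.pyz").touch()
    home = base / "home/dev"
    (home / ".config/systemd/user").mkdir(parents=True)
    (home / ".config/systemd/user" / IOC_UNIT).touch()
    (home / ".local/share").mkdir(parents=True)
    (home / ".local/share" / IOC_SCRIPT).touch()
    return base, sp, home


def triage_sample():
    """Build the constructed tree in a temp dir and triage it."""
    root, sp, home = build_sample_tree(tempfile.mkdtemp())
    return triage(root, sp, home)


if __name__ == "__main__":
    for f in triage_sample():
        print("FINDING:", f)
```

On a real host call `triage("/", sysconfig.get_paths()["purelib"], Path.home())` for each virtual environment, since the affected package may be installed in several. Any finding means the credential audit and rotation described above is mandatory, not optional, and the host should be imaged before cleanup rather than having the stolen token revoked from that machine first, given the dead man's switch reported above.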

The open-source ecosystem runs on trust. TeamPCP just weaponized that trust at scale — and they'll do it again.

Sources

csoonline.com: Mistral AI SDK, TanStack Router hit in npm software supply chain attack | CSO Online
tomshardware.com: Compromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection — supply-chain campaign spreads across npm and AI developer ecosystems like wildfire | Tom's Hardware
gbhackers.com: Microsoft Warns: MistralAI PyPI Package Compromised with Malware
cybernews.com: Mistral AI allegedly breached by Dune-loving criminals following TanStack supply chain hit, 450 repositories exposed
cyberpress.org: Microsoft Warns Of Compromised mistralai PyPI Package
cybersecuritynews.com: MistralAI PyPI Package Compromised to Inject Malicious Code - Microsoft Warns
securityweek.com: TanStack, Mistral AI, UiPath Hit in Fresh Supply Chain Attack - SecurityWeek
cryip.co: Mistral AI Supply Chain Attack: Hackers Inject Malware Into PyPI Package, Microsoft Warns Developers | Cryip
cyberwebspider.com: mistralai PyPI Package Security Breach
cryptika.com: MistralAI PyPI Package Compromised to Inject Malicious Code – Microsoft Warns | Cryptika Cybersecurity