Massive Coordinated Supply Chain Attack Compromises 170+ npm and 2 PyPI Packages, Including Mistral AI SDKs
Key Takeaways
- 170+ npm packages and 2 PyPI packages compromised in a single coordinated attack—one of the largest registry poisoning events of 2026
- Mistral AI's official SDKs on both npm (@mistralai/mistralai) and PyPI (mistralai) were directly targeted alongside projects from TanStack, UiPath, and Guardrails AI
- Attack used platform-specific vectors: file injection into development configuration directories on npm, Python dropper with remote code execution on PyPI
Summary
A coordinated supply chain attack on May 11, 2026 represents one of the largest registry poisoning campaigns to date, compromising over 170 npm packages and 2 PyPI packages across 404 malicious versions. The attack specifically targeted major open-source projects and companies, including the entire TanStack router ecosystem (42 packages), Mistral AI's official SDK suite (both JavaScript and Python), UiPath's automation tooling (65 packages), OpenSearch (1.3M weekly npm downloads), and Guardrails AI's validation framework. This marks the first major attack to span both npm and PyPI simultaneously, utilizing different attack vectors on each platform.
The compromised Mistral AI packages include the official @mistralai/mistralai JavaScript/TypeScript SDK on npm and mistralai==2.4.6 on PyPI. On npm, attackers injected malicious code dropping configuration files into .claude/ and .vscode/ directories; the PyPI version employed a Python dropper that downloads and executes transformers.pyz from an attacker-controlled domain. The payload targeted credential theft and system reconnaissance, with probes for AWS metadata, HashiCorp Vault configurations, and GitHub tokens. Security firms SafeDep and Socket are tracking the campaign as "mini-shai-hulud."
Response efforts are underway, with PyPI quarantining the mistralai and guardrails-ai projects entirely. The attacker infrastructure has been identified and flagged—the malicious git-tanstack[.]com domain is now marked as a suspected phishing site by Cloudflare. Developers using affected packages are urged to immediately update to clean versions and audit for signs of compromise, including unexpected files and unauthorized credential access.
- PyPI quarantined affected projects; attacker infrastructure identified and flagged by Cloudflare; immediate updates and security audits recommended
Editorial Opinion
This attack marks a watershed moment for open-source supply chain security. The coordination, scale, and sophistication—spanning multiple registries with tailored attack vectors—demonstrate that threats have evolved far beyond targeting single high-value packages. The direct compromise of Mistral AI's official SDKs proves that even verified, well-resourced publishers are vulnerable to infrastructure takeover. The industry must accelerate adoption of cryptographic package verification, sandboxed installation environments, and mandatory supply chain transparency to protect the AI development ecosystem.