Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

TeamPCP has compromised multiple popular open-source packages across npm and PyPI repositories in a new supply chain attack campaign dubbed Mini Shai-Hulud. The threat actor targeted packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI.

The compromised npm packages contain an obfuscated JavaScript file named "router_init.js" that profiles execution environments and collects system data. This reconnaissance capability allows TeamPCP to gather information about infected systems before deploying additional payloads or malware.

This campaign represents an escalation in TeamPCP's supply chain attack operations. The group has demonstrated a pattern of compromising legitimate package repositories to distribute malicious code to developers who unknowingly download infected versions. By targeting widely-used libraries across multiple ecosystems, TeamPCP maximizes exposure to downstream users and organizations.

The risk extends far beyond initial downloaders. Developers who integrate these packages into applications inadvertently distribute the malware to end users and enterprise environments. Organizations using affected versions face potential data exfiltration, system profiling, and follow-on attack stages.

The specific packages affected include both frontend development tools through npm and AI-related packages on PyPI, indicating TeamPCP's broad targeting strategy. The obfuscated JavaScript suggests the group employs anti-analysis techniques to evade detection by security researchers and automated scanning tools.

Security teams should immediately inventory their dependencies to identify exposure to TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI packages. Organizations should audit package versions deployed before the discovered compromise dates and rotate credentials for systems that may have installed affected versions.

The npm and PyPI communities have reportedly removed the malicious packages, but developers who cached or mirrored these versions must purge them from internal repositories. This incident underscores the ongoing risk posed