VulnHub

Real-time Cybersecurity News

Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages

The Hacker News
Actively Exploited
Malware

Overview

A group identified as TeamPCP has been linked to a series of supply chain attacks that have affected several popular software packages, including those from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. These attacks involved modifying npm and PyPI packages to include a hidden JavaScript file named 'router_init.js', which is designed to gather information about how the software is executed. This kind of attack can significantly impact users, as it compromises the integrity of software dependencies that many developers rely on. The obfuscation of the malicious code makes it difficult for users to detect the threat. As this campaign unfolds, developers and users of the affected packages should remain vigilant and consider reviewing their dependencies to ensure they are not using compromised versions.

Key Takeaways

  • Active Exploitation: This vulnerability is being actively exploited by attackers. Immediate action is recommended.
  • Affected Systems: TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI (npm and PyPI packages)
  • Action Required: Users should review and update their dependencies to ensure they are using unmodified versions of the affected packages.
  • Timeline: Newly disclosed

Original Article Summary

TeamPCP, the threat actor behind the recent supply chain attack spree, has been linked to the compromise of the npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI as part of a fresh Mini Shai-Hulud campaign. The affected npm packages have been modified to include an obfuscated JavaScript file ("router_init.js") that's designed to profile the execution

Impact

TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI (npm and PyPI packages)

Exploitation Status

This vulnerability is confirmed to be actively exploited by attackers in real-world attacks. Organizations should prioritize patching or implementing workarounds immediately.

Timeline

Newly disclosed

Remediation

Users should review and update their dependencies to ensure they are using unmodified versions of the affected packages.

Additional Information

This threat intelligence is aggregated from trusted cybersecurity sources. For the most up-to-date information, technical details, and official vendor guidance, please refer to the original article linked below.

Related Topics: This incident relates to Malware.

Read Original Article

Related Coverage

Global Cyber Agencies Issue New SBOMs for AI Guidance to Tackle AI Supply Chain Risks

Infosecurity Magazine

The G7 Cybersecurity Working Group has released a new Software Bill of Materials (SBOM) specifically for artificial intelligence systems. This guidance aims to enhance transparency and security within AI supply chains by focusing on seven key data clusters. These clusters are designed to help organizations better understand and manage the risks associated with AI technologies. By implementing these guidelines, companies can improve their security posture and mitigate potential vulnerabilities that may arise from third-party components in AI systems. This initiative is crucial as the AI sector continues to grow, and ensuring the integrity of these systems is essential for user trust and safety.

May 13, 2026

Microsoft’s agentic security system found four critical Windows RCE flaws

Help Net Security

Microsoft's new agentic security system has identified 16 vulnerabilities in the Windows networking and authentication stack, including four critical remote code execution (RCE) flaws. Among these, CVE-2026-40361 and CVE-2026-40364 are particularly concerning due to their higher likelihood of being exploited by attackers. These vulnerabilities could allow unauthorized users to execute arbitrary code on affected systems, potentially leading to severe security breaches. Organizations using Microsoft Windows should prioritize addressing these vulnerabilities to protect their systems from potential exploitation, especially as the threat landscape evolves. The discovery of these flaws underscores the importance of continuous security assessments in software development and deployment.

May 13, 2026

Hundreds of Malicious Packages Force RubyGems to Suspend Registrations

SecurityWeek

RubyGems, the popular package manager for the Ruby programming language, has suspended new registrations after more than 500 malicious packages were uploaded during a recent attack. The incident primarily targeted RubyGems itself rather than end users. While the exact motives behind this attack remain unclear, it raises concerns about the security of software supply chains. Developers who rely on RubyGems for their projects may need to be cautious about the integrity of packages they download. This situation underscores the need for ongoing vigilance in monitoring package sources and ensuring that only trusted packages are used in development environments.

May 13, 2026

Researchers open-source a Wi-Fi cyber range for security training

Help Net Security

Researchers from the Norwegian University of Science and Technology and the University of the Aegean have developed a new open-source Wi-Fi cyber range designed specifically for security training. Unlike typical training programs that treat Wi-Fi as just another component alongside other wireless technologies, this new resource focuses solely on the IEEE 802.11 standard, which is crucial as Wi-Fi is often the primary entry point for cyber attackers targeting corporate networks. This initiative addresses a significant gap in hands-on training environments, providing a dedicated platform for professionals to enhance their skills in defending against Wi-Fi related security threats. By making this tool freely available, the researchers aim to improve the overall security posture of organizations that rely heavily on wireless networks.

May 13, 2026

US govt seeks Instructure testimony on massive Canvas cyberattack

BleepingComputer

The U.S. House Committee on Homeland Security has called for testimony from executives at Instructure regarding two significant cyberattacks on its Canvas platform, executed by the ShinyHunters extortion group. These attacks compromised sensitive student data and caused disruptions in schools, particularly during critical final exam periods. The incidents raised alarms about the security measures in place to protect educational institutions, as they directly affect students' academic performance and privacy. The committee's inquiry highlights the growing concern over cyber threats targeting educational technology, emphasizing the need for stronger safeguards against such breaches. As schools increasingly rely on digital platforms, the implications of these attacks could lead to calls for more stringent regulations and practices to protect student information.

May 12, 2026

‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack

CyberScoop

A new malware known as 'Mini Shai-Hulud' has compromised hundreds of open-source packages in a significant supply-chain attack. This malware has targeted major registries, disguising itself behind legitimate release signatures, which allows it to infiltrate software updates unnoticed. As a result, developers and organizations relying on these open-source packages may unknowingly integrate malicious code into their applications. This incident emphasizes the vulnerabilities present in the software update process and raises concerns about the security of open-source software. Researchers are urging developers to be vigilant and to verify the integrity of their dependencies before use.

May 12, 2026