TeamPCP campaign expands across multiple victims
Campaign
Summary
Hide ▲
Show ▼
The TeamPCP / Mini Shai-Hulud supply-chain operation is actively compromising hundreds of packages, exposing downstream developers to malware delivery and credential theft. The activity spans packages tied to TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI, showing a broad multi-victim footprint. The stolen credentials are intended to extend the breaches and widen access across affected environments.
Related Happenings
Mistral AI hit by network compromise
Incident
First: 15.05.2026 01:50
Last: 15.05.2026 01:50
Sources 1
About this happening:
Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....
Mistral AI hit by network compromise
IncidentAbout this happening: Mistral AI disclosed a **codebase management system compromise** tied to the **Mini Shai-Hulud** supply-chain attack, and the intrusion briefly contaminated some **SDK packages**....
OpenAI hit by cyberattack
Incident
First: 14.05.2026 22:07
Last: 14.05.2026 22:07
Sources 1
How related:
OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner.
About this happening:
OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...
OpenAI hit by cyberattack
IncidentHow related: OpenAI has disclosed that two of its employee devices in its corporate environment were impacted via the Mini Shai-Hulud supply chain attack on TanStack, but noted that no user data, production systems, or intellectual property were compromised or modified in an unauthorized manner.
About this happening: OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...
TanStack hit by network compromise
Incident
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
**TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
TanStack hit by network compromise
IncidentAbout this happening: **TanStack** was hit by a **package compromise** on **May 11, 2026**, when attackers published **84 malicious versions** across **42 @tanstack/* packages** and abused the release...
Latest development: 21.05.2026 11:00
On May 17, 2026, Grafana Labs said an unauthorized attacker had downloaded its codebase after accessing the firm's GitHub environment, and the company later said additional internal operational information and business contact names and email addresses were taken from its GitHub repositories; Grafana Labs said there was no indication that customer production systems or the Grafana Cloud platform were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
CampaignAbout this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
How related:
"We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access."
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityHow related: "We observed activity consistent with the malware's publicly described behavior, including unauthorized access and credential-focused exfiltration activity, in a limited subset of internal source code repositories to which the two impacted employees had access."
About this happening: The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
Timeline
-
15.05.2026 13:54 2 articles · 12d ago
TeamPCP Mini Shai-Hulud campaign expands across multiple package ecosystems
Campaign Scope UpdateTeamPCP's Mini Shai-Hulud supply chain campaign is linked to hundreds of compromised packages associated with TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI, with malware pushed to downstream developers to steal credentials and broaden access across affected environments. Reporting also ties the operation to trojanized npm and PyPI SDKs for Mistral AI, a threatened leak of internal source code from Mistral AI, and malware behavior that uses a hard-coded primary C2 server, a FIRESCALE fallback path, and destructive actions on systems geolocated to Israel or Iran.
Show sources
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates — thehackernews.com — 15.05.2026 13:54
- TanStack Supply Chain Attack Hits Two OpenAI Employee Devices, Forces macOS Updates — thehackernews.com — 15.05.2026 13:54