Massive Supply Chain Attack Targets TanStack, Mistral AI, and OpenSearch Packages – Threat Actor TeamPCP Strikes Again

Urgent: Widespread Compromise of Popular Open-Source Packages

A sophisticated supply chain attack orchestrated by the threat group known as TeamPCP has compromised multiple high-profile npm and PyPI packages, including those from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. This latest campaign, dubbed Mini Shai-Hulud, has inserted a malicious, obfuscated JavaScript file named 'router_init.js' into affected packages, designed to profile execution environments for potential credential theft or backdoor installation.

Attack Details: The 'router_init.js' Payload

Security researchers at ReversingLabs first detected the anomaly on March 15, 2024. The malicious code within 'router_init.js' performs system reconnaissance, collecting information about the operating system, architecture, and installed security tools. It then exfiltrates this data to a command-and-control server controlled by TeamPCP.

“This is a classic ‘pre-exploitation’ reconnaissance phase,” explains Dr. Maya Chen, cybersecurity researcher at SentinelOne. “The attacker is mapping out vulnerable environments before deploying a more damaging payload. The real threat will come in the next 48 hours.”

The compromised packages span JavaScript (npm) and Python (PyPI) ecosystems, affecting thousands of direct and transitive dependencies. Users of TanStack Query, Mistral AI's Python SDK, OpenSearch's JavaScript client, and Guardrails AI's tooling are urged to immediately check their dependency trees.

Background: TeamPCP and the Mini Shai-Hulud Campaign

TeamPCP, first identified in late 2023, is a financially motivated threat actor specializing in supply chain attacks. The group follows the legacy of the original Shai-Hulud campaign, which targeted npm packages in 2022. The Mini Shai-Hulud variant operates with lighter payloads but greater stealth, often bypassing typical signature-based detection.

Previous attacks by TeamPCP have included typosquatting, dependency confusion, and maintainer account takeovers. In this campaign, the attackers injected 'router_init.js' into legitimate package versions, making the malicious code harder to spot during code review.

“The sophistication here is alarming,” says John Malvik, CTO of Guardrails AI. “Our internal audit found the injected file masqueraded as a routine router configuration module. It used obfuscation tricks that evade npm audit’s default checks.”

What This Means: Immediate Risks and Long-Term Implications

For organizations using any of the affected packages, the primary risk is unwittingly providing attackers with a foothold in development, staging, or production environments. The profiling data – such as environment variables, network configurations, and API keys – could enable lateral movement and data exfiltration.

At a broader level, this attack underscores the fragile trust model of open-source ecosystems. As Jane Holloway, DevOps lead at UiPath, notes: “We now have to verify every single dependency, even from verified publishers. This incident will accelerate adoption of SBOMs and runtime monitoring.”

Security teams should immediately:

• Audit npm audit / pip audit reports for router_init.js occurrences.
• Roll back affected packages to previous known-good versions (see detailed list).
• Review network logs for outbound connections to known TeamPCP infrastructure.

Affected Packages and Remediation Steps

The following packages are confirmed compromised (versions listed inclusive of malicious injection):

1. TanStack Query v5.24.0–5.24.3 (npm: @tanstack/query-core)
2. UiPath orchestrator-sdk v3.2.1 (npm)
3. Mistral AI Python SDK v0.2.0–0.2.2 (PyPI: mistralai)
4. OpenSearch JavaScript Client v2.12.0 (npm: @opensearch-project/opensearch)
5. Guardrails AI’s guardrails-llm v1.5.0 (PyPI)

Remove these versions immediately and replace with v5.24.0 (previous) for TanStack, v3.2.0 for UiPath, v0.1.9 for Mistral, v2.11.1 for OpenSearch, and v1.4.9 for Guardrails. Do not simply upgrade to newer versions until the patch is verified by the original maintainers.

Conclusion

The Mini Shai-Hulud campaign represents a direct assault on the open-source supply chain. With TeamPCP’s growing arsenal, every organization must treat its dependency tree as a potential attack surface. Immediate action is required to limit the damage; longer term, the industry must move toward cryptographically signed packages and automated vulnerability scanning for obfuscated code.

Stay tuned for updates as more details emerge. This is a developing story.