Mistral AI SDK, TanStack Router hit in npm software supply chain attack
Summary
The TeamPCP threat group has launched a significant software supply chain attack, compromising 170 npm and PyPI packages, including the TanStack Router ecosystem and Mistral AI's SDK. The attack leveraged a weakness in GitHub Actions' `pull_request_target` trigger to inject the Mini Shai-Hulud malware, which steals developer credentials and includes a destructive 'dead man's switch'.
IFF Assessment
This article details a successful software supply chain attack that compromises popular development tools and injects malicious malware, posing a direct threat to developers and organizations using affected packages.
Defender Context
This incident highlights the critical importance of securing software supply chains by thoroughly vetting package dependencies and understanding the security implications of CI/CD pipeline configurations, particularly concerning automated workflow triggers.