A coordinated supply chain attack involving the hacker group TeamPCP has targeted over 170 packages across notable platforms, including 42 packages from TanStack and 65 from UiPath, as well as Mistral AI’s packages, among others. This attack, dubbed the Mini Shai-Hulud campaign, exploited a combination of pull_request_target misconfigurations, GitHub Actions cache poisoning, and OIDC token extraction, enabling attackers to publish malicious versions of legitimate software. With a history of similar attacks earlier in 2026, TeamPCP has increasingly focused on harvesting developer credentials through sophisticated methods, including new decentralized exfiltration channels resistant to takedowns. Affected users are urged to audit their systems and take steps to secure their environments.

GitHub: GitHub is the premier platform for code hosting, collaboration, and CI/CD automation through GitHub Actions and features like OIDC federation for secure identities. It powers open-source development with workflows, forks, and provenance tools. The attack exploited GitHub’s pull_request_target workflows, cache poisoning, and OIDC tokens to hijack pipelines and publish malicious artifacts.
Squawk: Squawk encompasses NPM packages under the @squawk scope, such as @fleettools/squawk for agent coordination and durable messaging in developer tools. A related PyPI package enables SQL queries on structured files like logs and CSVs. Over a dozen Squawk packages were compromised, with multiple malicious versions published per package.
UiPath: UiPath offers an agentic automation platform combining robotic process automation with AI for business orchestration in enterprises, particularly regulated sectors. Recent updates include on-premises agentic AI via Automation Suite for public sector use. Attackers targeted UiPath by compromising 65 NPM packages and publishing malicious versions across the automation platform.
TeamPCP: TeamPCP is a threat actor known for sophisticated multi-stage supply chain attacks on open-source ecosystems, including NPM and PyPI. They previously compromised security tools like Trivy, Checkmarx KICS, and LiteLLM to enable credential theft and propagation. This Mini Shai-Hulud campaign, themed around Dune, was attributed to them for targeting high-profile projects like TanStack and Mistral AI.
TanStack: TanStack provides headless, type-safe, composable open-source tools for modern web development, including Query for data synchronization, Router for navigation, Table for data grids, and Start as a full-stack React framework. They recently introduced TanStack AI for provider-agnostic streaming, tool calling, and debugging in AI applications. In this supply chain attack, attackers exploited TanStack’s CI/CD pipeline to publish malicious versions of 42 NPM packages with injected credential-stealing malware.
Mistral AI: Mistral AI is a French startup developing open-weight large language models and an enterprise platform for customizing AI assistants, agents, and multimodal applications. Their models excel in chat, coding, agentic tasks, and reasoning, positioning them as Europe’s key AI contender. The campaign compromised Mistral AI’s PyPI packages across core SDK, Azure, and GCP integrations, publishing malicious versions.
OpenSearch: OpenSearch is a community-driven, open-source search and analytics engine forked from Elasticsearch, supporting vector search and AI applications. Its JavaScript client facilitates integration into web apps for search functionalities. The official OpenSearch JavaScript client was hit, with attackers publishing five malicious versions.
Guardrails AI: Guardrails AI is an open-source Python package for validating, correcting, and structuring LLM outputs using customizable guards for quality and safety. It includes validators for PII detection and other structured tasks. The Guardrails AI PyPI package was injected with a modular credential stealer targeting Linux systems and password managers.

Exploit Chain: Attackers combined pull_request_target misconfigurations, GitHub Actions cache poisoning, and OIDC token memory extraction to bypass protections.
Exfiltration Method: Malware introduced decentralized Session network channels for resilient, encrypted credential exfiltration resistant to takedowns.
Threat Actor History: TeamPCP conducted supply chain attacks on Trivy, LiteLLM, and Checkmarx KICS earlier in 2026, focusing on developer credential theft.
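
A defender-side check for the three conditions named under Exploit Chain above, as an added example that is not from the original page or from any affected project. It flags workflow files where a pull_request_target trigger checks out the pull request's head, and notes whether actions/cache or an id-token: write permission appears in the same file. It is a text heuristic at file level (no YAML parsing, no per-job analysis); the finding codes and the sample workflow are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample workflow for illustration (not from any affected project).
SAMPLE = """\
on:
  pull_request_target:
permissions:
  id-token: write   # lets the job request an OIDC token
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with: {path: node_modules, key: deps}
      - run: npm ci && npm test
"""

PATTERNS = {
    "pr_target": re.compile(r"^\s*pull_request_target\s*:|^\s*on\s*:.*\bpull_request_target\b", re.M),
    "head_checkout": re.compile(r"\bref\s*:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)"),
    "cache": re.compile(r"uses\s*:\s*actions/cache(/restore|/save)?@"),
    "oidc": re.compile(r"id-token\s*:\s*write"),
}

def audit_workflow(text):
    """Return finding codes for one workflow file (text heuristic, file-level)."""
    # Drop YAML comments so commented-out steps do not trigger findings.
    body = "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())
    hit = {name: bool(rx.search(body)) for name, rx in PATTERNS.items()}
    # Without a PR-head checkout, pull_request_target runs the base branch's code.
    if not (hit["pr_target"] and hit["head_checkout"]):
        return []
    findings = ["untrusted-checkout"]
    if hit["cache"]:
        findings.append("cache-writable-by-untrusted-code")
    if hit["oidc"]:
        findings.append("oidc-token-reachable")
    return findings

def audit_repo(root):
    """Map workflow file name -> findings for <root>/.github/workflows."""
    files = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    results = {p.name: audit_workflow(p.read_text(encoding="utf-8")) for p in files}
    return {name: found for name, found in results.items() if found}
```

Call `audit_repo(".")` from a repository root to list the workflow files that need manual review; an empty result means the heuristic found nothing, not that the workflows are safe.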