Massive npm Supply Chain Attack 'Mini Shai-Hulud' Compromises Mistral, UiPath, TanStack Packages — Emergency Shasum Check Advised
A sweeping supply chain attack dubbed "Mini Shai-Hulud" has compromised numerous npm packages from major vendors including Mistral, UiPath, and TanStack (notably its react-router library), cybersecurity firm Socket reported today. Developers are urged to immediately run shasum -a 256 on all router_init.js files in their dependency trees to detect tampering.
Attack Details
The attackers injected malicious code into the npm registry, targeting packages used by thousands of projects worldwide. Initial analysis suggests the campaign leveraged compromised maintainer accounts to push tainted versions.
"This is a fast-moving threat that demands urgent attention," said a Socket security researcher. "The router_init.js file appears to be a common infection vector across affected packages."
Victims include Mistral AI's SDK, UiPath automation libraries, and TanStack's web development tools such as react-router and related utilities. The full scope is still under investigation.
Background
Supply chain attacks on the npm registry have become increasingly common, because a single compromised package can reach every project that depends on it, directly or transitively. Past incidents include the event-stream and ua-parser-js breaches.
The "Mini Shai-Hulud" name references the sandworms from Dune, hinting at the stealthy, worm-like propagation of the malware. The attack style mirrors previous campaigns where attackers patiently compromised packages over weeks.
Socket, which monitors open-source supply chain security, detected the malicious updates through behavioral analysis. The firm advises checking not only direct dependencies but also transitive ones.
Immediate Triage Steps
- Run shasum -a 256 router_init.js in every project folder. Compare the hash against known safe versions from official repositories.
- Audit your package-lock.json or yarn.lock for the affected package names. Temporarily pin versions to the last known clean release.
- Enable two-factor authentication on all npm accounts. Rotate CI/CD tokens if any may have accessed dubious packages.
What This Means
For developers, this incident underscores the fragility of relying on unverified open-source packages. Even reputable projects can be compromised if maintainer credentials are stolen.
"Organizations must treat their dependency tree as a critical infrastructure component," noted the Socket researcher. "Automated scanning, lock files, and integrity checks are now mandatory, not optional."
The attack may lead to data exfiltration, remote code execution, or supply chain poisoning further downstream. Companies using affected packages should initiate incident response protocols immediately.
Long-term, experts expect renewed calls for stronger registry security, including signed commits, package signing, and faster revocation mechanisms. The npm registry has introduced some measures, but the Mini Shai-Hulud attack shows gaps remain.
Socket has published a full list of compromised packages and their versions on its advisory page. Developers are encouraged to subscribe to security alerts for their dependency lists.