AntV data visualization tool the latest to be hit by ongoing npm supply chain attacks

Mini Shai-Hulud npm campaign compromises @antv packages, targeting blockchain developers’ GitHub tokens, AWS keys, and CI/CD secrets in a coordinated supply chain attack. The malicious publishes started just before 2 a.m. UTC on May 19. By the time most developers on the East Coast had their first coffee, the damage was already done. Socket’s Threat […] The post npm Supply Chain Attack Hits @antv: Blockchain Dev Secrets Now Exposed appeared first on Live Bitcoin News.

The era of “all-you-can-eat” AI coding and agent subscriptions may well be ending. Beginning June 15, Anthropic will separate programmatic Claude usage from standard chat subscription limits, introducing a dedicated monthly credit system, billed at API-style rates, for tools including its Agent SDK, GitHub Actions, and third-party frameworks such as OpenClaw, the company wrote in a blog post. The monthly credit for programmatic usage will depend on a user’s existing Claude subscription tier and generally mirror its monthly price, with Pro users receiving $20 in credits, Max 5x users $100, and Max 20x users $200. In April, Anthropic had announced via a post on X that Claude subscriptions would “no longer cover usage on third-party tools like OpenClaw”, citing compute capacity restraints, and effectively forcing developers using external agent frameworks either to purchase additional usage bundles or switch to direct API access. Before that change, programmatic workloads and interactive

The post OpenAI says no user data exposed after TanStack npm supply chain attack hit employee devices appeared on BitcoinEthereumNews.com. OpenAI has admitted that two employee devices were compromised through malicious versions of TanStack npm packages. The company is insisting that no evidence that user data, production systems, or intellectual property were tampered with was found. Was OpenAI hacked? OpenAI has confirmed that malicious actors breached two of its employee devices as part of a massive software supply chain campaign called “Mini Shai-Hulud.” OpenAI previously deployed controls to limit supply chain attack exposure after an incident with Axios, but the two affected employee devices had not yet received the updated configurations that would have blocked the malicious package download. The attack targeted TanStack, an open-source library used by millions of developers. The attackers published 84 malicious versions across 42 npm packages, including the popular @tanstack/re

The post TanStack, Mistral AI, UiPath targeted in major supply chain attack compromising 170+ packages appeared on BitcoinEthereumNews.com. A coordinated software supply chain attack compromised over 170 packages across the npm and PyPI registries on May 11, hitting some of the most widely used developer tools in the ecosystem. TanStack, Mistral AI, UiPath, and Guardrails AI were among the primary victims. The attack, dubbed “Mini Shai-Hulud,” was carried out by a group calling itself TeamPCP. Between 373 and 404 malicious package versions were published in a roughly five-hour window, each designed to look indistinguishable from legitimate releases. How the attack worked The attackers exploited vulnerabilities in GitHub Actions workflows, specifically targeting a misconfigured pull_request_target workflow combined with cache poisoning techniques. They also abused OpenID Connect (OIDC) tokens, which are used to authenticate automated publishing pipelines between GitHub and package regis

The attack highlights the critical need for enhanced security measures in software supply chains to protect digital asset infrastructures. The post TanStack, Mistral AI, UiPath targeted in major supply chain attack compromising 170+ packages appeared first on Crypto Briefing.

TeamPCP open-sourced Shai-Hulud today. The OIDC token extraction technique that made the TanStack attack different from every previous campaign is now a public toolkit.

OpenAI details its response to the TanStack “Mini Shai-Hulud” supply chain attack, outlines protections taken to secure systems and signing certificates, and explains why macOS users must update OpenAI apps by June 12, 2026. Learn what happened, what was affected, and how OpenAI is strengthening defenses against evolving software supply chain threats.

The TeamPCP threat group has pulled off another big supply chain attack which within a few hours this week was able to successfully compromise 170 Node Package Manager (npm) and PyPI packages. The attack affected the entire TanStack Router ecosystem (@tanstack) of 42 packages, a routing library hugely popular among React web application developers. Multiple other packages were also affected, including @squawk (87 packages), @uipath (66 packages), @tallyui (30 packages), @beproduct (18 packages), as well as Mistral AI’s SDK suite on both npm and PyPI, and the Guardrails AI PyPI package. The attacks, noticed by several vendors using automated security tools, happened on May 11, spreading rapidly through package ecosystems thanks to the worm capabilities of the automated Mini Shai-Hulud malware platform, analysis found. The exact number of package versions caught up in the attack varies depending on the source; according to Aikido Security it was 373 across 169 package namespaces, while S