Hackers have compromised dozens of popular open source packages in an ongoing supply-chain attack
ID: 47aa1a87-1ea7-54db-8a61-746167eb4148
STIX ID: report--47aa1a87-1ea7-54db-8a61-746167eb4148
Feed Name: TechCrunch Security News
Security firms report an ongoing supply-chain campaign called “Mini Shai-Hulud”, in which attackers took over developer accounts and published malicious updates (over 630 malicious versions across 317 open-source packages in ~20 minutes) to steal credentials, including from password managers, and spread malware. Affected projects include AntV and the TanStack library, with downstream impacts reaching OpenAI employees.
