Mini Shai-Hulud Strikes Again: TanStack + more npm Packages Compromised
ID: ac7f5a87-f3ce-57c2-a3da-161b423111f4
STIX ID: report--ac7f5a87-f3ce-57c2-a3da-161b423111f4
Feed Name: Wiz Blog
On 11 May 2026, a supply-chain campaign attributed to TeamPCP compromised multiple npm and PyPI packages, notably @tanstack/react-router, many @tanstack packages, multiple @uipath packages, mistralai, and guardrails-ai. The attackers exploited GitHub Actions and poisoned caches to publish trojanized releases. The payloads are credential stealers and self-propagating worms that exfiltrate secrets via a typosquat domain, the Session messenger network, and GitHub dead drops. They also include a persistent gh-token-monitor wiper and contain numerous IoCs (file hashes, C2 domain git-tanstack.com, Session seeds, and C2 IP 83.142.209.194).
