A massive supply chain attack has compromised over 170 npm packages, including popular libraries used by TanStack and Mistral AI. The attack published more than 400 malicious versions across the npm registry, potentially affecting thousands of downstream applications.
This is exactly the nightmare scenario security researchers have been warning about for years. And it just got real.
What Happened
According to security firm SafeDep, the attack didn't rely on compromising maintainer accounts—the usual vector for these attacks. Instead, attackers used a more sophisticated approach: exploiting the npm publishing workflow itself.
The malicious packages were crafted to look legitimate, often mimicking popular libraries with slight typos (a technique called "typosquatting") or inserting themselves as dependencies in the supply chain. Some posed as updates to existing packages.
Once installed, the malicious code could exfiltrate environment variables (which often contain API keys and credentials), inject backdoors into build processes, or pivot to compromise developer machines.
TanStack and Mistral AI are the high-profile names affected, but they're likely just the tip of the iceberg. These libraries are used by countless developers who may not even realize their builds are pulling in compromised dependencies.
Why Supply Chain Attacks Are So Dangerous
I've shipped code on npm. I know how the ecosystem works. When you run npm install, you're not just installing the package you asked for—you're installing its dependencies, and their dependencies, often recursively dozens of levels deep.
Most developers never audit these sub-dependencies. They can't. A modern JavaScript project might pull in hundreds or thousands of packages. The trust model is you trust the maintainer, and you trust everyone they trust.
That's a house of cards.
The 2021 Log4Shell vulnerability showed us what happens when a critical dependency has a security flaw. But at least that was an accident. Supply chain attacks are . They're adversaries deliberately poisoning the well.
