The axios supply chain compromise shows why risk begins after execution. Learn how to detect post-compromise behavior across CI/CD pipelines, identity systems, and network activity.
The attack highlights the critical need for enhanced security measures in software supply chains to protect digital asset infrastructures.
The post TanStack, Mistral AI, UiPath targeted in major supply chain attack compromising 170+ packages appeared first on Crypto Briefing.
The TeamPCP threat group has pulled off another big supply chain attack, which within a few hours this week compromised 170 Node Package Manager (npm) and PyPI packages.
The attack affected the entire TanStack Router ecosystem (@tanstack) of 42 packages, a routing library hugely popular among React web application developers. Multiple other packages were also affected, including @squawk (87 packages), @uipath (66 packages), @tallyui (30 packages), @beproduct (18 packages), as well as Mistral AI’s SDK suite on both npm and PyPI, and the Guardrails AI PyPI package.
The attacks, noticed by several vendors using automated security tools, happened on May 11, spreading rapidly through package ecosystems thanks to the worm capabilities of the automated Mini Shai-Hulud malware platform, analysis found.
The exact number of package versions caught up in the attack varies depending on the source; according to Aikido Security it was 373 across 169 package namespaces, while S
A supply chain attack on SAP-related npm packages has put fresh scrutiny on the developer tools and build workflows that enterprises rely on to produce software.
The campaign, referred to as “mini Shai-Hulud,” affected packages used in SAP’s JavaScript and cloud application development ecosystem.
The malicious versions added installation-time code that could steal developer credentials, GitHub and npm tokens, GitHub Actions secrets, and cloud credentials from AWS, Azure, GCP, and Kubernetes environments.
Researchers at SafeDep, Aikido Security, Wiz, and several other security firms said the affected packages included mbt@1.2.48, @cap-js/db-service@2.10.1, @cap-js/postgres@2.2.2, and @cap-js/sqlite@2.2.2.
The suspicious versions were published on April 29 and were later replaced by safe releases.
The malware encrypted stolen data and sent it to public GitHub repositories created from victims’ own accounts, according to the researchers. It also used stolen GitHub and npm tokens to add ma
The US Cybersecurity and Infrastructure Security Agency (CISA) does not yet have access to Anthropic’s bug-hunting AI model, Claude Mythos, even though other government agencies do, Axios reported earlier this week.
As if that weren’t a big enough slap in the face for the national cyber-defense agency, the list of those who do have access to Mythos includes several unauthorized users, according to Bloomberg News. Members of a private Discord channel specializing in seeking information about unreleased AI models have gained access to Mythos, according to one unnamed member of the group, Bloomberg reported. “The group has been using Mythos regularly since then, though not for cybersecurity purposes,” the person told Bloomberg, supplying screenshots to back up their claim.
As a result of its fear that the powerful model could be used to identify and exploit flaws in software and online services, Anthropic has limited access to a preview of Mythos to an exclusive group of government agenc
OpenAI responds to the Axios supply chain attack by rotating macOS code signing certificates, updating apps, and confirming no user data was compromised.
A compromised npm package is only the entry point. The axios incident shows how quickly attackers pivot from code execution to credential abuse, identity misuse, and cloud access.