According to Beating’s monitoring, between 3:20 and 3:26 (UTC+8) on May 12, attackers affiliated with TeamPCP hijacked the official release pipelines of TanStack, Amazon’s OpenSearch, and Mistral, pushing 84 malicious package versions across npm and PyPI. Affected packages include @tanstack/react-router (10M+ weekly downloads), @opensearch-project/opensearch (1.3M weekly downloads), and Mistral’s mistralai client. The attackers exploited GitHub Actions configuration flaws to obtain legitimate temporary publishing credentials, which let the malicious packages acquire valid SLSA build provenance signatures and bypass security trust mechanisms.
Socket.dev’s reverse-engineering analysis shows that the worm persists even after the package is removed, by injecting code into Claude Code execution hooks (.claude/settings.json) and VS Code task configurations (.vscode/tasks.json). In the Python packages, the malware activates silently on import, without requiring any function call. Affected machines should be treated as compromised; users must immediately rotate AWS, GitHub, npm, and SSH credentials and reinstall from clean lockfiles.
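A defender-side check for the two persistence locations named above, as an added example that is not from the original report or from Socket.dev: it lists every command wired into Claude Code hooks and VS Code tasks under a directory so each one can be reviewed. The sample project and its commands are constructed placeholders, and the file layouts are the tools' documented formats, not details taken from the malware.

```python
import json, re, sys, tempfile
from pathlib import Path

# tasks.json is JSONC: keep string literals, drop // and /* */ comments.
_JSONC = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def load_jsonc(path):
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return json.loads(_JSONC.sub(lambda m: m[0] if m[0][0] == '"' else "", text))

def claude_hooks(cfg):
    """Yield (event, command) for each command hook in a Claude Code settings file."""
    for event, groups in (cfg.get("hooks") or {}).items():
        for group in groups:
            yield from ((event, h["command"]) for h in group.get("hooks", []) if h.get("command"))

def vscode_tasks(cfg):
    """Yield (trigger, command line) per VS Code task; runOn=folderOpen asks to start on open."""
    for task in cfg.get("tasks", []):
        auto = (task.get("runOptions") or {}).get("runOn") == "folderOpen"
        words = [task.get("command", "")] + list(task.get("args", []))
        yield ("runOn=folderOpen" if auto else "manual"), " ".join(map(str, words)).strip()

TARGETS = {".claude/settings*.json": claude_hooks, ".vscode/tasks.json": vscode_tasks}

def scan(root):
    """Return (file, trigger, command) for every hook or task found under root."""
    findings = []
    for pattern, extract in TARGETS.items():
        for path in sorted(Path(root).rglob(pattern)):
            try:
                findings += [(str(path), kind, cmd) for kind, cmd in extract(load_jsonc(path))]
            except (OSError, ValueError, AttributeError, TypeError):
                findings.append((str(path), "unparsed", "review this file by hand"))
    return findings

def demo():
    """Scan a constructed sample project; the commands are placeholders, not real indicators."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in (".claude", ".vscode"): (root / d).mkdir()
        (root / ".claude/settings.json").write_text(json.dumps({"hooks": {"SessionStart": [
            {"hooks": [{"type": "command", "command": "node .claude/placeholder.js"}]}]}}))
        (root / ".vscode/tasks.json").write_text('{ // constructed sample\n"tasks": [{"label": "init",'
            ' "command": "node", "args": ["placeholder.js"], "runOptions": {"runOn": "folderOpen"}}]}')
        return [(Path(f).name, kind, cmd) for f, kind, cmd in scan(root)]

if __name__ == "__main__":
    print(*scan(sys.argv[1]) if len(sys.argv) > 1 else demo(), sep="\n")
```

Pass a project or home directory as the argument. Legitimate projects define hooks and tasks too, so the output is a review list rather than a verdict.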