Supply Chain Attack Hits TanStack, Mistral AI, UiPath — Over 170 Packages Compromised

A coordinated supply chain attack targeting TanStack, Mistral AI, and UiPath has compromised more than 170 software packages, according to a report published this week by Crypto Briefing. The breach didn't hit crypto companies directly, but it's rattled the industry anyway — because the same open-source dependencies are the backbone of many exchanges, wallets, and DeFi protocols.

What the attackers did

The three firms — TanStack (a React-based UI library), Mistral AI (an AI model provider), and UiPath (an enterprise automation platform) — all had packages tampered with in a single, coordinated campaign. Security researchers say the attackers injected malicious code into widely used libraries, potentially giving them backdoor access to any system that downloaded the compromised versions. The exact entry point isn't public yet, but the scale is notable: over 170 packages affected across the three ecosystems.

Why crypto should care

Crypto infrastructure is famously reliant on open-source code. A single compromised npm package can cascade into wallet drains, exchange breaches, or smart contract exploits. This isn't a theoretical risk — past attacks on event-stream and other libraries have led to real crypto theft. The TanStack/Mistral/UiPath incident shows that even well-audited projects aren't immune. If a developer working on a major exchange pulls a tainted package, the fallout could be swift.

No clear fix yet

As of May 17, none of the three companies has released a full post-mortem. Users are advised to check their dependency trees and roll back any packages published in the last 72 hours. The report from Crypto Briefing didn't name specific malicious package versions, but security firms are already scanning registries. For now, the industry is left waiting, and double-checking its lockfiles.
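One concrete way to act on that advice, as an added example rather than code from Crypto Briefing or any of the named vendors: the Node script below reads a package-lock.json (lockfile v2/v3 layout), looks up each installed version's publish time in registry metadata shaped like the `time` field that `npm view <pkg> time --json` returns, and flags anything published inside the window (72 hours by default) or lacking a publish record at all. The lockfile, package names, versions and timestamps are all constructed for the demonstration; a real run would load the project's own lockfile and fetch the registry data for each package.

```javascript
// Added example, not from the article: audit an npm package-lock.json for
// installed versions published within the last N hours. Every package name,
// version and timestamp below is constructed for the demonstration.

const HOURS_MS = 60 * 60 * 1000;

// Constructed package-lock.json (lockfileVersion 3 layout) for a sample project.
const SAMPLE_LOCKFILE = {
  name: "sample-wallet-frontend",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-wallet-frontend", version: "1.0.0" },
    "node_modules/example-ui-lib": { version: "4.2.1" },
    "node_modules/@example/ai-sdk": { version: "0.9.3" },
    "node_modules/left-pad-like": { version: "1.3.0" },
    "node_modules/example-ui-lib/node_modules/nested-dep": { version: "2.0.0" },
  },
};

// Constructed registry publish times keyed by package name, mirroring the
// shape of the `time` field in npm registry metadata (version -> ISO date).
const SAMPLE_REGISTRY_TIME = {
  "example-ui-lib": {
    "4.2.0": "2025-04-01T10:00:00.000Z",
    "4.2.1": "2025-05-16T03:12:00.000Z",
  },
  "@example/ai-sdk": { "0.9.3": "2025-05-15T22:40:00.000Z" },
  "left-pad-like": { "1.3.0": "2023-11-20T08:00:00.000Z" },
  "nested-dep": { "2.0.0": "2024-02-02T12:00:00.000Z" },
};

// Extract {name, version} for every installed package from a v2/v3 lockfile.
// Keys look like "node_modules/foo" or "node_modules/a/node_modules/@scope/b";
// the package name is whatever follows the last "node_modules/" segment.
function listInstalledPackages(lockfile) {
  const installed = [];
  for (const [key, entry] of Object.entries(lockfile.packages || {})) {
    if (key === "" || !entry.version) continue; // root project entry or link
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // workspace path, not a registry package
    installed.push({
      name: key.slice(idx + "node_modules/".length),
      version: entry.version,
    });
  }
  return installed;
}

// Flag installed versions published at or after `now - windowHours`, and
// versions the registry has no publish record for (those deserve a manual look).
function flagRecentlyPublished(installed, registryTime, now, windowHours) {
  const cutoff = now.getTime() - windowHours * HOURS_MS;
  const flagged = [];
  for (const { name, version } of installed) {
    const published = registryTime[name] && registryTime[name][version];
    if (!published) {
      flagged.push({ name, version, reason: "no publish record" });
      continue;
    }
    if (Date.parse(published) >= cutoff) {
      flagged.push({ name, version, reason: `published ${published}` });
    }
  }
  return flagged;
}

// Convenience wrapper: 72-hour window by default, matching the advice above.
function auditLockfile(lockfile, registryTime, now, windowHours = 72) {
  const installed = listInstalledPackages(lockfile);
  return flagRecentlyPublished(installed, registryTime, now, windowHours);
}

// Constructed "as of" time for the sample run.
const SAMPLE_NOW = new Date("2025-05-17T12:00:00.000Z");
const RESULTS = auditLockfile(SAMPLE_LOCKFILE, SAMPLE_REGISTRY_TIME, SAMPLE_NOW);
for (const f of RESULTS) {
  console.log(`${f.name}@${f.version}: ${f.reason}`);
}
```

The "no publish record" branch matters in practice: a version that is in your lockfile but absent from the registry's timeline is exactly the kind of mismatch (unpublished, yanked, or served from a different source) you would want to inspect by hand rather than silently pass.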

The next likely step is a coordinated disclosure from the affected maintainers. Whether that comes with a patch or a warning to rotate API keys remains an open question.