// supply chain attack

All signals tagged with this topic

Major npm packages compromised in Mini Shai-Hulud supply chain attack

The compromise of packages published by Mistral, UiPath, and TanStack, and of react-router, shows how attackers weaponize the dependency tree itself: a developer who installs a trusted tool also installs whatever the attacker pushed into its newest release, and every downstream project that floats on a caret or tilde range picks that release up on its next install. Socket attributes the incident to the "Mini Shai-Hulud" campaign, suggesting coordinated targeting of high-visibility infrastructure packages. The exposed surface is not one vendor's software but the open-source foundations shared by millions of applications at once. For organizations that depend on these libraries, the practical response is to pin exact versions in the lockfile, review what a lockfile change actually pulls in before merging it, and, where the build permits, install with lifecycle scripts disabled (for example `npm install --ignore-scripts`), since install-time scripts are the usual point at which a trojanized package first gets to execute.