Posts tagged with: Bun

May 2026 - NPM + PyPI Supply Chain Attack: How to Delay Dependency Updates

On May 11, 2026, a coordinated supply-chain attack compromised over 170 npm packages and 2 PyPI packages, publishing a total of 404 malicious versions. The attacker targeted the entire TanStack router ecosystem (42 packages), Mistral AI's SDK suite (on both npm and PyPI), UiPath's automation tooling (65 packages), OpenSearch (1.3 million weekly npm downloads) and Guardrails AI (PyPI). This is one of the biggest coordinated registry-poisoning events we've seen in 2026, and the first time both npm and PyPI have been hit in a single campaign.