
Hackers Compromise Dozens of Open Source Packages in Supply Chain Attack

Cybersecurity firms reported that hackers took control of developer accounts and published malicious versions of widely used open source packages. The packages are relied on by software developers worldwide. The attack aims to steal credentials from downstream users.

TechCrunch · 1 source · May 19, 3:34 PM

Cybersecurity firms StepSecurity and SafeDep warned on Tuesday of an ongoing supply chain attack that has compromised dozens of popular open source packages. Hackers took over one developer account and released more than 630 malicious versions across 317 packages in roughly 20 minutes, according to SafeDep.

The packages are used by software developers around the world. The goal of the attack is to steal credentials for services including password managers, according to the firms. Malicious updates were also published on GitHub in some cases, JFrog Security reported.

One compromised package is Antv, a library developed by Alibaba. The current wave is part of a campaign researchers have named Mini Shai-Hulud. Last week, hackers compromised the computers of two OpenAI employees after gaining access through the open source library TanStack.

OpenAI was one of several victims in that wave. The attacks target open source projects and the developers who incorporate the code into their own applications.

Key Facts

  1. 317 packages affected by malicious versions in the latest wave
  2. 630 malicious versions released in about 20 minutes by hackers
  3. Antv library, developed by Alibaba, among the compromised packages

Story Timeline

  1. May 19, 2026: StepSecurity and SafeDep warn of the latest wave of supply chain attacks.
  2. May 19, 2026: Hackers release over 630 malicious versions across 317 packages in 20 minutes.
  3. May 12, 2026: Hackers compromise the computers of two OpenAI employees via the TanStack library.

Potential Impact

  1. Developers using the affected packages may receive malicious updates that steal credentials.
  2. Organizations relying on open source code could face increased risk of data theft.

Synthesized by Substrate AI · Published May 19, 2026, 3:34 PM
