The Shai-Hulud supply chain attack, attributed to threat actor TeamPCP, compromised CI/CD pipeline credentials to inject malicious code into npm and PyPI packages consumed by Mistral AI, OpenAI, UiPath, Guardrails AI, and OpenSearch. Any organization whose build pipelines consumed TanStack npm packages or downstream dependencies during the attack window may have executed malicious code in their own environments. TeamPCP is now actively extorting Mistral AI with a one-week deadline before threatened free public release of approximately 450 internal source code repositories, creating parallel urgency: dependency remediation and monitoring for public release of proprietary AI source code that may reveal further exploitable vulnerabilities.