AI VOID
DATE: 2026.05.24 00:00 CLEARANCE: PUBLIC

Mistral AI PyPI Supply Chain Attack v2.4.6: News & Updates

news updates incident

// table of contents

What Happened

Microsoft has identified and is actively investigating a critical supply chain attack involving the mistralai package on PyPI. Specifically, version 2.4.6 of the mistralai package was compromised, containing malicious code that executes upon import. This incident is part of a broader, coordinated “Mini Shai-Hulud” campaign that affected numerous npm and PyPI packages around May 11, 2026.

Developers and systems that installed mistralai v2.4.6, or other packages implicated in the “Mini Shai-Hulud” campaign, are at potential risk. Mistral AI has confirmed its impact, urging users to take immediate action.

Timeline of Events

The “Mini Shai-Hulud” campaign, which includes the mistralai package compromise, unfolded with a coordinated publishing of malicious packages.

flowchart TD A[Campaign Begins] --> B[Malicious Packages] B --> C[Mistral AI Compromised] C --> D[Microsoft Investigates] D --> E[Mistral AI Confirms] E --> F[Public Advisories]

Affected Packages and Versions

The core of this incident revolves around the mistralai PyPI package, specifically version 2.4.6. However, this is not an isolated event. The “Mini Shai-Hulud” campaign has a much wider reach.

Key Affected Entities:

  • PyPI: mistralai v2.4.6 and at least one other PyPI package.
  • npm: Over 170 npm packages.
  • Total Malicious Versions: 404 across both ecosystems.
  • Notable Projects Affected: Packages from TanStack, UiPath, OpenSearch, and Guardrails AI were also compromised.

Developers should verify their dependency trees for any affected versions, especially if they integrate with AI development tools or frontend frameworks.

Malware Details and Impact

The malicious code was injected into mistralai/client/__init__.py. This code is designed to execute immediately when the package is imported. Its primary function is to download further payloads from the external IP address `hxxps://83[.]142[.]209[.]194/`.

Potential Impact:

  • Credential Exposure: Systems that installed compromised packages potentially exposed GitHub, cloud provider, and CI/CD credentials. This is a critical risk, as these credentials can grant attackers broad access to sensitive infrastructure and source code.
  • Further Compromise: The ability to download additional payloads means the initial infection could be a staging ground for more sophisticated attacks, including data exfiltration, backdoor installation, or lateral movement within a compromised network.
  • Supply Chain Integrity: The attack highlights the persistent vulnerability of software supply chains, where compromise of a single popular package can propagate widely.

⚠️ Action Required: Immediate Steps for Affected Developers

Given the critical severity of this supply chain attack, developers and organizations that may have installed mistralai v2.4.6 or other packages from the “Mini Shai-Hulud” campaign must take immediate action:

  1. Uninstall Compromised Package:

    pip uninstall mistralai==2.4.6

    If you are unsure, uninstall all versions and reinstall a known safe version after review.

  2. Audit for Compromise:

    • Inspect network logs for outbound connections to `83[.]142[.]209[.]194` or other suspicious IPs. Look for unusual DNS queries or data exfiltration attempts.
    • Review system logs for unusual process execution, unexpected scheduled tasks, or file modifications (especially in temporary directories, user profiles, or system startup locations) around May 11, 2026.
    • Scan development and production environments for indicators of compromise (IOCs) related to the “Mini Shai-Hulud” campaign using reputable antivirus, EDR (Endpoint Detection and Response), or static/dynamic analysis tools.
    • Check for newly created or modified files in common malware drop locations, and review installed packages for any unknown or suspicious entries.

  3. Rotate Credentials:

    • Immediately rotate all GitHub, cloud (AWS, Azure, GCP), and CI/CD (e.g., GitHub Actions, GitLab CI, Jenkins) credentials that were accessible from environments where the compromised package might have been installed or executed.
    • This includes API keys, access tokens, and user passwords.

  4. Review Dependencies:

    • Perform a thorough audit of your requirements.txt, package.json, and other dependency manifests for any packages mentioned in the broader “Mini Shai-Hulud” campaign advisories.

Threat Actor Information

The threat actor identified behind the “Mini Shai-Hulud” campaign is TeamPCP. This group has been linked to this coordinated supply chain attack spree. While specific motivations are not fully detailed in available reports, the nature of the attack (credential harvesting, payload delivery) points towards espionage, data exfiltration, or financial gain.

Ecosystem-wide Implications

This incident underscores the ongoing and evolving threat of supply chain attacks in the open-source ecosystem. The compromise of widely used packages like mistralai, TanStack, and OpenSearch demonstrates that even well-maintained projects can become vectors for attack.

  • Trust in Open Source: Such attacks erode trust in package registries and the open-source software supply chain, forcing developers to implement more rigorous security checks.
  • Automated Scanning: The sheer number of affected packages (404 malicious versions) highlights the need for continuous, automated scanning of dependencies throughout the development lifecycle.
  • Developer Responsibility: Developers must move beyond simply trusting package managers and adopt practices like dependency locking, integrity checks, and runtime monitoring to mitigate risks.
  • AI/ML Ecosystem Target: The targeting of AI-related packages like Mistral AI and Guardrails AI indicates a growing focus by threat actors on the AI/ML development ecosystem, likely due to the sensitive data and valuable intellectual property often handled by AI applications.

What To Watch Next

  • Further Disclosures: Expect more detailed technical analyses and potential indicators of compromise (IOCs) from Microsoft, Mistral AI, and other security researchers as investigations progress.
  • Enhanced Security Measures: Observe how PyPI, npm, and other package managers respond with new security features or policy changes to prevent similar attacks.

References