The official Mistral AI SDK has been infected with silent malware. Microsoft Threat Intelligence raised the alert on May 12, 2026: hackers injected malicious code directly into a PyPI package downloaded by thousands of AI developers. And that's just the visible part of the iceberg!
In brief
- A coordinated supply chain attack on May 11, 2026 compromised more than 170 npm packages and 2 PyPI packages.
- Microsoft Threat Intelligence is investigating the compromise of the Mistral AI PyPI v2.4.6 package.
- The malware targets developer credentials.
- Uninstalling the package does not remove the malware, which persists through Claude Code hooks and VS Code tasks.
An AI attack on an unprecedented scale
On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages. The total amounts to 404 malicious versions. This massive operation simultaneously targets some of the most used projects in the open source AI ecosystem.
The hacker group responsible, TeamPCP, managed to hack legitimate release pipelines of AI projects by exploiting poor maintainer configurations and GitHub Actions vulnerabilities. Result: infected packages with valid signatures, indistinguishable from legitimate versions. But that's not the most worrying thing.
According to Microsoft, the compromised version of mistralai 2.4.6 package contained malicious code inserted into the mistralai/client/__init__.py file. It would silently download a file from a remote IP address to /tmp/transformers.pyz and run it in the background as soon as the package was imported onto a Linux system.
The name of the malicious file, transformers.pyz, appears to be deliberately chosen to mimic Hugging Face's Transformers framework. The latter is widely used in AI environments. PyPI has since put the Mistral AI project in quarantine.
What data is at risk? What to do if you are affected?
The hackers' objective is clear: steal AI developer credentials (GitHub and npm tokens, cloud keys, API keys, Kubernetes service accounts and SSH keys). Once the infection is installed, the malware enrolls itself in Claude Code hooks as well as VS Code autoexecution tasks. Uninstalling the compromised package does not remove it.
For the first time, the malware also targets password managers like 1Password and Bitwarden. Aikido Security advises AI developers to immediately rotate their GitHub tokens, npm credentials, cloud API keys and CI/CD secrets if compromised packages have been installed.
Other recommended actions:
- check the lockfile for versions known to be compromised;
- pin dependencies to known safe versions
- look for signs of infection
A threat that extends far beyond Mistral AI
Rather than targeting a single product, the attackers compromise of entire groups of related packages. This significantly increases the scale and potential impact of the campaign. It affected the npm and PyPI ecosystems simultaneously. Hence the major risks.
THE self-propagation mechanism remains largely unchanged compared to previous waves. It uses stolen GitHub/npm credentials, identifies packages related to the compromised maintainer, injects malicious payload into archives and republishes infected versions.
L'Mini Shai-Hulud attack is perhaps only just beginning. And the next target might be in your own development environment.
In any case, this flaw is a stark reminder: artificial intelligence is software like any other, vulnerable to traditional hacking methods. For Mistral AI, the challenge will be to prove the resilience of its ecosystem as the race for AI intensifies. One thing is certain: safety will no longer be an option, but the main driver in the development of future models.
Maximize your Tremplin.io experience with our 'Read to Earn' program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
