High severity · Resolved — Quarantined · PyPI · Supply chain · Credential exfil · Wiper · Mini Shai-Hulud

mistralai

A supply-chain compromise of the official Mistral AI Python SDK on PyPI. Version 2.4.6, a release Mistral AI never published, contained code that executed on import, downloaded a second-stage payload, and harvested credentials. The malware also included a 1-in-6 destructive branch that ran `rm -rf /` on Linux hosts geolocated to Israel or Iran. PyPI quarantined the package within hours of disclosure by Microsoft.

Are you affected?

Almost certainly not. You are only exposed if you installed or upgraded mistralai to version 2.4.6 between May 12, 2026 at 00:05 UTC and the time PyPI quarantined the release. Builds pinned to 2.4.5 or earlier were never exposed.

Run this from your project root to confirm:

# From your project root
$ pip show mistralai | grep Version
# If 2.4.5 or earlier, you're clear. If 2.4.6, see "If you were exposed" below.

What happened

On May 12, 2026 at approximately 00:05 UTC, an attacker uploaded mistralai 2.4.6 to PyPI. Mistral AI never released that version. The malicious release came through the project's official publish path, consistent with a compromised maintainer credential or token rather than a typosquat. The activity is being tracked as part of the "Mini Shai-Hulud" campaign (attributed to a threat actor called TeamPCP) alongside contemporaneous compromises of TanStack, UiPath, OpenSearch, and Guardrails AI packages.

The package modified mistralai/client/__init__.py, the first file that runs when a developer imports the library. The injected code uses curl with TLS verification disabled to fetch hxxps://83[.]142[.]209[.]194/transformers.pyz, saves it to /tmp/transformers.pyz, and launches it as a background Python process with stdout and stderr silenced. The filename transformers.pyz was deliberately chosen to mimic the widely-used Hugging Face Transformers library and blend into ML and developer environments.

The second-stage payload is a credential stealer that harvests secrets and access tokens from the host. It installs persistence as pgsql-monitor.service with a helper file named pgmonitor.py, both designed to look like PostgreSQL monitoring tooling. Two notable evasion features: country-aware logic that aborts execution in Russian-language environments, and a geofenced destructive branch with a 1-in-6 probability of running rm -rf / when the host appears to be in Israel or Iran.

Timeline

May 12 · 00:05 UTC
Malicious mistralai 2.4.6 uploaded to PyPI through compromised publish credentials.
May 12 · [TBD] UTC
Microsoft Threat Intelligence detects the package and reports to PyPI and Mistral AI.
May 12 · [TBD] UTC
PyPI quarantines mistralai 2.4.6.
May 12 · [TBD] UTC
Public disclosure links the package to the "Mini Shai-Hulud" campaign (also affecting TanStack, UiPath, OpenSearch, Guardrails AI).
May 12 · [TBD] UTC
Indicators of compromise published. Root research team confirms customer builds unaffected.

If you were exposed

If pip show mistralai reports version 2.4.6, treat the host as potentially compromised. The destructive branch may have triggered on Linux systems geolocated to Israel or Iran. Microsoft's recommended mitigations:

  • Isolate the affected Linux host from your network.
  • Block outbound connections to 83.142.209.194.
  • Hunt for /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service. Remove if found and review related logs.
  • Rotate any credentials present on the host: cloud, GitHub, CI/CD, SSH, and API tokens.
  • Pin mistralai to 2.4.5 or earlier in your requirements file. Clear __pycache__ and any cached wheels, then reinstall from a clean lockfile.
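The hunt step above can be scripted so that it covers every Python environment on a host, not only the one `pip show` happens to see. The sketch below is an added example, not code from Microsoft, PyPI, or Mistral AI; the function names are hypothetical, and it assumes the injected `__init__.py` contains the address in plain text, so the `.dist-info` check is the one to rely on.

```shell
#!/bin/sh
# Added example, not part of the advisory: sweep a tree for the indicators
# this page names. Usage: sh sweep.sh /   (or the mount point of a disk image)

BAD_VERSION="2.4.6"       # malicious release named on the page
C2_IP="83.142.209.194"    # second-stage host named on the page

# File indicators: the stage-2 drop plus the two persistence artifacts.
# The page gives no directory for the latter two, so match them by name.
hunt_files() {
    find "${1:-/}" \( -path '*/tmp/transformers.pyz' \
        -o -name 'pgmonitor.py' -o -name 'pgsql-monitor.service' \) \
        -print 2>/dev/null || true
}

# Every environment (virtualenvs included) with 2.4.6 installed. pip records
# the version in the name of the package's .dist-info directory.
hunt_installs() {
    find "${1:-/}" -type d -name "mistralai-${BAD_VERSION}.dist-info" \
        -print 2>/dev/null || true
}

# Copies of the modified entry file that reference the second-stage host.
# Assumption: the address appears in plain text in the injected code.
hunt_injected() {
    find "${1:-/}" -type f -path '*/mistralai/client/__init__.py' \
        -exec grep -lF "$C2_IP" {} + 2>/dev/null || true
}

# Run all hunts; print hits and return 1 if any indicator is present.
sweep() {
    hits=$( { hunt_files "$1"; hunt_installs "$1"; hunt_injected "$1"; } | sort -u )
    if [ -z "$hits" ]; then
        echo "no indicators under ${1:-/}"
        return 0
    fi
    echo "$hits" | sed 's/^/INDICATOR: /'
    return 1
}

# Only scan when a root is given on the command line.
if [ $# -gt 0 ]; then sweep "$1"; fi
```

A hit from `hunt_installs` alone is enough to start credential rotation, since the stage-2 files may have been removed or never written by the time the sweep runs.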
