Compromised `mistralai` PyPI Package Deployed Linux Credential-Stealing Malware
Microsoft Threat Intelligence warned that version 2.4.6 of the widely used mistralai package on PyPI was compromised in a software supply-chain attack, with malicious code inserted into mistralai/client/__init__.py. The code executed on import, retrieved a second-stage payload from a remote server, and deployed malware on Linux systems. The payload was written to /tmp/transformers.pyz to resemble legitimate Hugging Face tooling, while additional components including pgmonitor.py and a persistent systemd service named pgsql-monitor.service were used to blend into developer and database-monitoring environments. Microsoft said the malware primarily targeted credentials and persistence, with the potential to expose GitHub tokens, cloud API keys, SSH keys, npm credentials, and CI/CD secrets.
Researchers said the intrusion may be tied to the broader Mini Shai-Hulud campaign, which has also been associated with compromised TanStack packages and multiple Mistral npm SDK packages, suggesting an expanding effort against developer ecosystems and trusted package repositories. The malware also contained geo-aware logic, including a destructive branch that could trigger system wiping on hosts appearing to be in Israel or Iran, while avoiding Russian-language systems. Microsoft urged defenders to isolate affected Linux hosts, block outbound connections to the malicious infrastructure, hunt for indicators including /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service, and rotate any credentials that may have been exposed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers link incident to broader 'Mini Shai-Hulud' supply-chain campaign
Researchers said the mistralai compromise may be connected to the broader 'Mini Shai-Hulud' campaign, which has also been associated with compromised TanStack JavaScript packages and multiple Mistral npm SDK packages. The campaign appears aimed at harvesting high-value developer and cloud credentials from trusted software ecosystems.
Microsoft discloses and investigates the mistralai package compromise
On May 12, 2026, Microsoft Threat Intelligence reported it was investigating the compromised mistralai 2.4.6 package and published technical details of the malicious behavior. Microsoft assessed the payload as primarily a credential stealer and warned defenders to isolate affected Linux hosts, block the malicious IP, hunt for indicators, and rotate exposed credentials.
Malicious payload targets Linux systems for credential theft and persistence
The second-stage malware downloaded as /tmp/transformers.pyz targeted Linux environments, stealing credentials and establishing persistence via files including pgmonitor.py and a systemd service named pgsql-monitor.service. The malware also contained geo-aware destructive logic that could wipe systems appearing to be in Israel or Iran while avoiding Russian-language systems.
Attackers publish compromised mistralai 2.4.6 package to PyPI
The PyPI package mistralai version 2.4.6 was compromised in a software supply-chain attack. Malicious code was inserted into mistralai/client/__init__.py so it would execute on import and fetch a second-stage payload.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
GHSA-JGG6-4RPR-WFH7: GHSA-JGG6-4RPR-WFH7: Mistral AI SDK Supply Chain Compromise via Mini Shai-Hulud Worm | CVEReports
cvereports.com
Open sourceCompromised Mistral AI and TanStack packages may have exposed GitHub, cloud and CI/CD credentials in 'mini Shai Hulud' malware infection - supply-chain campaign spreads across npm and AI developer ecosystems like wildfire | Tom's Hardware
tomshardware.com
Open sourcemistralai PyPI package Compromised to Inject Malicious Code - Microsoft Warns
cybersecuritynews.com
Open source[SECURITY] Supply chain compromise in mistralai 2.4.6 - backdoor downloads and executes payload from hardcoded IP · Issue #523 · mistralai/client-python
github.com
Open sourceMalicious dropper in mistralai 2.4.6 PyPI package · Advisory · mistralai/client-python · GitHub
github.com
Open sourceSecurity advisories | Mistral Docs
docs.mistral.ai
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Mini Shai-Hulud Compromised Signed npm and PyPI Packages via GitHub Actions OIDC Abuse
A large software supply-chain campaign dubbed **Mini Shai-Hulud** compromised more than 170 npm packages and at least two PyPI packages tied to projects including **TanStack, Mistral AI, OpenSearch, UiPath, Guardrails AI,** and others. Researchers and vendors attributed the activity to **TeamPCP**, saying the attackers abused GitHub Actions release workflows—especially `pull_request_target`, cache poisoning, and theft of short-lived **OIDC** material from runners—to publish trojanized packages with apparently legitimate **SLSA** provenance, Sigstore attestations, and trusted-publishing signatures. Reports variously counted between roughly 160 and 400+ malicious package versions, with some affected packages totaling hundreds of millions of downloads, and OpenSearch and Mistral both confirmed compromised releases while TanStack described a chained workflow attack on its publishing pipeline. The malware targeted developer workstations and CI/CD systems, stealing **npm**, **GitHub**, cloud, Kubernetes, Vault, SSH, Docker, and AI-tool credentials, then attempting worm-like propagation by republishing infected packages with stolen tokens or workflow-issued publish credentials. Investigators said the payload also established persistence through **VS Code** tasks, **Claude Code** hooks, and in some cases system services, while exfiltrating data through **Session**, GitHub dead drops, and other attacker infrastructure; some variants included extortion notes, dead-man-switch logic, and geofenced destructive behavior. Defenders were urged to treat hosts that installed affected versions as potentially fully compromised, remove persistence before revoking tokens where applicable, rotate all exposed secrets from clean systems, invalidate CI caches, audit lockfiles and publishing activity, and rebuild impacted environments from trusted sources.
Jun 9, 2026
Backdoored LiteLLM PyPI Releases Stole Secrets and Targeted Kubernetes Clusters
Malicious versions `1.82.7` and `1.82.8` of the widely used `litellm` Python package were uploaded to PyPI after attackers used compromised publishing access, turning a popular AI gateway library into a supply-chain malware delivery vehicle. Researchers and project maintainers said the tainted code was absent from the upstream GitHub repository, indicating the compromise occurred in the release pipeline or during package publication. The malware executed on import in `1.82.7`, while `1.82.8` added a `litellm_init.pth` file that triggered on every Python interpreter startup, greatly expanding exposure even beyond direct use of the package. PyPI removed or quarantined the malicious releases, and `1.82.6` was identified as the last known clean version. The payload harvested a broad range of secrets, including cloud credentials, SSH keys, API tokens, Kubernetes service-account tokens, database and CI/CD secrets, `.env` files, shell histories, TLS keys, and cryptocurrency wallet data, then encrypted and exfiltrated the data to attacker-controlled infrastructure including `models.litellm.cloud`. Multiple reports said the malware also attempted Kubernetes lateral movement by enumerating clusters, dumping secrets, and deploying privileged pods across nodes, while establishing Linux persistence through a disguised `systemd` user service that contacted `checkmarx.zone` for follow-on payloads. Researchers linked the intrusion with high confidence to **TeamPCP**, tying it to the earlier Trivy compromise and a broader campaign spanning GitHub Actions, Docker Hub, npm, OpenVSX, and PyPI; organizations that installed and ran the affected versions were urged to assume full credential compromise, rotate secrets, inspect for persistence, and review Kubernetes environments for rogue activity.
Jun 15, 2026
Mini Shai-Hulud Supply-Chain Attack Compromised npm, PyPI, and Composer Packages
Researchers reported that the **Mini Shai-Hulud** campaign compromised widely used developer packages across **npm, PyPI, and Packagist/Composer**, including SAP CAP components, `intercom-client`, `intercom/intercom-php`, and PyTorch Lightning’s `lightning` package. The malicious releases delivered an obfuscated credential stealer executed with the **Bun** runtime, harvesting secrets from developer workstations and CI/CD environments, including GitHub, npm, cloud, Kubernetes, and AI tooling credentials. Stolen data was encrypted and exfiltrated through attacker-created public GitHub repositories, and the campaign was linked by multiple researchers to **TeamPCP**. Reports estimated exposure ranging from more than **1,000** to roughly **1,800 repositories**, with no `CVE`, `GHSA`, or `OSV` identifiers assigned at disclosure. Investigators said the attackers abused software publishing workflows rather than relying solely on direct maintainer compromise, including a stolen npm token tied to SAP’s `cloudmtabot` account, an exposed token in CircleCI pull-request builds, and overly broad GitHub and npm **OIDC trusted publishing** policies. The malware propagated by using stolen npm tokens to publish infected patch versions of additional packages and established persistence through developer tooling by planting `.vscode/tasks.json` entries with `"runOn": "folderOpen"` and `.claude/settings.json` `SessionStart` hooks, a technique compared to the earlier **PolinRider/TasksJacker** tradecraft. Maintainers released cleaned package versions, while defenders were urged to rotate credentials, review GitHub, npm, and cloud activity, harden OIDC publishing rules, pin dependencies, and hunt repositories for unauthorized `folderOpen` tasks and Claude hooks.
May 1, 2026