Mistral AI and TanStack hit in supply chain attack with SLSA-attested malware
Attackers compromised the official Mistral AI Python package on PyPI along with hundreds of other widely-used developer packages, exposing GitHub tokens, cloud credentials, and password vaults across the AI and crypto developer ecosystem.
Microsoft Threat Intelligence said on May 11, it was investigating the mistralai PyPI package version 2.4.6 after discovering malicious code injected in mistralai/client/__init__.py that executed on import, downloading a secondary payload from 83.142.209.194 to /tmp/transformers.pyz and launching it on Linux systems.
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux.… pic.twitter.com/9Xfb07Hcia
— Microsoft Threat Intelligence (@MsftSecIntel) May 12, 2026
The filename impersonates Hugging Face’s widely used Transformers AI framework. The Mistral compromise is one piece of a coordinated campaign researchers are calling Mini Shai-Hulud.
Security platform SafeDep reported that the operation compromised over 170 packages and published 404 malicious versions between May 11 and 12.
The attack carries CVE-2026-45321 with a CVSS score of 9.6, rating it critical severity.
The SLSA provenance trust model just broke
What makes this attack structurally unprecedented: the malicious packages carried valid SLSA Build Level 3 provenance attestations.
SLSA provenance is a cryptographic certificate generated by Sigstore meant to verify that a package was built from a trusted source.
Snyk reported the TanStack attack is the first documented case of malicious npm packages with valid SLSA provenance, meaning attestation-based supply chain defenses are now demonstrably insufficient.
The attackers, identified as TeamPCP, chained three vulnerabilities: a pull_request_target workflow misconfiguration, GitHub Actions cache poisoning, and runtime memory extraction of an OIDC token from the GitHub Actions runner process.
The malicious commit was authored under a fabricated identity impersonating the Anthropic Claude GitHub App, prefixed with [skip ci] to suppress automated checks.
What the malware steals and how it spreads
As Cryptopolitan reported on the January 2026 Trust Wallet incident tied to $8.5 million in losses, the Shai-Hulud worm has been evolving across multiple waves since September 2025.
This latest variant adds password vault theft, with Wiz researchers documenting that the malware now targets 1Password and Bitwarden vaults alongside SSH keys, AWS and GCP credentials, Kubernetes service accounts, GitHub tokens, and npm publishing credentials.
The stealer exfiltrates via three redundant channels: a typosquat domain (git-tanstack.com), the decentralized Session messenger network, and Dune-themed GitHub repositories created with stolen tokens.
The malware exits if Russian language settings are detected. On systems geolocated to Israel or Iran, it introduces a 1-in-6 probability of executing recursive wipe (rm -rf /).
How Mistral and the broader ecosystem responded
Mistral published a security advisory on May 12 saying its core infrastructure was not compromised. The company traced the incident to a compromised developer device tied to the broader TanStack supply-chain campaign.
The mistralai==2.4.6 release was uploaded shortly after midnight UTC on May 12, before PyPI quarantined the project.
Compromised npm packages, including @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp, were available for several hours before removal.
The cumulative weekly download volume of the compromised packages exceeds 518 million. @tanstack/react-router alone receives 12.7 million weekly downloads.
Developers who installed affected versions are advised to rotate cloud credentials, GitHub tokens, SSH keys, and exchange API keys, and inspect .claude/ and .vscode/ directories for persistence hooks.