A trusted AI developer tool just became a trap. Hackers secretly planted malware inside an official Mistral AI software package, and thousands of developers may have unknowingly downloaded it. Microsoft is now sounding the alarm on what could be one of the most serious software supply chain attacks of 2026.
What Microsoft Found Inside the Package
Microsoft Threat Intelligence reported on Monday that it is investigating a compromise of the mistralai PyPI package: attackers injected malicious code that executed automatically on import, downloaded a secondary payload disguised as transformers.pyz, and launched malware on Linux systems. The compromised package, version 2.4.6, contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background whenever the package was imported on a Linux machine.

The filename appears deliberately chosen to resemble Hugging Face’s widely used Transformers AI framework, potentially allowing the malware to blend into machine learning environments and evade suspicion. It was a calculated move: developers working in AI environments see files named “transformers” every day, making it easy to overlook.

According to Microsoft’s analysis, the injected code used curl to retrieve the secondary payload and then launched it as a detached background process designed to keep running independently of the original Python session. The malware also reportedly suppressed execution errors and limited its activity to Linux systems, the dominant operating system across servers, cloud environments, and many AI workloads.
What This Malware Was Built to Do
This was not a simple script; the malware came packed with multiple layers of threat. It targets 1Password and Bitwarden vaults alongside SSH keys, AWS and GCP credentials, Kubernetes service accounts, GitHub tokens, and npm publishing credentials. The stealer exfiltrates via three redundant channels: a typosquat domain (git-tanstack.com), the decentralized Session messenger network, and Dune-themed GitHub repositories created with stolen tokens.

What makes it even more alarming is its built-in geopolitical behavior. The stealer includes basic geofencing logic, specifically avoiding execution on hosts where Russian language settings are detected. A destructive secondary routine is also present: in environments that appear to originate from Israel or Iran, the malware introduces a probabilistic sabotage mechanism with a 1-in-6 chance of running a recursive wipe command (rm -rf /).

The payload also uses stolen GitHub tokens to commit poisoned configuration files (.claude/settings.json, .vscode/tasks.json) into victim repositories via GitHub’s GraphQL API. Other developers who clone or pull these repositories inherit the malicious configurations. The attacker designed this as a self-spreading vector that targets Claude Code and VS Code users. In short, one developer downloading a poisoned package could trigger a chain reaction across an entire organization.
The Bigger Picture: A Massive Supply Chain Campaign
The Mistral AI attack was not an isolated incident. It is part of a much wider operation. The attack, attributed to the TeamPCP threat group, started with the compromise of dozens of TanStack and Mistral AI packages but quickly extended to other popular projects such as Guardrails AI, UiPath, and OpenSearch. A coordinated supply chain attack on May 11, 2026 compromised over 170 npm packages and 2 PyPI packages, totaling 404 malicious versions. Here is a snapshot of the scale of this attack:
| Target | Packages Hit | Weekly Downloads |
|---|---|---|
| TanStack (npm) | 42 packages, 84 malicious versions | ~56 million |
| UiPath (npm) | 65 packages | Not disclosed |
| Mistral AI (npm + PyPI) | Multiple SDK packages | Millions |
| Squawk (npm) | 20 packages, 87 versions | Tens of thousands |
| Guardrails AI (PyPI) | 1 package | Not disclosed |
The cumulative weekly download volume of the compromised packages exceeds 518 million. @tanstack/react-router alone receives 12.7 million weekly downloads.

What makes the latest TeamPCP supply chain attack notable is the abuse of provenance attestation to publish malicious packages that are indistinguishable from legitimate ones. The attackers published 84 malicious versions across 42 TanStack packages that had valid provenance, valid Sigstore attestations, and legitimate GitHub Actions signatures. From a developer’s perspective, the packages appeared to be cryptographically authentic, and there was no indication of a compromise.

TeamPCP is described by Wiz as “a financially motivated threat actor specializing in cloud-native infrastructure compromise.” First tracked in late 2025, the group conducts worm-driven campaigns targeting exposed Docker APIs, Kubernetes clusters, and CI/CD pipelines.
Mistral’s Response and What Developers Must Do Now
Mistral AI moved quickly to address the situation. In its advisory, Mistral said it was impacted by a supply chain attack related to the TanStack security incident: an automated worm associated with the attack led to compromised npm and PyPI package versions being published. The current investigation indicates that an affected developer device was involved, and the company says it has no indication that Mistral infrastructure was compromised.

The compromised npm packages were available only between May 11 at 22:45 UTC and May 12 at 01:53 UTC. The compromised PyPI release mistralai==2.4.6 was uploaded around May 12 at 00:05 UTC, and the project is currently quarantined on PyPI. Previous versions are not affected by this advisory. Because the payload ran on import rather than at install time, any application that imported mistralai or guardrails during the attack window should be treated as potentially compromised, regardless of whether pip install itself ran in a sandboxed environment. If your team was running any version of these packages during that window, here is what security experts say you need to do right away:
- Rotate immediately: GitHub tokens, npm credentials, cloud API keys, SSH keys, and CI/CD secrets
- Isolate affected Linux machines from your network to prevent lateral movement
- Block the IP address 83.142.209.194 at the firewall level
- Search for these files: /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service on all Linux systems
- Inspect .claude/ and .vscode/ directories for any unauthorized configuration changes
- Safe versions to use: mistralai 2.4.5 or earlier, guardrails-ai 0.10.0 or earlier
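The version, file and import-time checks from that list, as an added Python triage script that is not from Microsoft, Mistral or the package itself: it flags installed versions newer than the safe releases named above, reports the file indicators named above from a path listing, and walks a package __init__.py with Python's ast module to find subprocess and network calls that would run at import time. The inventories and the sample __init__ source are constructed here, not the real package code.

```python
import ast
import re
from pathlib import Path

# From the advisory text: file indicators, and the last safe release of each package.
IOC_FILES = {"transformers.pyz", "pgmonitor.py", "pgsql-monitor.service"}
SAFE_MAX = {"mistralai": (2, 4, 5), "guardrails-ai": (0, 10, 0)}
# Calls a client SDK has no business making while it is merely being imported.
RISKY_CALLS = {"subprocess.Popen", "subprocess.run", "subprocess.call",
               "os.system", "os.popen", "urllib.request.urlopen"}

def parse_version(v):  # '2.4.6' -> (2, 4, 6); tolerates suffixes such as '0.10.0rc1'
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def affected_versions(installed):  # installed: {name: version}, e.g. from `pip list --format=json`
    return sorted(n for n, v in installed.items()
                  if n in SAFE_MAX and parse_version(v) > SAFE_MAX[n])

def present_iocs(paths):  # paths: file paths seen on the host, e.g. the output of a `find` run
    return sorted(p for p in paths if Path(p).name in IOC_FILES)

def _dotted(node):  # attribute chain such as subprocess.Popen -> its dotted name
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else ""

def import_time_calls(source):  # -> [(lineno, call)] for risky calls reachable at import
    found = []
    def walk(node):  # module and class bodies run at import; function bodies do not
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            return  # deferred until called (decorators and defaults not checked here)
        if isinstance(node, ast.Call) and _dotted(node.func) in RISKY_CALLS:
            found.append((node.lineno, _dotted(node.func)))
        for child in ast.iter_child_nodes(node):
            walk(child)
    walk(ast.parse(source))
    return found

# Constructed sample __init__.py (not the real package code): Linux check, swallowed errors, import-time launch.
SAMPLE_INIT = '''import os, subprocess
try:
    if os.uname().sysname == "Linux":
        subprocess.Popen(["/bin/true"])
except Exception:
    pass
def helper():
    subprocess.run(["/bin/true"])  # only runs when called, so not flagged
'''
```

Feed `import_time_calls` the `__init__.py` of each installed distribution from site-packages; a client SDK that spawns processes or opens sockets at import is worth a manual look even when its version is not on the list above.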
Microsoft’s advisory cautioned defenders to assume stolen keys and session tokens could grant access to code repositories, cloud accounts, and other developer resources. The malware also installs a destructive ‘dead man’s switch’ monitor, which attempts to delete the user’s entire home directory if a developer revokes a stolen GitHub token. That detail alone means every affected team should fully clean its systems before revoking anything.

This attack is a stark reminder that even the most trusted tools in your developer toolkit can be turned into weapons overnight. The Mini Shai-Hulud campaign has been evolving since September 2025, growing more sophisticated with each wave, and it shows no signs of stopping. Every developer, security team, and organization relying on open source packages needs to treat supply chain hygiene as a top priority, not an afterthought. The next poisoned package could already be sitting in someone’s pipeline right now.