May 18, 2026
Mistral AI's official NPM and PyPI packages were compromised by the Mini Shai-Hulud worm via a developer's stolen session tokens. Malicious package versions containing secondary dropper scripts were published, requiring immediate dependency auditing and secret rotation.
A significant supply chain compromise affected official Mistral AI software development kits (SDKs) on both NPM and PyPI ecosystems. The incident involved an automated worm known as 'Mini Shai-Hulud' that leveraged stolen maintainer credentials to publish malicious packages containing secondary dropper payloads.
The vulnerability represents a direct supply chain compromise affecting the official software development kits published by Mistral AI. The attack surface encompasses developer workstations, CI/CD pipelines, and any downstream systems consuming the affected dependencies from the NPM and PyPI registries.
The impacted components include multiple @mistralai scoped packages on NPM, specifically @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. A parallel compromise occurred in the Python ecosystem, affecting the mistralai package version 2.4.6 on PyPI.
The root cause was not a flaw in the Mistral SDK codebase itself, but rather the compromise of the software distribution pipeline. An automated worm utilized stolen authentication tokens to masquerade as an authorized maintainer, subverting the trust controls inherent in package management ecosystems.
The initial vector of the compromise traces back to a third-party developer ecosystem. The automated worm, designated 'Mini Shai-Hulud', originally targeted maintainers of the TanStack project. The worm acquired access to developer environments by stealing authentication tokens and session cookies associated with NPM and PyPI registries.
A Mistral AI developer held maintainer privileges for both the targeted third-party libraries and official Mistral AI repositories. The worm compromised this specific developer's local environment, granting the malware administrative access to Mistral's package publishing pipeline.
Once the local environment was compromised, the worm autonomously enumerated all packages for which the infected developer possessed publishing rights. It then initiated automated uploads of new package versions containing the embedded malicious payload, bypassing manual code review processes.
The injected payload varied in functionality depending on the target ecosystem. The malicious code published to the @mistralai NPM packages functioned as a dropper, designed to fetch and execute a secondary payload from a remote command-and-control server.
Analysis from multiple security vendors confirmed that the NPM variant of the dropper was broken. Execution failures within the post-install script prevented the final malware stage from running successfully on many victim machines. This execution failure mitigated the immediate technical impact for NPM consumers.
Conversely, the PyPI payload embedded within mistralai==2.4.6 was fully functional. This variant successfully executed its primary objectives, which included credential exfiltration and the subsequent propagation of the worm to newly infected developer environments.
The attack methodology relies entirely on subverting developer trust and manipulating package manager behaviors. The worm hooks into the installation phase of the package lifecycle. For NPM, this typically involves defining a preinstall or postinstall script within the malicious package.json.
When a victim executes a standard installation command, the package manager inadvertently triggers the worm's bootstrap script. The script immediately attempts to spawn a hidden shell process to execute encoded instructions or initiate network connections to external infrastructure.
The fully functional PyPI payload actively scans the local environment for configuration files, environment variables, and SSH keys. It targets high-value secrets, particularly authentication tokens that allow the worm to authenticate against version control systems and package registries to continue its lateral movement.
Successful execution of the functional payload results in a total loss of confidentiality and integrity for the infected environment. The attacker gains the capability to execute arbitrary code with the privileges of the user invoking the package manager.
The primary objective of the payload is credential theft. Any secrets, API keys, or environment variables present on the compromised system must be considered compromised. Specifically, the MISTRAL_API_KEY is at high risk of exfiltration, leading to unauthorized resource consumption and potential data exposure on the Mistral AI platform.
Forensic investigations by Mistral AI concluded that their internal infrastructure and production systems were not compromised during this incident. The blast radius was strictly limited to systems consuming the affected package versions published via the single compromised developer account.
Immediate remediation requires verifying installed package versions across all projects. Development and security teams must audit package.json, package-lock.json, and requirements.txt files for any @mistralai scoped dependencies or the mistralai Python package updated around May 12, 2025.
If compromised versions are identified, they must be removed, and systems updated to the latest available clean versions published after the incident. Developers must forcefully purge local package caches to prevent accidental re-installation of the malicious artifacts.
```bash
# Purge the NPM cache forcefully
npm cache clean --force
# Reinstall dependencies
npm install
```

Credential rotation is mandatory for any environment that executed the compromised packages. Administrators must immediately revoke and reissue all secrets, API keys, and specifically any MISTRAL_API_KEY instances that were accessible to the affected system during the vulnerability window.
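The audit step above can be scripted. The following is an added example, not Mistral AI's tooling: it scans a `package-lock.json` (lockfileVersion 2/3) for any `@mistralai`-scoped package and reports whether npm flagged it as carrying an install-time lifecycle script (the `hasInstallScript` field), and it checks a `requirements.txt` for the known-bad `mistralai==2.4.6` pin. The lockfile contents, the `9.9.9` version and the `mistralai>=2.0` spec are constructed sample inputs.

```python
import json
import re

# Advisory specifics: every @mistralai-scoped NPM package published in the
# incident window, and the single known-bad PyPI version of mistralai.
AFFECTED_NPM_SCOPE = "@mistralai/"
AFFECTED_PYPI_VERSIONS = {"mistralai": {"2.4.6"}}

def audit_npm_lock(lock_text):
    """Findings for @mistralai packages in a lockfileVersion 2/3 package-lock.json.
    npm sets hasInstallScript on entries that declare preinstall/install/postinstall
    hooks, which is the lifecycle phase the dropper relies on."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # strip nesting prefix, "" for root
        if name.startswith(AFFECTED_NPM_SCOPE):
            findings.append({
                "package": name,
                "version": meta.get("version"),
                "install_script": bool(meta.get("hasInstallScript", False)),
            })
    return findings

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|~=|<=|>|<)?\s*([^\s;#]*)")

def audit_requirements(req_text):
    """Findings for mistralai specs in a requirements.txt. An exact pin to a
    known-bad version is 'compromised'; any other spec is 'unverified', since
    pip may still resolve it to the bad version and the installed copy must be checked."""
    findings = []
    for line in req_text.splitlines():
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op, ver = m.group(1).lower(), m.group(2), m.group(3)
        bad = AFFECTED_PYPI_VERSIONS.get(name)
        if bad is None:
            continue
        status = "compromised" if op == "==" and ver in bad else "unverified"
        findings.append({"package": name, "spec": line.strip(), "status": status})
    return findings

# Constructed sample inputs (version 9.9.9 is a placeholder, not a real release).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"@mistralai/mistralai": "^1.0.0"}},
    "node_modules/@mistralai/mistralai": {"version": "9.9.9", "hasInstallScript": True},
    "node_modules/x/node_modules/@mistralai/mistralai-azure": {"version": "9.9.9"},
    "node_modules/left-pad": {"version": "1.3.0", "hasInstallScript": True},
}})
SAMPLE_REQS = "requests==2.31.0\nmistralai==2.4.6\nmistralai>=2.0  # second project\n"

if __name__ == "__main__":
    for finding in audit_npm_lock(SAMPLE_LOCK) + audit_requirements(SAMPLE_REQS):
        print(finding)
```

Run it against each project's real lockfile and requirements file; any `compromised` or `unverified` finding should be followed by the removal, cache purge and credential rotation described above.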
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| @mistralai/mistralai | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| @mistralai/mistralai-azure | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| @mistralai/mistralai-gcp | Mistral AI | Versions published ~May 12, 2025 | Latest post-May 12 versions |
| mistralai (PyPI) | Mistral AI | == 2.4.6 | Latest post-May 12 versions |
| Attribute | Detail |
|---|---|
| Attack Vector | Supply Chain Compromise |
| CWE ID | CWE-506 |
| Impact | Credential Theft / Arbitrary Code Execution |
| Vulnerable Packages | @mistralai/* (NPM), mistralai (PyPI) |
| Threat Actor / Malware | Mini Shai-Hulud Worm |
| Primary Target | Developer Environments |