Security advisories | Mistral Docs
TanStack supply chain attack compromises Mistral AI SDK packages on npm and PyPI
Summary
Mistral AI's SDKs were impacted by a supply chain attack via compromised TanStack dependency, resulting in malicious npm and PyPI package versions being published. The npm packages were inoffensive (broken references), but the PyPI package (v2.4.6) contained malicious code that harvests credentials on Linux systems. Mistral's infrastructure was not compromised; affected versions have been removed and forensics confirm an affected developer device was involved.
Full text
Security advisories This page lists security advisories that may affect Mistral SDKs, packages, or developer tooling. TanStack supply chain attack affecting Mistral AI SDK packagesCopy section linkTanStack supply chain attack affecting Mistral AI SDK packages Reference: MAI-2026-002 Status: Mitigated Published: May 12, 2026 Impact: Potential risk to systems that installed affected packages Mistral was impacted by a supply chain attack caused by the compromission of TanStack, a third-party software. An automated worm associated with the attack led to compromised NPM and PyPI SDKs versions being published. An affected developer device was involved. Forensics investigation showed that Mistral infrastructure was not compromised. iInformationThe compromised npm packages were uploaded on May 11, 2026 at 22:45 UTC and removed on May 12, 2026 at 01:53 UTC. The compromised PyPI release was uploaded on May 12, 2026 at 00:05 UTC and has been removed on May 12, 2026 at 03:05 UTC. Previous versions are not affected by this advisory. GitHub security advisories: PyPI: GHSA-wx9m-wx4f-4cmg npm: GHSA-jgg6-4rpr-wfh7 ImpactCopy section linkImpact npmCopy section linknpm The compromised npm packages are inoffensive. Setup.mjs references a file that does not exist, making it useless. We still recommend removing them if you are impacted, see IOC. PyPICopy section linkPyPI The compromised PyPI package runs on a malicious script on import. It spawns a background process to harvest credentials from common locations. To check if you are impacted, see IOC. Affected versionsCopy section linkAffected versions You are affected if one of the package versions below was installed in any environment during the exposure window or is present in a lockfile, build artifact, container image, package cache, or deployment image. EcosystemPackageAffected versionsnpm@mistralai/mistralai2.2.2, 2.2.3, 2.2.4npm@mistralai/mistralai-azure1.7.1, 1.7.2, 1.7.3npm@mistralai/mistralai-gcp1.7.1, 1.7.2, 1.7.3PyPImistralai2.4.6 Indicators of CompromiseCopy section linkIndicators of Compromise PyPICopy section linkPyPI Check installed version and compare it against vulnerable version 2.4.6: pip show mistralai | grep -i ^versionpip show mistralai | grep -i ^version Check common Python dependency files and lockfiles: grep -n -E 'mistralai\b.*2\.4\.6' \ requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/nullgrep -n -E 'mistralai\b.*2\.4\.6' \ requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null The malicious code was injected into src/mistralai/client/__init__.py and runs at import time on Linux only. It downloads https://83.142.209.194/transformers.pyz to /tmp/transformers.pyz and executes it as a detached background process. Look for any of the following on Linux hosts that may have run import mistralai from version 2.4.6: File /tmp/transformers.pyz Process started via python /tmp/transformers.pyz Environment variable MISTRAL_INIT=1 Outbound connections to 83[.]142[.]209[.]194 You may also run the following script which will flag known malicious files. iInformationYou are not affected by this advisory if you did not install the affected package versions and they are not present in your lockfiles, build caches, deployment artifacts, or package mirrors. If the command finds an affected version, continue with the remediation steps below. If you use private package mirrors, caches, or container base images, check those copies too. npmCopy section linknpm Check installed versions: npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcpnpm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp Check common JavaScript lockfiles: grep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2\.2\.[2-4]|1\.7\.[1-3]' \ package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/nullgrep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2\.2\.[2-4]|1\.7\.[1-3]' \ package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null Look for any of the following files router_init.js (embedded in all @tanstack packages): ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c tanstack_runner.js (from git commit): 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 @tanstack/setup package.json: 7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b RemediationCopy section linkRemediation Stop using the affected package version immediately. Clean systems where one of these packages has been installed (see StepSecurity’s recovery steps). Rotate all secrets accessible from those systems. Check cloud audit logs for suspicious activities. Monitor connections to the following C2 indicators: api[.]masscan[.]cloud filev2[.]getsession[.]org git-tanstack[.]com seed1[.]getsession[.]org 83[.]142[.]209[.]194 (PyPi payload host) ChangelogCopy section linkChangelog 14/05/2026 - 09:55 UTC: Update advisory with latest information. 13/05/2026 - 09:00 UTC: Incident is mitigated. 12/05/2026 - 14:11 UTC: Updated the severity of compromised NPM packages following our internal findings
Indicators of Compromise
- ip — 83.142.209.194
- url — https://83.142.209.194/transformers.pyz
- malware — transformers.pyz