GoKawiilMicrosoft Threat Intelligence said in an X post on Monday that it is investigating a compromise of the mistralai PyPI package after attackers reportedly injected malicious code that automatically executed on import, downloaded a secondary payload disguised as transformers.pyz, and launched malware on Linux systems — the latest incident researchers believe may be linked to the broader “Mini Shai-Hulud” software supply-chain campaign targeting developer ecosystems.
According to Microsoft, the compromised mistralai package version 2.4.6 contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background whenever the package was imported on Linux machines.
The filename appears deliberately chosen to resemble Hugging Face’s widely used Transformers AI framework, potentially allowing the malware to blend into machine learning environments and evade suspicion. Microsoft said the second-stage payload functioned primarily as a credential stealer, but also contained country-aware logic and a destructive branch capable of executing rm -rf / under certain geographic conditions. The payload contained logic designed to avoid Russian-language environments, a behavior commonly observed in some cybercriminal malware campaigns, though such checks are not definitive indicators of attribution.
Latest Videos From
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux.… pic.twitter.com/9Xfb07HciaMay 12, 2026
The disclosure comes amid a growing wave of software supply-chain compromises affecting both npm and PyPI ecosystems. Earlier Monday, security firm Aikido warned that malicious package versions tied to the popular TanStack JavaScript ecosystem had been compromised in two separate attack waves beginning around 19:20 UTC. Affected packages reportedly included @tanstack/react-router, @tanstack/history, and @tanstack/router-core, components collectively downloaded tens of millions of times per week.
Hours later, Aikido said several Mistral npm SDK packages had also been compromised as part of the same ongoing “Mini Shai-Hulud” campaign, including @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. The firm warned developers to immediately rotate GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets if affected packages had been installed.
Microsoft has not publicly attributed the PyPI compromise to Mini Shai-Hulud. Still, the incidents share several characteristics, including malicious code inserted into trusted packages, staged payload downloads, credential theft, and automatic execution during installation or import. That overlap has raised concerns that attackers are increasingly targeting developer infrastructure itself rather than end users directly.
Modern development environments often contain high-value credentials, including GitHub personal access tokens, cloud deployment keys, SSH credentials, npm publishing tokens, and CI/CD system access. A compromised developer workstation or CI runner can therefore provide attackers with a path into much larger software ecosystems, allowing malicious updates to spread through legitimate package distribution channels.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter Get Tom's Hardware's best news and in-depth reviews, straight to your inbox. Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors
... continue reading