Key Takeaways:
- A sophisticated supply-chain attack compromised over 400 software packages, including those from AI darling Mistral AI and widely used developer tool TanStack, injecting credential-stealing malware that put enterprise data at risk.
Back
Mistral AI, TanStack hit by malware infecting over 400 packages
A sophisticated supply-chain attack compromised over 400 software packages, including those from AI darling Mistral AI and widely used developer tool TanStack, injecting credential-stealing malware that put enterprise data at risk.
The attack, attributed to the TeamPCP threat group and dubbed “Shai-Hulud,” represents a significant escalation in software supply-chain attacks, leveraging stolen credentials to publish malicious package versions with valid security attestations. Microsoft Threat Intelligence first raised the alarm, noting that a compromised Mistral AI package on the PyPI repository was delivering malware designed to steal developer credentials and access tokens. The malware, cleverly named 'transformers.pyz' to mimic a popular Hugging Face library, was part of a broader campaign that has been active since at least September.
"The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments,” Microsoft wrote in a post on X. The malware included geofencing to avoid Russian-language systems and a destructive routine with a 1-in-6 chance of wiping files on systems appearing to be in Israel or Iran.
The campaign’s scope quickly expanded beyond Mistral AI, with security firms like Endor Labs, Aikido, and Socket tracking between 160 and 416 compromised package artifacts across both the npm and PyPI ecosystems. The attackers exploited a series of vulnerabilities, including a risky GitHub Actions workflow and OIDC token theft, to gain access to legitimate developer accounts. This allowed them to publish malicious versions of at least 42 TanStack packages that appeared cryptographically authentic, complete with valid SLSA Build Level 3 provenance and Sigstore attestations. The malware was designed to exfiltrate a wide range of developer secrets, from GitHub tokens and SSH keys to credentials for AWS, Kubernetes, and HashiCorp Vault.
The incident exposes critical vulnerabilities in the open-source software supply chain that underpins much of the modern technology sector, from AI development to enterprise applications. For companies like Mistral AI, which competes with giants like OpenAI and Anthropic, and the countless developers relying on TanStack's tools, the attack erodes trust and forces a costly scramble to contain the damage. The use of valid security attestations on malicious packages is particularly concerning, as it undermines a key defense mechanism developers use to verify software authenticity. The long-term impact for investors may be a re-evaluation of the security risks inherent in the rapid, open-source-driven development cycles favored by the tech industry, potentially favoring companies with more rigorous, albeit slower, security postures.
This article is for informational purposes only and does not constitute investment advice.
[1] Hackers implant malicious code in Mistral AI software packages[2] Hackers Insert Malware Into Mistral AI Software Download[3] Mistral AI and TanStack hit in supply chain attack with SLSA-attested malware[4] Shai Hulud attack ships signed malicious TanStack, Mistral npm packages[5] Mistral AI SDK, TanStack Router hit in npm software supply chain attack
