Mistral hit by supply‑chain breach

- Mistral AI said attackers temporarily compromised one of its code-management systems on May 12, after a wider third-party supply-chain attack hit its SDK packages.
- TeamPCP advertised nearly 450 alleged Mistral repositories for $25,000, claiming about 5 gigabytes of internal code and threatening a public leak.
- Mistral’s May 12 advisory lists affected package versions and indicators of compromise; the company said its forensic investigation is ongoing.

Mistral AI said attackers temporarily compromised one of its source-code management systems on May 12 through the wider TanStack supply-chain attack, and a hacking group calling itself TeamPCP is now claiming to sell internal repositories taken in that intrusion. The French AI company said the attack was contained and that its hosted services, managed user data and research and testing environments were not compromised. Public posts reviewed by security outlets show TeamPCP offering nearly 450 alleged repositories for $25,000 and threatening to leak them if no buyer emerges within a week. Mistral has disputed the broader theft claims, saying attackers accessed only “certain non-critical code repositories.”

### How did Mistral say the breach began?

Mistral’s security advisory, published May 12, said the company was affected by a supply-chain attack caused by the compromise of TanStack, which it described as third-party software. The advisory said an “affected developer device was involved” and that an automated worm associated with the attack led to compromised npm and PyPI SDK versions being published. (numerama.com)

SecurityWeek reported that the wider Mini Shai-Hulud campaign compromised more than 170 packages across npm and PyPI and was linked to TeamPCP. BleepingComputer reported that the incident began with the compromise of official packages from TanStack and Mistral AI through stolen CI/CD credentials and legitimate workflows before spreading to other projects.

### Which Mistral packages were affected?

(docs.mistral.ai) Mistral’s advisory named three npm packages — `@mistralai/mistralai`, `@mistralai/mistralai-azure` and `@mistralai/mistralai-gcp` — as well as the PyPI package `mistralai`. The company said compromised npm versions were uploaded on May 11 at 22:45 UTC and removed on May 12 at 01:53 UTC, while the compromised PyPI release was uploaded on May 12 at 00:05 UTC and removed at 03:05 UTC.

(securityweek.com) The same advisory said the npm packages were effectively harmless because a referenced file did not exist, but the PyPI package version 2.4.6 ran a malicious script on import on Linux systems. Mistral said that script downloaded a file from an external IP address, executed it as a background process and attempted to harvest credentials from common locations.

### What exactly are the attackers claiming to have stolen?

(docs.mistral.ai) BleepingComputer reported on May 14 that TeamPCP said it had taken nearly 5 gigabytes of “internal repositories and source code” used by Mistral for training, fine-tuning, benchmarking, model delivery and inference work. The same report said the group was asking $25,000 for “nearly 450 repositories” and threatened to leak the material publicly if no buyer was found. (docs.mistral.ai)

Numerama reported that the forum post advertised about 5 gigabytes of internal data and 450 repositories, but said the authenticity of the material being offered for sale had not been publicly verified. That distinction matters here: the sale post is public, but independent confirmation of the full data set is not. (bleepingcomputer.com)

### What has Mistral confirmed, and what has it denied?

Mistral told Numerama that “one of our code management systems” was temporarily compromised on May 12 through the third-party supply-chain attack and that attackers contaminated some SDK packages for a brief period. The company said it neutralized the attack quickly and conducted an investigation with authorities. (numerama.com)

The company told both Numerama and BleepingComputer that attackers did not reach customer data, hosted services, or research and testing environments.

BleepingComputer reported that Mistral said forensic work found the impacted data was not part of its core code repositories, while Numerama quoted the company as saying attackers accessed no data beyond “certain non-critical code repositories.” (numerama.com)

### Why is this tied to TanStack and Mini Shai-Hulud?

BleepingComputer reported on May 12 that the Shai-Hulud attack used hijacked OpenID Connect tokens to publish malicious package versions with valid provenance attestations, making them appear authentic to developers. The report cited TanStack’s post-mortem as saying attackers chained weaknesses involving a `pull_request_target` workflow, GitHub Actions cache poisoning and OIDC token theft from runner memory. (bleepingcomputer.com)

SecurityWeek said the same campaign targeted credentials, API keys, cloud secrets and other tokens and attempted to propagate by using compromised npm and GitHub Actions tokens to publish malicious versions of packages the victim could write to. That broader mechanism is the link between the package compromise and Mistral’s later statement that one of its code-management systems was temporarily breached. (bleepingcomputer.com)

### What should developers and customers watch next?

Mistral’s May 12 advisory tells users to check whether they installed the affected package versions, inspect lockfiles and caches, and look for listed indicators of compromise on Linux hosts. The company said users who did not install those versions are not affected by the advisory. As of May 15, the next concrete checkpoint is whether TeamPCP publishes samples or follows through on its one-week leak threat, and whether Mistral or outside researchers authenticate any of the advertised repositories. (securityweek.com)

Mistral’s public security advisory remains the company’s primary remediation document for affected SDK users. (bleepingcomputer.com) (docs.mistral.ai)
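
The lockfile check described above can be scripted. The following is an added example, not code from Mistral's advisory or from this article: it flags exact pins of `mistralai` 2.4.6 in requirements-style files and in `poetry.lock`/`uv.lock`, and lists the resolved versions of the three named npm packages in `package-lock.json` for comparison with the advisory's version list. Function names and sample input are constructed for illustration.

```python
import json
import re

# From the page: PyPI release the advisory says ran a malicious script on import (Linux).
BAD_PYPI = {"mistralai": {"2.4.6"}}
# From the page: npm packages named in the advisory. The page gives no npm version
# numbers, so hits are only listed for manual comparison with the advisory.
NPM_NAMES = {"@mistralai/mistralai", "@mistralai/mistralai-azure", "@mistralai/mistralai-gcp"}

_PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*==\s*([A-Za-z0-9.!+*-]+)")
_KV = re.compile(r'^\s*(name|version)\s*=\s*"([^"]+)"')

def _norm(name):
    """PEP 503 name normalisation (case, '-', '_', '.')."""
    return re.sub(r"[-_.]+", "-", name).lower()

def scan_requirements(text):
    """Exact '==' pins in requirements.txt-style text; unpinned ranges are not resolved."""
    hits = []
    for line in text.splitlines():
        m = _PIN.match(line.split("#", 1)[0])  # ignore trailing and full-line comments
        if m and m.group(2) in BAD_PYPI.get(_norm(m.group(1)), ()):
            hits.append((_norm(m.group(1)), m.group(2)))
    return hits

def scan_toml_lock(text):
    """poetry.lock / uv.lock: pair each [[package]] name with the version that follows."""
    hits, name = [], None
    for line in text.splitlines():
        m = _KV.match(line)
        if line.strip() == "[[package]]":
            name = None
        elif m and m.group(1) == "name":
            name = _norm(m.group(2))
        elif m and name and m.group(2) in BAD_PYPI.get(name, ()):
            hits.append((name, m.group(2)))
    return hits

def scan_npm_lock(text):
    """package-lock.json (lockfileVersion 2/3): (path, version) of the named packages."""
    pkgs = json.loads(text).get("packages", {})
    return sorted((p, meta.get("version")) for p, meta in pkgs.items()
                  if p.rpartition("node_modules/")[2] in NPM_NAMES)

if __name__ == "__main__":
    # Constructed sample input, not taken from a real project.
    sample = "httpx==0.28.1\nmistralai[gcp]==2.4.6  # resolved during the exposure window\n"
    print(scan_requirements(sample))
```

A requirement written as a range (for example `mistralai>=2.0`) is not flagged by `scan_requirements`; the version that was actually resolved appears in the lockfile or the installed environment.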
