Microsoft Threat Intelligence has discovered a compromise of the popular mistralai library version 2.4.6 in the PyPI repository. The attackers have implemented a malicious script that steals developer credentials, but ignores Russian-language systems.
Microsoft Threat Intelligence has discovered a compromise of the popular mistralai library version 2.4.6 in the PyPI repository. The attackers have implemented a malicious script that steals developer credentials, but ignores Russian-language systems.
The incidentwas reported by Microsoft analysts in a post on X (Twitter). According to the researchers, the incident may be part of a broader campaign called Mini Shai-Hulud, which targets software supply chains and directly targets developer ecosystems.
The malicious code was inserted into the client initialization file (mistralai/client/init.py), allowing it to be automatically executed every time the library is imported. The program downloads a payload called transformers.pyz, mimicking the well-known Hugging Face Transformers framework to avoid ML experts’ suspicions.
Code analysis showed that the virus checks the language settings and the host location. If the system is identified as Russian-speaking, the malware stops working. At the same time, a destructive function is provided for users in Israel and Iran: with a probability of one in six, the program runs the command rm -rf / to completely delete data.
In parallel with the PyPI incident, cybersecurity firm Aikido warned of similar attacks in the JavaScript ecosystem. Attackers compromised popular TanStack packages, including @tanstack/react-router and @tanstack/history, which have tens of millions of downloads per week. The Mistral SDK npm packages for Azure and GCP were also affected.
While Microsoft has not officially linked the PyPI hack to the Mini Shai-Hulud campaign, Aikido experts note that the attack methods are identical: code injection into trusted packages, stealing secrets, and automatic execution during installation. Developers are advised to immediately change their GitHub tokens, npm credentials, and cloud API keys if they used vulnerable versions of packages.
