Microsoft Uncovers Malware in Mistral AI PyPI Package
Microsoft Threat Intelligence reported that attackers inserted malicious code into a Mistral AI package on PyPI, which steals credentials from Linux systems as part of the Shai-Hulud campaign. The supply chain compromise tied to a TanStack incident highlights ongoing risks to developer tools on PyPI and NPM repositories.
“The file name transformers.pyz appears deliberately chosen to mimic the widely used Hugging Face Transformers library and blend into ML/dev environments,” Microsoft wrote. The company said the malware primarily worked as a credential stealer capable of collecting developer login information and access tokens.
Microsoft also said the malware avoided Russian-language systems and included code that could randomly delete files on some systems that appeared to be located in Israel or Iran. Reports link the latest attack to the broader “Shai-Hulud” malware campaign that began in September and targets software supply chains by infecting trusted developer packages and stealing credentials from compromised systems.
“Shai-Hulud, that spoopy Git worm thingy everyone’s been yapping about, has been open-sourced,” cybersecurity firm VX Underground wrote on X. “What does this mean? TeamPCP, or someone else, has released the fully weaponized worm for you.”
Microsoft advised organizations to isolate affected Linux systems, block the associated internet address, search for signs of infection, and replace potentially exposed credentials.
On Tuesday, Mistral said on its website that it was impacted by a supply-chain attack tied to the broader TanStack security incident. The company said an automated worm associated with the attack led to compromised NPM and PyPI package versions being published. “Current investigation indicates that an affected developer device was involved,” the company wrote. “We have no indication that Mistral infrastructure was compromised.”
NPM is one of the world’s largest software download platforms for JavaScript developers. It has increasingly become a target in crypto-related cyberattacks because many blockchain apps, wallets, and trading platforms rely on software distributed through the service. In September, Ledger CTO Charles Guillemet warned that hackers had compromised widely used NPM packages in an attack that could redirect crypto transactions and steal funds. “The affected packages have already been downloaded over 1 billion times, meaning the entire JavaScript ecosystem may be at risk,” Guillemet wrote on X at the time. Other recent attacks used poisoned NPM packages tied to fake crypto trading bots and blockchain tools to spread malware through Ethereum smart contracts.
Reader-supported
The Circuitry is a passion project I've always wanted to build, and I love the work behind it.
Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.
Any contribution is appreciated. If not, no pressure. Thanks for reading.
EXPERT TAKE
This supply chain attack via an affected developer device reinforces that enterprises using AI and ML packages must isolate systems quickly and rotate credentials to limit exposure from credential stealers.