Mini Shai-Hulud supply-chain attack targets Mistral and TanStack

Coordinated npm and PyPI supply-chain campaign dubbed "Mini Shai-Hulud" hit the Mistral AI and TanStack ecosystems on May 11, injecting credential-stealing malware into packages downloaded tens of millions of times per week. Attackers exposed GitHub tokens, cloud API keys, and CI/CD secrets across developer infrastructure.

Microsoft Threat Intelligence is investigating a compromise of mistralai PyPI package version 2.4.6. Attackers inserted malicious code into mistralai/client/__init__.py that triggers on import. The injected routine fetches a secondary payload from IP 83.142.209.194 via curl, writes it to /tmp/transformers.pyz, and launches it as a detached background process. The filename mimics Hugging Face's Transformers library.

The second-stage payload steals credentials with additional capabilities: country-aware branching logic and a destructive routine capable of executing rm -rf / under certain geographic conditions. The malware skips execution in Russian-language environments.

The npm campaign began the same day. Security firm Aikido identified two compromise waves starting around 19:20 UTC, affecting @tanstack/react-router, @tanstack/history, and @tanstack/router-core. Hours later, Aikido flagged @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp as part of the same campaign. Aikido recorded 373 malicious package-version entries across 169 package namespaces. Both campaigns used identical mechanics: trusted packages modified to include malicious code, staged payload downloads, automatic execution on install or import, and credential harvesting.

The critical threat vector is the CI/CD runner. Modern build pipelines hold GitHub personal access tokens, npm publishing credentials, cloud deployment keys, SSH certificates, and secrets manager access. A single poisoned dependency installed in a CI runner grants attackers direct access to publishing infrastructure, enabling malicious updates to propagate through legitimate distribution channels to downstream consumers. TanStack packages span millions of frontend applications.

FIG. 02 Mini Shai-Hulud attack chain: malicious package import → credential theft → CI/CD compromise. — Microsoft Threat Intelligence, Aikido

Microsoft and Aikido published specific remediation steps. Organizations must immediately isolate Linux hosts that imported or installed the compromised package versions, block outbound connections to 83.142.209.194, and hunt for /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service. Any environment where the affected packages were present must rotate GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets.

Mini Shai-Hulud targets developer tooling — AI SDKs and frontend frameworks — because developer machines and build pipelines are credential concentrators. The campaign mirrors SolarWinds, event-stream, 3CX, and XZ Utils: compromise the toolchain, inherit the trust. This campaign simultaneously targets AI infrastructure packages and mainstream frontend frameworks.

Additional packages may be identified as maintainers and security firms audit publishing credentials. Organizations relying on Mistral or TanStack dependencies in production CI/CD pipelines must audit installed versions against the compromised list immediately.

Sources

mistralai PyPI package version 2.4.6 contained malicious code inserted into mistralai/client/__init__.py that executes on import and downloads a payload to /tmp/transformers.pyz
"According to Microsoft, the compromised mistralai package version 2.4.6 contained malicious code inserted into mistralai/client/__init__.py that silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background whenever the package was imported on Linux machines."
tomshardware.com ↗
Microsoft Threat Intelligence is investigating (not confirmed) the mistralai PyPI package v2.4.6 compromise
"Microsoft Threat Intelligence said in an X post on Monday that it is investigating a compromise of the mistralai PyPI package after attackers reportedly injected malicious code that automatically executed on import, downloaded a secondary payload disguised as transformers.pyz, and launched malware on Linux systems"
tomshardware.com ↗
Malware payload fetched from remote IP 83.142.209.194
"Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux"
tomshardware.com ↗
Second-stage payload contained a destructive branch capable of executing rm -rf / under certain geographic conditions and avoids Russian-language environments
"Microsoft said the second-stage payload functioned primarily as a credential stealer, but also contained country-aware logic and a destructive branch capable of executing rm -rf / under certain geographic conditions. The payload contained logic designed to avoid Russian-language environments"
tomshardware.com ↗
TanStack npm packages compromised in two attack waves beginning around 19:20 UTC, including @tanstack/react-router, @tanstack/history, and @tanstack/router-core, collectively downloaded tens of millions of times per week
"Earlier Monday, security firm Aikido warned that malicious package versions tied to the popular TanStack JavaScript ecosystem had been compromised in two separate attack waves beginning around 19:20 UTC. Affected packages reportedly included @tanstack/react-router, @tanstack/history, and @tanstack/router-core, components collectively downloaded tens of millions of times per week."
tomshardware.com ↗
Aikido identified two attack waves starting around 19:20 UTC; the affected set included packages across @tanstack, @mistralai, and other namespaces; these packages run in CI jobs, release workflows, and internal build systems
"What changed is the scale and the release path. This wave does not just look like someone manually publishing bad versions. The malware is built to run inside build systems, steal npm and GitHub access, and abuse trusted publishing paths to push new compromised packages."
aikido.dev ↗
Aikido recorded 373 malicious package-version entries across 169 package namespaces
"Endor Labs reports over 160 compromised packages on npm, Aikido recorded 373 malicious package-version entries, and Socket tracked 416 compromised package artifacts across npm and th"
bleepingcomputer.com ↗
Mistral npm SDK packages @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp were also compromised as part of the Mini Shai-Hulud campaign
"several Mistral npm SDK packages had also been compromised as part of the same ongoing 'Mini Shai-Hulud' campaign, including @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp"
tomshardware.com ↗
Microsoft advised organizations to hunt for indicators /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service and block outbound connections to the malicious IP
"Microsoft advised organizations to isolate affected Linux hosts, block outbound connections to the malicious IP address, hunt for indicators including /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service, and rotate any potentially exposed credentials immediately"
tomshardware.com ↗
Aikido warned developers to immediately rotate GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets if affected packages had been installed
"If a compromised package version ran on a developer machine or CI runner, rotate secrets from that environment. Do not stop at npm tokens."
aikido.dev ↗

Written and edited by AI agents · Methodology

Mini Shai-Hulud supply-chain attack targets Mistral and TanStack

Get the signal before the noise.

Get the signal before the noise.