Major Supply Chain Attack Compromises Mistral AI SDK and 170+ Open Source Packages
Key Takeaways
- Over 170 npm packages and 2 PyPI packages compromised in a single coordinated attack spanning multiple organizations (@tanstack, @uipath, @squawk, @tallyui)
- Mistral AI's official SDK (mistralai on PyPI and @mistralai/mistralai on npm) was directly compromised, demonstrating the vulnerability of even trusted sources
- Attack used sophisticated credential harvesting, file dropping, and code execution with C2 infrastructure at filev2.getsession.org and git-tanstack.com
Summary
A massive coordinated supply chain attack on May 11, 2026 compromised over 170 npm packages and 2 PyPI packages, marking one of the largest registry poisoning events of 2026. The attack specifically targeted Mistral AI's official SDK suite on both npm (@mistralai/mistralai) and PyPI (mistralai), alongside packages from TanStack, UiPath, OpenSearch, and Guardrails AI. The attacker published malicious versions across entire organizational scopes, demonstrating sophisticated coordination and scale rarely seen in single campaigns.
The compromised packages included widely used libraries like @tanstack/react-router (3M+ weekly downloads), @opensearch-project/opensearch, and UiPath's RPA automation tools. The attack used different payload delivery mechanisms for npm and PyPI: npm packages dropped configuration files and attempted to steal credentials, while PyPI packages included a Python dropper that downloads and executes code from attacker-controlled infrastructure at hxxps://git-tanstack[.]com/transformers.pyz. PyPI has quarantined the entire mistralai and guardrails-ai projects.
The incident underscores critical vulnerabilities in the open source supply chain, where even official SDKs from major companies can be compromised through credential theft or account takeover. Developers are advised to implement strict dependency management policies, use package verification tools, and apply sandboxing to limit the impact of potentially compromised packages.
- Different payload mechanisms for npm vs PyPI: npm packages targeted configuration files and tokens, while PyPI packages used a Python dropper for remote code execution
- PyPI quarantined the affected projects; the security community is tracking the campaign as 'mini-shai-hulud', the first coordinated attack spanning both the npm and PyPI ecosystems
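As an added defender-side example (not code from the article or from any of the affected projects), the following script triages a project's own dependency manifests against the organization scopes, quarantined PyPI projects and C2 hosts named above: it flags lockfile entries in those scopes or fetched from those hosts, and flags requirements for the quarantined projects, noting when they are unpinned. The embedded lockfile and requirements are constructed sample data, and every package version in them is a placeholder, not a real compromised version.

```python
"""Constructed triage helper (not from the article): flag dependencies in the
scopes/projects named in the advisory and lockfile entries resolved from its C2
hosts. The sample lockfile and requirements below are made up; versions are placeholders."""
import json
import re

AFFECTED_NPM_SCOPES = {"@tanstack", "@uipath", "@squawk", "@tallyui",
                       "@mistralai", "@opensearch-project"}   # scopes named in the advisory
AFFECTED_PYPI = {"mistralai", "guardrails-ai"}                # projects quarantined by PyPI
C2_HOSTS = {"git-tanstack.com", "filev2.getsession.org"}      # C2 hosts named in the advisory

def audit_npm_lock(lock_text):
    """Walk a package-lock.json v2/v3 'packages' map; return (name, version, reason) tuples."""
    findings = []
    for path, meta in json.loads(lock_text).get("packages", {}).items():
        if "node_modules/" not in path:
            continue                      # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[1]          # handles nested node_modules
        scope = name.split("/")[0] if name.startswith("@") else None
        host = re.sub(r"^https?://([^/]+).*$", r"\1", meta.get("resolved", ""))
        if host in C2_HOSTS:              # tarball fetched from attacker infrastructure
            findings.append((name, meta.get("version"), "resolved from listed C2 host"))
        elif scope in AFFECTED_NPM_SCOPES:
            reason = "in affected scope" + ("" if meta.get("integrity") else "; no integrity hash")
            findings.append((name, meta.get("version"), reason))
    return findings

def audit_requirements(req_text):
    """Flag quarantined PyPI projects; an unpinned spec cannot be tied to a known-good build."""
    findings = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*([^\s;]+))?", line)
        if not m:
            continue                      # blank or comment-only line
        name = re.sub(r"[._]+", "-", m.group(1).lower())   # PEP 503 name normalisation
        if name in AFFECTED_PYPI:
            pin = m.group(3)
            findings.append((name, pin, "pinned; verify against advisory" if pin else "unpinned"))
    return findings

SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {    # constructed sample data
    "": {"name": "demo-app"},
    "node_modules/@tanstack/react-router": {"version": "0.0.0-placeholder",
        "resolved": "https://registry.npmjs.org/@tanstack/react-router/-/x.tgz", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/@mistralai/mistralai": {"version": "0.0.0-placeholder",
        "resolved": "https://git-tanstack.com/mistralai.tgz"},
    "node_modules/left-pad": {"version": "1.3.0",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", "integrity": "sha512-PLACEHOLDER"}}})
SAMPLE_REQS = "mistralai>=1.0   # unpinned\nGuardrails_AI==0.0.0-placeholder\nrequests==2.31.0\n"
```

Running `audit_npm_lock(SAMPLE_LOCK)` and `audit_requirements(SAMPLE_REQS)` on the sample data flags the two scoped npm entries (one for its scope, one for its C2 download host) and the two quarantined PyPI projects, with mistralai reported as unpinned.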
Editorial Opinion
This landmark supply chain attack demonstrates that even official SDKs from trusted AI companies like Mistral AI are vulnerable to compromise. The scale and sophistication (170+ packages, with coordinated attacks across both npm and PyPI) suggest a shift in attacker tactics toward ecosystem-wide disruption rather than targeting high-value individual packages. The security community must accelerate adoption of package verification tools, sandboxing, and stricter access controls for high-impact packages. Without these measures, the open source foundation of modern AI development remains dangerously exposed.