Mistral AI's NPM Package Compromised in Shai Hulud Supply Chain Attack
Key Takeaways
- ▸Mistral AI's @mistralai/mistralai npm package (v2.2.4) was compromised by the Shai Hulud worm supply chain attack
- ▸The attack is self-spreading and specifically targets the npm ecosystem, affecting multiple packages
- ▸Developers who installed the compromised version face potential execution of malicious code in their environments
Summary
Mistral AI's official TypeScript SDK package (@mistralai/mistralai) on NPM has been compromised as part of the "Shai Hulud worm," a self-spreading supply chain attack targeting the npm ecosystem. Version 2.2.4 of the package was confirmed to be affected, exposing developers who installed the compromised version to malicious code injection through the npm package manager.
The Shai Hulud worm is a sophisticated supply chain attack that spreads automatically by injecting malicious code into popular npm packages. Developers using the affected version of Mistral AI's client library would have had unauthorized code executed in their environments during installation or runtime. This is particularly concerning given the widespread use of such SDKs across development organizations building AI applications.
- This incident highlights the vulnerability of open source dependency chains and the importance of package verification
