Malware planted in Mistral AI Python package via PyPI supply-chain attack
TL;DR:
- Microsoft Threat Intelligence reported on Monday that attackers inserted malicious code into a Mistral AI software package distributed via PyPI, the Python developer package repository. The code activated automatically when developers used the software on Linux systems.
- The malware downloaded a second file, transformers.pyz — deliberately named to mimic the widely used Hugging Face Transformers library — and operated primarily as a credential stealer collecting developer logins and access tokens.
- Mistral has said it has no evidence its own infrastructure was compromised; the company attributes the incident to a “supply-chain attack tied to the broader TanStack security incident” via a compromised developer device.
The malware avoided Russian-language systems and included code that could randomly delete files on some systems appearing to be located in Israel or Iran. Reports link the latest attack to the broader “Shai-Hulud” worm campaign, which began in September and targets developer-software supply chains by infecting trusted packages and stealing credentials.
Why this matters beyond Mistral
This is the second major AI-supply-chain attack to surface inside a month, and the third to use the same Shai-Hulud campaign infrastructure. Cybersecurity firm VX Underground noted on X that “Shai-Hulud, that spoopy Git worm thingy everyone’s been yapping about, has been open-sourced” — meaning the weaponised worm code is now publicly available for any threat actor to repurpose. The combination of (a) public worm code, (b) trusted-package distribution channels, and (c) AI developer environments full of credentials creates a fast-moving threat surface.
The npm parallel makes this worse
The Decrypt piece reminds readers that affected npm packages tied to earlier crypto-adjacent attacks have been downloaded over 1 billion times collectively. The same supply-chain weakness exists in the AI tooling ecosystem: developers routinely install hundreds of packages from PyPI and npm without verifying provenance, and AI workloads typically use credentials with broad access to cloud accounts and model APIs. A single compromised package on a developer laptop can leak Anthropic, OpenAI, AWS Bedrock and Azure OpenAI keys in one hit.
UK context
For UK SMEs building AI products — particularly those deploying open-weight models from Mistral, Hugging Face or similar — this is a sharp prompt to audit the dependency graph. Microsoft’s advice is direct: isolate affected Linux systems, block the malicious IP, search for infection signs, and replace potentially exposed credentials. Given that the payload is a credential stealer, any token that was present on an infected host should be treated as already exfiltrated and rotated, not merely checked. UK firms running CI/CD pipelines that pull from PyPI without provenance checks should add SLSA-style provenance attestation or hash pinning (for pip, a hash-pinned requirements file installed with `--require-hashes`) as a near-term hardening step. The National Cyber Security Centre has not yet commented on this specific incident but published guidance on AI tooling vulnerabilities last week.
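The provenance gap described in the npm section and the hash-pinning step recommended above come down to one check at install time. As an added example (not code from the page, from Microsoft, or from Mistral), the Python below re-implements the core of what `pip install --require-hashes` does so that the failure modes are visible: it parses a `pip-compile --generate-hashes` style requirements file, refuses any entry that lacks a `--hash`, and rejects an artifact whose digest does not match any pinned value. The package name, version, wheel bytes and digests are constructed placeholders for illustration, not the real Mistral package or its hashes.

```python
"""Hash-pinned dependency verification (added example, not the page's code).

Mirrors the rule `pip install --require-hashes` enforces: every requirement
must carry at least one --hash, and the downloaded artifact must match one of
them before it is installed. One failure aborts the whole install.
"""
import hashlib
import re
from dataclasses import dataclass, field

# One pip-compile style requirement: "name==version --hash=algo:hex [--hash=...]"
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=([a-z0-9_]+):([0-9a-fA-F]+)")


class PinningError(ValueError):
    """Raised when a requirement is unpinned or an artifact fails verification."""


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: dict[str, set[str]] = field(default_factory=dict)  # algorithm -> digests


def parse_pinned_requirements(text: str) -> list[PinnedRequirement]:
    """Parse a requirements file; backslash-continued lines are joined first."""
    logical = text.replace("\\\n", " ")
    reqs: list[PinnedRequirement] = []
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise PinningError(f"not an exact '==' pin: {line!r}")
        req = PinnedRequirement(m.group(1).lower(), m.group(2))
        for algo, digest in _HASH_RE.findall(line):
            req.hashes.setdefault(algo, set()).add(digest.lower())
        if not req.hashes:
            # --require-hashes semantics: a single unpinned entry fails everything
            raise PinningError(f"{req.name}=={req.version} has no --hash; refusing")
        reqs.append(req)
    return reqs


def verify_artifact(req: PinnedRequirement, artifact: bytes) -> bool:
    """True only if the artifact's digest matches one of the pinned values."""
    for algo, digests in req.hashes.items():
        if algo not in hashlib.algorithms_available:
            raise PinningError(f"unsupported hash algorithm {algo!r} for {req.name}")
        if hashlib.new(algo, artifact).hexdigest() in digests:
            return True
    return False


def check_install(requirements_text: str, downloaded: dict[str, bytes]) -> list[str]:
    """Dry-run install: return the names that verified, or raise on the first failure."""
    accepted: list[str] = []
    for req in parse_pinned_requirements(requirements_text):
        artifact = downloaded.get(req.name)
        if artifact is None:
            raise PinningError(f"no artifact downloaded for {req.name}")
        if not verify_artifact(req, artifact):
            raise PinningError(f"hash mismatch for {req.name}=={req.version}; aborting install")
        accepted.append(req.name)
    return accepted


# Constructed sample artifacts: placeholder bytes standing in for a wheel file.
GOOD_WHEEL = b"PK\x03\x04 mistralai-1.2.3 legitimate wheel contents"
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected loader that fetches a second-stage .pyz"
GOOD_DIGEST = hashlib.sha256(GOOD_WHEEL).hexdigest()

# What a `pip-compile --generate-hashes` run over the clean artifact would pin.
PINNED_REQUIREMENTS = "mistralai==1.2.3 \\\n" f"    --hash=sha256:{GOOD_DIGEST}\n"
# A plain pin with no hash: version is fixed, contents are not.
UNPINNED_REQUIREMENTS = "mistralai==1.2.3\n"


def demo() -> dict[str, object]:
    """Run the three cases: clean artifact, tampered artifact, unpinned requirement."""
    results: dict[str, object] = {}
    results["clean"] = check_install(PINNED_REQUIREMENTS, {"mistralai": GOOD_WHEEL})
    try:
        check_install(PINNED_REQUIREMENTS, {"mistralai": TAMPERED_WHEEL})
        results["tampered"] = "accepted"
    except PinningError as exc:
        results["tampered"] = f"rejected: {exc}"
    try:
        check_install(UNPINNED_REQUIREMENTS, {"mistralai": GOOD_WHEEL})
        results["unpinned"] = "accepted"
    except PinningError as exc:
        results["unpinned"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

In a real pipeline the same rule is applied by generating the file with `pip-compile --generate-hashes` (pip-tools), committing it, and installing with `pip install --require-hashes -r requirements.txt`. Note what this does and does not buy you: it stops a published artifact from being silently swapped for a different one, and it makes an unpinned transitive dependency a build failure rather than a quiet download, but it cannot tell you that the version you chose to pin was itself clean. That is why credential rotation and provenance attestation still belong alongside it.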
Looking forward
Expect more of these attacks before the ecosystem hardens. The combination of a publicly available worm, plentiful credentials in AI developer environments, and a global push for AI adoption that prioritises speed over supply-chain hygiene is a recipe for repeated incidents. UK boards should treat AI development environments as Tier 1 IT infrastructure for security purposes, with the same scrutiny applied to production systems — not as developer-experiment territory.