Malware Injected into Mistral AI PyPI Package Steals Credentials
Attackers added malicious code to a Mistral AI package on PyPI that auto-ran on Linux, fetched a transformers.pyz credential stealer and could delete files in Israel or Iran.
On Monday Microsoft Threat Intelligence reported attackers inserted malicious code into a Mistral AI package distributed through PyPI. When the package ran on Linux systems, it downloaded a second file named transformers.pyz and launched it in the background.
The transformers.pyz filename appears designed to mimic the Hugging Face Transformers library and blend into machine-learning and developer environments. The payload primarily collected developer credentials and access tokens, included checks to avoid systems set to the Russian language and contained logic that could randomly delete files on hosts that appeared to be located in Israel or Iran.
Researchers linked the incident to a supply-chain campaign that began in September and distributes malicious versions of trusted packages. The activity has been tracked under the label “Shai-Hulud.” Cybersecurity firm VX Underground posted that a fully weaponized version of the worm tied to the campaign has been released publicly.
Mistral posted on its website that it was affected by a supply-chain attack related to the broader TanStack security incident. The company reported an automated worm led to compromised package versions on both NPM and PyPI. “Current investigation indicates that an affected developer device was involved,” Mistral wrote. “We have no indication that Mistral infrastructure was compromised.”
Microsoft advised organizations to isolate affected Linux machines, block the internet address used by the malware, search systems for signs of compromise and replace credentials and tokens that may have been exposed. The advisory cautioned defenders to assume stolen keys and session tokens could grant access to code repositories, cloud accounts and other developer resources.
The incident follows earlier attacks that poisoned packages on public registries. In September researchers reported some compromised NPM packages had been downloaded more than 1 billion times and could be used to redirect cryptocurrency transactions or drain wallets. Previous campaigns have disguised malicious code as crypto trading bots, blockchain tools and development utilities to spread malware.
The disclosures from Microsoft and Mistral leave open questions about the full scope of affected packages and which developer devices were compromised. Organizations that rely on Python and JavaScript packages are being asked to audit recent installs, rotate exposed credentials and review access logs for suspicious activity.
The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.
Articles by this author
