TP-2026-0054 critical AI Draft C

Mistral AI Python SDK PyPI Package v2.4.6 Backdoor

Summary

On May 12, 2026, Mistral AI published security advisory MAI-2026-002 disclosing that version 2.4.6 of the mistralai Python SDK on PyPI had been compromised during a software supply-chain attack. Mistral said the affected PyPI release was uploaded at approximately 00:05 UTC on May 12, 2026, and that the PyPI project was quarantined. A GitHub security advisory for the mistralai Python client states that no v2.4.6 tag, commit, or release workflow run exists in the repository and that the upload bypassed the normal PyPI Trusted Publishing release pipeline.

NHS England Digital separately listed mistralai==2.4.6 as an affected PyPI package in a supply-chain alert. The public Mistral and GitHub advisories remain the primary sources for package behavior and remediation, and they do not identify a confirmed actor or confirmed victim count for the mistralai==2.4.6 PyPI release.

Technical Analysis

The Mistral advisory says the malicious PyPI package ran a script at import time on Linux systems and spawned a background process to harvest credentials from common locations. The related GitHub security advisory describes a function named _run_background_task added to src/mistralai/client/__init__.py and called at module-load time. According to that advisory, the function:

  1. Returned immediately on non-Linux systems or when the MISTRAL_INIT environment variable was already set.
  2. Set MISTRAL_INIT=1 before launching the child process.
  3. Downloaded https://83.142.209.194/transformers.pyz to /tmp/transformers.pyz if the file was not already present.
  4. Spawned the downloaded file with the current Python interpreter as a detached process.

The GitHub advisory narrows one important execution condition: a bare "import mistralai" did not trigger the loader, because the package is laid out as a PEP 420 namespace package, while documented SDK usage through mistralai.client.* would trigger it. The advisory also states that pip install, pip download, and pip wheel do not invoke the dropper by themselves.
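The loader steps listed above leave a file, an environment marker and a process command line that can be checked on a Linux host without importing the package. The following Python is an added example, not code from the Mistral or GitHub advisories; the function names and the proc_root and drop_path parameters are assumptions made for illustration.

```python
"""Added triage example: traces of the mistralai 2.4.6 loader on a Linux host."""
import os
from pathlib import Path

DROP_PATH = "/tmp/transformers.pyz"  # download path named in the advisory
MARKER = b"MISTRAL_INIT=1"           # set before the child process is launched


def _read(path):
    """Return file bytes, or empty bytes if the process exited or access is denied."""
    try:
        return Path(path).read_bytes()
    except OSError:
        return b""


def scan_processes(proc_root="/proc", drop_path=DROP_PATH):
    """Return [(pid, reason)] for processes that carry a loader indicator."""
    hits = []
    for entry in sorted(Path(proc_root).iterdir()):
        if not entry.name.isdigit():
            continue
        # Both files are NUL-separated. environ shows the exec-time environment,
        # so the marker is expected on the spawned child and its descendants.
        env = _read(entry / "environ").split(b"\0")
        argv = _read(entry / "cmdline").split(b"\0")
        if MARKER in env:
            hits.append((int(entry.name), "MISTRAL_INIT=1 in environment"))
        if drop_path.encode() in argv:
            hits.append((int(entry.name), "running " + drop_path))
    return hits


def triage(proc_root="/proc", drop_path=DROP_PATH):
    """Collect file and process indicators without importing mistralai."""
    return {
        "dropped_file": os.path.lexists(drop_path),
        "processes": scan_processes(proc_root, drop_path),
    }


if __name__ == "__main__":
    print(triage())
```

Reading another user's /proc/<pid>/environ requires root, so run the check with sufficient privilege. An empty result does not clear a host, because the detached process may already have exited.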

The available public record for this event scopes the incident to the Mistral PyPI release and does not attribute the activity to a named actor.

Attack Chain

  1. Staging — Mistral AI said current investigation indicated that an affected developer device was involved and that it had no indication Mistral infrastructure was compromised.
  2. Publication — Malicious release mistralai==2.4.6 was uploaded to PyPI at approximately 00:05 UTC on May 12, 2026.
  3. Distribution — The compromised package was available through PyPI until the project was quarantined.
  4. Execution — On Linux hosts, SDK usage that imported through mistralai.client.* triggered malicious code in __init__.py.
  5. Payload delivery — The code fetched transformers.pyz from 83.142.209.194 and launched it as a detached Python process.
  6. Response — Mistral advised affected users to clean impacted systems and rotate secrets accessible from those systems.

Timeline

  • 2026-05-12 00:05 UTC — Mistral AI says the compromised mistralai==2.4.6 package was uploaded to PyPI.
  • 2026-05-12 — Mistral AI published MAI-2026-002, and the associated GitHub security advisory documented the malicious dropper behavior.
  • 2026-05-12 — NHS England Digital listed mistralai==2.4.6 as an affected PyPI package in a supply-chain alert.

Impact Assessment

Linux environments that imported code through mistralai.client.* from mistralai==2.4.6 during the exposure window should be treated as potentially compromised. The GitHub advisory recommends rotating every credential reachable from the importing process and reviewing host and cloud audit logs from approximately 2026-05-12 00:05 UTC onward.

Mistral AI states that current investigation indicated an affected developer device was involved and that there was no indication Mistral infrastructure was compromised. The advisory was described as under active investigation at time of publication.

For this specific PyPI event, the public advisories support treating affected Linux hosts as potentially compromised, but they do not provide a confirmed victim count or confirmed actor identity.

Attribution

The attacker is unknown. Mistral AI’s advisory does not attribute the PyPI compromise to a named group or state actor, and the GitHub advisory does not name a responsible actor for mistralai==2.4.6.

Remediation & Mitigation

Mistral AI and the GitHub security advisory recommend treating affected Linux systems conservatively. Operators should:

  • Identify lockfiles, build artifacts, package caches, container images, and deployed environments that contain mistralai==2.4.6.
  • Treat Linux environments that imported the affected package as potentially compromised pending forensic review.
  • Rotate credentials reachable from the importing process and review host and cloud audit logs.
  • Check for /tmp/transformers.pyz, MISTRAL_INIT=1, or a detached Python process running /tmp/transformers.pyz.
  • Block or monitor outbound connections to 83.142.209.194.
  • Pin mistralai to 2.4.5 or earlier until a verified clean release path is available.
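The first remediation step, as an added example (not code from Mistral or either advisory): a sweep of a checkout, unpacked image filesystem or package cache for manifests that pin the affected version and for installed or cached copies of it. It reads file contents and names only and never imports the package; the function name and the set of manifest formats covered are assumptions.

```python
"""Added inventory example: find pins and copies of mistralai 2.4.6 on disk."""
import re
from pathlib import Path

V = re.escape("2.4.6")  # affected version named in the advisories
# Installed metadata, cached wheels and sdists are recognisable by name alone.
ARTIFACT = re.compile(rf"^mistralai-{V}(\.dist-info|\.tar\.gz|-.*\.whl)$")
MANIFEST = re.compile(r"^(requirements.*\.txt|constraints.*\.txt|.*\.lock)$")
PINS = [
    # requirements/constraints style; the lookahead rejects 2.4.60 or 2.4.6.1
    re.compile(rf"(?im)^\s*mistralai(\[[^\]]*\])?\s*==\s*{V}(?![\w.])"),
    # poetry.lock / uv.lock style: name and version on adjacent lines
    re.compile(rf'(?m)^name = "mistralai"\s*\nversion = "{V}"'),
    # Pipfile.lock (JSON): "mistralai": {..., "version": "==2.4.6"}
    re.compile(r'"mistralai":\s*\{[^}]*"version":\s*"==' + V + '"'),
]


def find_affected(root):
    """Return sorted paths under root that pin or contain mistralai 2.4.6."""
    hits = []
    for path in Path(root).rglob("*"):
        name = path.name.lower()
        if ARTIFACT.match(name):
            hits.append(str(path))
        elif MANIFEST.match(name) and path.is_file():
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if any(p.search(text) for p in PINS):
                hits.append(str(path))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_affected(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit shows where the release was pinned or stored; whether the loader ran on a given host still depends on the import condition described in the GitHub advisory.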

Sources & References