A Hidden Virus in Mistral AI: Microsoft Sounds the Alarm

The official Mistral AI SDK has been infected by a silent malware. Microsoft Threat Intelligence raised the alert on May 12, 2026: hackers injected malicious code directly into a PyPI package downloaded by thousands of AI developers. And this is only the tip of the iceberg!

An unprecedented scale AI attack

On May 11, 2026, a coordinated supply chain attack compromised over 170 npm packages and 2 PyPI packages. The total amounts to 404 malicious versions. This massive operation simultaneously targets some of the most used projects in the open source AI ecosystem.

The responsible hacker group, TeamPCP, managed to hijack the legitimate publishing pipelines of AI projects by exploiting misconfigurations of maintainers and GitHub Actions vulnerabilities. Result: infected packages bearing valid signatures, indistinguishable from legitimate versions. But this is not the most worrying.

According to Microsoft, the compromised version of the mistralai package 2.4.6 contained malicious code inserted in the mistralai/client/__init__.py file. It silently downloaded a file from a remote IP address to /tmp/transformers.pyz and executed it in the background as soon as the package was imported on a Linux system.

The name of the malicious file, transformers.pyz, seems deliberately chosen to imitate the Hugging Face Transformers framework. The latter is widely used in AI environments. PyPI has since quarantined the Mistral AI project.

Which data are at risk? What to do if you are affected?

The hackers’ goal is clear: steal AI developer credentials (GitHub and npm tokens, cloud keys, API keys, Kubernetes service accounts, and SSH keys). Once the infection is installed, the malware embeds itself in Claude Code hooks as well as VS Code auto-execution tasks. Uninstalling the compromised package is not enough to remove it.

For the first time, the malware also targets password managers like 1Password and Bitwarden. Aikido Security thus advises AI developers to immediately rotate their GitHub tokens, npm credentials, cloud API keys, and CI/CD secrets if compromised packages have been installed.

Other recommended actions:

• check the lockfile for versions known to be compromised;
• pin dependencies to known safe versions
• look for signs of infection

A threat that extends far beyond Mistral AI

Rather than targeting a single product, the attackers compromised entire groups of related packages. This significantly increases the scale and potential impact of the campaign. It simultaneously affected npm and PyPI ecosystems. Hence the wide-ranging risks.

The self-propagation mechanism remains largely unchanged from previous waves. It uses stolen GitHub/npm credentials, identifies packages related to the compromised maintainer, injects the malicious payload into the archives, and republishes infected versions.

The Mini Shai-Hulud attack may only be beginning. And the next target could be in your own development environment.

In any case, this vulnerability is a harsh reminder: artificial intelligence is software like any other, vulnerable to classical hacking methods. For Mistral AI, the challenge will be to prove the resilience of its ecosystem as the AI race intensifies. One thing is certain: security will no longer be an option, but the main driver of future model development.