LONDON/WASHINGTON (Life News Agency) – May 13, 2026 – A sophisticated software supply chain attack has compromised the official Mistral AI Python package on PyPI, delivering malware that steals sensitive credentials from thousands of developer systems globally while embedding geofenced destructive logic targeting computers in Israel and Iran.
The malicious version mistralai 2.4.6 was uploaded to PyPI on or around May 12, 2026. It contained backdoor code in src/mistralai/client/__init__.py that automatically executes upon import on Linux systems. The code silently downloads a second-stage payload (transformers.pyz) from the IP address 83.142.209.194 and runs it in the background. PyPI has since quarantined the entire mistralai project, and Mistral AI has confirmed the compromise via its GitHub repository.
Security researchers, including Microsoft Threat Intelligence, have linked the incident to the ongoing “Mini Shai-Hulud” campaign — a large-scale supply chain operation that has poisoned over 170 npm packages and multiple PyPI libraries, including TanStack Router components, UiPath automation tools, OpenSearch, and Guardrails AI. Attackers reportedly hijacked GitHub CI/CD pipelines to inject malicious code into legitimate packages.
The malware functions primarily as a credential stealer, harvesting:
- GitHub tokens and CI/CD secrets
- Cloud provider API keys (AWS, GCP, Azure)
- Cryptocurrency wallets
- Password manager data (including 1Password and Bitwarden)
It spreads further by poisoning caches and publishing additional compromised packages.
A striking feature of the payload, according to Microsoft’s analysis, is its built-in evasion and targeting logic:
- The malware refuses to run on systems using the Russian language.
- On systems geolocated in Israel or Iran, it includes an additional destructive branch: a 1-in-6 (approximately 16.7%) chance of executing a full device wipe via rm -rf /, along with reportedly playing an audio file at maximum volume before deletion.
No official attribution has been released by Microsoft or other cybersecurity firms. The threat actor behind the broader campaign is tracked as TeamPCP, a financially motivated cybercrime group previously involved in credential theft and monetization operations. Some social media accounts, including @BRICSinfo, have described the operation as the work of “Russian hackers,” citing the malware’s avoidance of Russian-language systems and its targeting of Israel and Iran.
PyPI, GitHub, and affected maintainers have urged developers to:
- Immediately rotate all credentials and secrets from any machine that installed the malicious package
- Check for the presence of /tmp/transformers.pyz
- Verify environment variables such as MISTRAL_INIT
- Use version pinning and lockfiles in future installations
- Avoid running pip install mistralai==2.4.6 or unverified upgrades on production systems
This incident underscores the growing risk to the open-source ecosystem, particularly AI developer tools that are increasingly targeted in supply chain attacks. The campaign’s ability to cross from npm to PyPI and embed geofenced wiper functionality marks a notable escalation in both scale and sophistication.
Life News Agency will continue monitoring developments as Microsoft Threat Intelligence and independent researchers publish further technical details.
About The Author
