Microsoft Warns: Compromised mistralai PyPI Package Injects Malicious Code

Emy Elsamnoudy
May 12, 2026

A popular AI development library has been weaponized. The mistralai PyPI package, specifically version 2.4.6, was found to contain malicious code secretly injected by attackers. This compromise poses a serious risk to developers and organizations globally, affecting anyone who installed or updated the package. The mistralai library is widely utilized for building applications powered by large language models.

The attack works silently and efficiently. The moment a developer imports the package, the injected code springs into action without any visible sign.

It reaches out to a remote server and pulls down a second-stage payload onto the target system, all before the user has any real idea something is wrong. This type of attack is known as a supply chain attack, where the threat hides inside a trusted tool that developers rely on every single day.

Analysts at Microsoft Threat Intelligence flagged the compromise on May 12, 2026, sharing detailed findings about the malicious behavior observed inside the package. Their analysis revealed how carefully the attackers crafted this entire operation, using familiar file names and trusted-looking infrastructure to stay hidden deep inside developer environments.

Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux.… pic.twitter.com/9Xfb07Hcia

— Microsoft Threat Intelligence (@MsftSecIntel) May 12, 2026

The payload download is disguised as a file named transformers.pyz, a name clearly chosen to mimic the well-known Hugging Face Transformers library, one of the most popular tools in the machine learning world.

mistralai PyPI Package Compromised

By borrowing this recognizable name, the attackers made it far harder for developers or automated systems to flag the file as suspicious. Once dropped onto a Linux machine, it acts as a launchpad for the real attack.

At its core, the main payload is built to steal credentials. Usernames, passwords, API keys, and other sensitive login data stored on the infected system are all at risk of being quietly harvested and sent back to the attacker.

Credential theft can open the door to far larger breaches, giving attackers access to cloud accounts, internal systems, or sensitive customer data.

The attackers tampered directly with the mistralai/client/__init__.py file inside the package, which is the very first file that runs when a developer imports the library. This gave them a guaranteed execution point without requiring any extra steps from the victim. The payload was pulled from a remote IP address and saved as /tmp/transformers.pyz, placing it in the temporary directory on Linux systems, a location that is often overlooked during routine security checks.

What made the attack especially dangerous is that the malicious code also installed a persistent service called pgsql-monitor.service, alongside a file named pgmonitor.py, both designed to blend into a database monitoring context. These names are familiar to many developers, making them easy to miss during a manual review. The attackers clearly understood how real development environments look and used that knowledge to hide in plain sight.

Geo-Targeted Destruction Hidden Inside

Perhaps the most alarming part of this attack is what lies beneath the credential stealer. The package contained a geo-aware destructive branch, meaning the code checks the apparent location of the infected system before deciding what to do next.

If the system appeared to be located in Israel or Iran, the malicious code would trigger a command to permanently wipe the entire system, with a one-in-six chance of execution each time.

This destructive branch operates like a loaded weapon quietly left behind in a development environment, waiting for the right conditions. The code also deliberately avoided Russian-language systems, suggesting the attackers had a very clear target profile in mind. This level of intentional targeting points to a sophisticated threat actor driven by specific geopolitical goals rather than opportunistic motives.

Security teams are urged to take immediate action if they suspect any exposure. Affected Linux hosts should be isolated right away to prevent further damage or data loss.

Credentials that may have been accessible on compromised systems must be rotated as a priority, and teams should actively search for the known malicious files while blocking the attacker’s remote IP address at the network level.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 83[.]142[.]209[.]194 | Remote C2 server used to deliver the second-stage payload |
| URL | hxxps://83[.]142[.]209[.]194/transformers.pyz | Download URL for the malicious second-stage payload |
| File Path | /tmp/transformers.pyz | Location where the second-stage payload is dropped on Linux |
| File Name | pgmonitor[.]py | Malicious file installed to establish persistence |
| Service Name | pgsql-monitor.service | Malicious systemd service installed for persistence |
| File Path | mistralai/client/__init__.py | Compromised package file containing the injected malicious code |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
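A host triage check built from the indicators above, added here as an example (it is not code from Microsoft or from this site). It inspects the installed package through metadata and file reads only, because importing mistralai is what triggers the injected code. The search directories and the function names are assumptions, since the article gives file names but not full paths for the persistence artifacts.

```python
import os
import sys
from importlib import metadata
from pathlib import Path

BAD_VERSION = "2.4.6"
# Stored defanged; re-fanged only in memory for string matching.
IOC_IP = "83[.]142[.]209[.]194".replace("[.]", ".")
DROPPED = "tmp/transformers.pyz"
PERSIST_NAMES = {"pgsql-monitor.service", "pgmonitor.py"}
# Assumption: search locations; the article names the files but not their paths.
SEARCH_DIRS = ["etc/systemd", "usr/lib/systemd", "home", "root", "opt", "tmp", "var/tmp"]


def scan_host(root="/"):
    """Find the dropped payload and the persistence file names under root."""
    root, hits = Path(root), []
    if (root / DROPPED).exists():
        hits.append(f"payload: {root / DROPPED}")
    for d in SEARCH_DIRS:
        for dirpath, _dirs, files in os.walk(root / d):
            hits += [f"persistence: {Path(dirpath) / f}"
                     for f in files if f in PERSIST_NAMES]
    return sorted(hits)


def check_packages(site_dirs=None):
    """Inspect installed mistralai copies through metadata and file reads only.
    The package is never imported, since the injected code runs on import."""
    hits = []
    for dist in metadata.distributions(path=site_dirs or sys.path):
        if (dist.metadata.get("Name") or "").lower() != "mistralai":
            continue
        if dist.version == BAD_VERSION:
            hits.append(f"package: mistralai=={dist.version}")
        init = Path(dist.locate_file("mistralai/client/__init__.py"))
        # Heuristic: a literal match misses an obfuscated address.
        if init.is_file() and IOC_IP in init.read_text(errors="replace"):
            hits.append(f"injected: {init}")
    return hits


if __name__ == "__main__":
    findings = scan_host() + check_packages()
    print("\n".join(findings) or "none of the listed indicators found")
    sys.exit(1 if findings else 0)
```

Run it with each Python interpreter or virtual environment in use on the host, since `check_packages()` only sees the `sys.path` of the interpreter that executes it. A clean result does not clear a host that had 2.4.6 installed earlier, so credential rotation still applies.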
