Malicious PyPI Package Impersonates Mistral AI, Injects Malware
Key Takeaways
- A malicious version of the popular mistralai PyPI package (version 2.4.6) was discovered, injecting malware into developer environments.
- The attack is a supply chain compromise, where seemingly legitimate software delivers a multi-stage payload, including a credential stealer and a geo-targeted wiper.
- Systems in Israel and Iran faced a one-in-six chance of complete data destruction, while Russian-language systems were explicitly avoided.
- Microsoft Threat Intelligence identified the threat, urging immediate action for potentially affected Linux hosts.
A significant supply chain attack has compromised the mistralai PyPI package, a widely used library for developing applications leveraging large language models. Attackers injected malicious code into version 2.4.6 of the package, posing a severe risk to developers and organizations globally that installed or updated it. This compromise was designed to operate stealthily, extracting sensitive credentials and, in specific geographical regions, initiating destructive data wiping.
Stealthy Execution and Payload Delivery
The malicious code activates immediately upon a developer importing the compromised package, operating without any overt indicators of compromise. This initial injection facilitates a connection to a remote server, which then delivers a second-stage payload to the target system before the user can detect suspicious activity. This method epitomizes a supply chain attack, where trusted development tools become conduits for threat actors.
Microsoft Threat Intelligence analysts uncovered this compromise on May 12, 2026, providing a detailed analysis of the malicious behavior. Their investigation highlighted the attackers’ meticulous planning, which involved using familiar file names and infrastructure designed to blend seamlessly into typical developer environments, thereby evading detection.
The second-stage payload, downloaded from hxxps://83[.]142[.]209[.]194/transformers.pyz, was deliberately named transformers.pyz. This naming convention is a clear attempt to mimic the legitimate Hugging Face Transformers library, a cornerstone in the machine learning community. By leveraging this recognizable name, attackers significantly reduced the likelihood of the file being flagged as suspicious by developers or automated security systems.
Credential Theft and Persistence Mechanisms
Once deployed on a Linux machine, the downloaded payload serves as the primary vector for the attack. Its core function is to steal credentials, including usernames, passwords, API keys, and other sensitive login data present on the infected system. This harvested information is then exfiltrated to the attacker, potentially leading to broader breaches involving cloud accounts, internal networks, or confidential customer data.
The attackers directly modified the mistralai/client/__init__.py file within the package. This specific file is the first to execute when the library is imported, so the injected code runs without requiring additional user interaction. The payload was saved to /tmp/transformers.pyz; /tmp is a temporary directory on Linux systems that is often overlooked during standard security audits.
Adding to the sophistication, the malicious code also established persistence by installing a service named pgsql-monitor.service and an accompanying file, pgmonitor.py. These names are crafted to appear as routine database monitoring components, making them difficult to distinguish from legitimate system processes during manual inspection. This tactic demonstrates the attackers’ deep understanding of common development practices and their ability to “hide in plain sight.”
Geo-Targeted Destructive Capabilities
Beyond credential theft, the most alarming aspect of this attack is a geo-aware destructive module embedded within the package. This module performs a location check on the infected system. If the system’s apparent geographical location is detected in Israel or Iran, the malicious code initiates a command to permanently wipe the entire system. This destructive action had a one-in-six chance of execution with each trigger.
This destructive functionality indicates a highly targeted operation, suggesting geopolitical motivations rather than purely opportunistic financial gain. Furthermore, the code explicitly avoided systems with Russian language settings, reinforcing the notion of a specific target profile. This level of precision points to a sophisticated threat actor with clear objectives.
What You Should Do
Organizations and developers who may have been exposed to the compromised mistralai PyPI package (version 2.4.6) should take immediate action:
- Isolate Affected Hosts: Immediately isolate any Linux hosts suspected of being compromised to prevent further spread or data exfiltration.
- Rotate Credentials: Prioritize the rotation of all credentials (passwords, API keys, SSH keys, etc.) that were accessible from potentially compromised systems.
- Scan for IoCs: Actively scan systems for the following Indicators of Compromise (IoCs):
  - IP Address: 83[.]142[.]209[.]194 (Remote C2 server)
  - URL: hxxps://83[.]142[.]209[.]194/transformers.pyz (Malicious payload download)
  - File Path: /tmp/transformers.pyz (Second-stage payload location)
  - File Name: pgmonitor[.]py (Persistence file)
  - Service Name: pgsql-monitor.service (Persistence service)
  - File Path: mistralai/client/__init__.py (Compromised package file)
- Block Malicious IP: Implement network-level blocks for the attacker’s remote IP address (83[.]142[.]209[.]194) to prevent further communication.
- Review Supply Chain Security: Re-evaluate and strengthen software supply chain security practices, including rigorous vetting of third-party libraries and packages.
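One way to run the host-side part of the IoC scan above, as an added example that is not code from Microsoft or from the original article. The file, service and version indicators are the ones listed in the article; the walk logic, the skipped directories and the dist-info directory check (pip's standard record of an installed version) are assumptions of this sketch.

```python
import os
import sys

# Indicator values come from the article; the scan logic and the choice of
# "/" as the default root are assumptions of this added example.
PAYLOAD_RELPATH = os.path.join("tmp", "transformers.pyz")
PERSISTENCE_NAMES = {"pgsql-monitor.service", "pgmonitor.py"}
# pip records an installed wheel as <name>-<version>.dist-info in site-packages.
BAD_DIST_INFO = "mistralai-2.4.6.dist-info"
SKIP_TOP_LEVEL = {"proc", "sys", "dev"}  # pseudo-filesystems, nothing to find


def scan_host(root="/"):
    """Return a sorted list of (kind, path) findings under root."""
    findings = []
    payload = os.path.join(root, PAYLOAD_RELPATH)
    # lexists also reports a dangling symlink left at the payload path.
    if os.path.lexists(payload):
        findings.append(("payload", payload))
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in SKIP_TOP_LEVEL]
        for name in dirnames:
            # Catches every virtualenv and system site-packages, not only
            # the interpreter running this script.
            if name.lower() == BAD_DIST_INFO:
                findings.append(("package", os.path.join(dirpath, name)))
        for name in filenames:
            # Symlinked unit files (e.g. under *.target.wants) appear here too.
            if name in PERSISTENCE_NAMES:
                findings.append(("persistence", os.path.join(dirpath, name)))
    return sorted(findings)


if __name__ == "__main__":
    hits = scan_host(sys.argv[1] if len(sys.argv) > 1 else "/")
    for kind, path in hits:
        print(f"{kind}\t{path}")
    sys.exit(1 if hits else 0)
```

Run it as root so unreadable directories are not silently skipped, and treat any finding as grounds for the isolation and credential rotation steps above; a clean result does not rule out exposure if the package was installed and later removed.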