Mistral AI Supply Chain Attack Hits 170 Packages, Threatens Crypto Developer Wallets
On May 11, 2026, attackers pushed more than 170 poisoned npm and PyPI packages with valid SLSA Build Level 3 provenance. Not broken-looking packages. Trusted-looking ones. The targets were developer credentials, crypto wallets, and exchange API keys. Microsoft Threat Intelligence calls this the first documented case where malicious packages shipped with valid SLSA Build Level 3 attestations, the same cryptographic trust signal the Web3 and AI build pipeline leans on. My take: for crypto teams, this is not a dependency hygiene story. It is a wallet-risk story. The stealer hunts 1Password and Bitwarden vaults, AWS and GCP keys, GitHub tokens, exchange API credentials. Exactly the loot that turned the January 2026 Trust Wallet incident into $8.5 million in user losses.

Microsoft Threat Intelligence flagged mistralai PyPI version 2.4.6 after finding malicious code in mistralai/client/__init__.py that fires on import. Per Microsoft’s May 12 advisory, the payload pulls a second stage from 83.142.209.194 to /tmp/transformers.pyz on Linux. That filename matters. It impersonates Hugging Face’s Transformers framework, so a sysadmin scanning /tmp sees something boring and moves on. SafeDep counted more than 170 compromised packages and 404 malicious versions pushed between May 11 and 12. CVE-2026-45321 carries a CVSS score of 9.6. Cumulative weekly downloads across the affected packages add up to over 518 million; @tanstack/react-router alone pulls 12.7 million a week. Is that download number the same as active compromise? No. But it tells you how wide the blast door was left open.
Microsoft is investigating mistralai PyPI package v2.4.6 compromise. Attackers injected code in mistralai/client/__init__.py that executes on import, downloads hxxps://83[.]142[.]209[.]194/transformers.pyz to /tmp/transformers.pyz, and launches a second-stage payload on Linux. — Microsoft Threat Intelligence (@MsftSecIntel) May 12, 2026
Mistral’s May 12 advisory says the core infrastructure was clean. The breach traces back to a compromised developer device tied to the broader TanStack campaign that researchers are now calling Mini Shai-Hulud. The mistralai==2.4.6 release went live shortly after midnight UTC before PyPI quarantined it. The compromised npm packages, @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp, sat in the registry for several hours. I’ll be blunt: “core infrastructure was clean” is useful, but it does not make downstream builds clean.
Why the SLSA bypass changes the threat model
SLSA (Supply-chain Levels for Software Artifacts) provenance is a Sigstore-signed attestation that is supposed to prove a package came from a trusted source. Most guides say provenance answers the trust question. That’s only half right. It answers where the artifact came from; it does not prove the build path was sane. According to Snyk, the TanStack attack is the first documented case of malicious npm packages shipping with valid SLSA attestations. The group the attack is attributed to, TeamPCP, chained three weaknesses:
- A pull_request_target workflow misconfiguration
- GitHub Actions cache poisoning
- Runtime memory extraction of an OIDC token from the GitHub Actions runner process
The malicious commit was authored under a fabricated identity impersonating the Anthropic Claude GitHub App, prefixed with [skip ci] to suppress automated checks. Cute touch. Honestly, it’s the kind of detail that tells you the operator has done this before.
Translation for crypto teams: every wallet SDK, bridge frontend, and DeFi dashboard that trusts npm audit signatures or relies on attestation-gated CI just lost a layer of defense. The signature was valid. The package was poisoned anyway. Why does this matter? Because automated trust checks are now part of the attack surface, not just the defense stack.
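To make the “where, not whether” distinction concrete, here is an added example, not code from the article or from Mistral, TanStack, npm or Sigstore, of the kind of release policy a consumer can evaluate on top of a signature check. It assumes the Sigstore signature and builder identity have already been verified (for npm packages, `npm audit signatures` does that) and that the statement uses the SLSA v1 layout that GitHub-Actions-built npm provenance carries; the policy values, repository name and both sample statements are constructed, and a real attestation from this campaign may look different.

```python
"""Release policy over a SLSA provenance statement: checks that sit on top of
signature verification. Added example, not code from the article, Mistral,
TanStack, npm or Sigstore. Assumes the Sigstore signature and builder identity
were verified already (`npm audit signatures` for npm packages) and that the
statement follows the SLSA v1 layout GitHub-Actions-built npm provenance uses;
policy values and both sample statements are constructed."""
import copy
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleasePolicy:
    repository: str                  # the only source repo a release may come from
    workflow_path: str               # the only workflow allowed to publish
    allowed_builders: frozenset      # builder ids we accept
    release_refs: tuple              # exact refs, or prefixes ending in "/"
    allowed_events: frozenset        # GitHub events allowed to trigger a publish


def _ref_allowed(ref: str, release_refs: tuple) -> bool:
    return any(ref == r or (r.endswith("/") and ref.startswith(r)) for r in release_refs)


def evaluate(statement: dict, policy: ReleasePolicy) -> list:
    """Return the list of policy violations; an empty list means accept."""
    findings = []
    pred = statement.get("predicate", {})
    build = pred.get("buildDefinition", {})
    workflow = build.get("externalParameters", {}).get("workflow", {})
    github = build.get("internalParameters", {}).get("github", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")

    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    if builder not in policy.allowed_builders:
        findings.append(f"builder {builder!r} is not on the allow-list")
    if workflow.get("repository") != policy.repository:
        findings.append(f"built from {workflow.get('repository')!r}, expected {policy.repository!r}")
    if workflow.get("path") != policy.workflow_path:
        findings.append(f"built by workflow {workflow.get('path')!r}, expected {policy.workflow_path!r}")
    ref = workflow.get("ref", "")
    if not _ref_allowed(ref, policy.release_refs):
        findings.append(f"built from ref {ref!r}, which is not a release ref")
    event = github.get("event_name", "")
    if event not in policy.allowed_events:
        findings.append(f"triggered by {event!r}; that event may not publish")
    return findings


POLICY = ReleasePolicy(
    repository="https://github.com/example-org/sdk",        # constructed
    workflow_path=".github/workflows/publish.yml",
    allowed_builders=frozenset({"https://github.com/actions/runner/github-hosted"}),
    release_refs=("refs/heads/main", "refs/tags/"),
    allowed_events=frozenset({"push", "release", "workflow_dispatch"}),
)

# Constructed: a release built from a tag push by the expected workflow.
GOOD = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/%40example-org/sdk@2.4.5",
                 "digest": {"sha512": "<digest placeholder>"}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v2.4.5",
                "repository": "https://github.com/example-org/sdk",
                "path": ".github/workflows/publish.yml"}},
            "internalParameters": {"github": {"event_name": "push"}},
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def with_trigger(statement: dict, ref: str, event_name: str) -> dict:
    """Copy of a statement with a different build ref and trigger event."""
    s = copy.deepcopy(statement)
    s["predicate"]["buildDefinition"]["externalParameters"]["workflow"]["ref"] = ref
    s["predicate"]["buildDefinition"]["internalParameters"]["github"]["event_name"] = event_name
    return s


# Constructed: same builder, same repo, same workflow, but the run was a
# pull_request_target job on a PR merge ref. The signature would verify;
# the policy refuses it on two counts.
SUSPECT = with_trigger(GOOD, "refs/pull/4242/merge", "pull_request_target")

if __name__ == "__main__":
    for label, stmt in (("good", GOOD), ("suspect", SUSPECT)):
        print(label, evaluate(stmt, POLICY) or "accept")
```

The point is not that this policy would have stopped TeamPCP’s specific chain. An attacker holding a runner’s OIDC token can mint a Sigstore certificate bound to that run’s identity, so the claims worth trusting are the ones the certificate carries from the token (repository, workflow, ref, trigger), and the same checks belong on those certificate extensions, not only on the predicate body. The point is that trigger event, source ref and workflow path are claims a consumer can refuse, and a publish attested to a pull_request_target run should never be accepted on the strength of a valid signature alone.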
What gets stolen, and why exchange API keys are the prize

The malware is built to steal credentials across developer environments. Exchange API keys are the highest-value asset in that haul because a leaked withdrawal-enabled key drains a hot account in minutes, not hours. According to Wiz researchers, the new payload’s full target list includes:
- 1Password vaults
- Bitwarden vaults
- SSH keys
- AWS and GCP credentials
- Kubernetes service accounts
- GitHub tokens
- npm publishing credentials
That last category is the worm’s fuel. Stolen npm tokens get used to publish the next wave under legitimate maintainer identities. Exchange API keys live inside the same password vaults the malware now reads. Once a withdrawal-enabled key leaks, the window is measured in minutes.
Exfiltration runs through three redundant channels: a typosquat domain at git-tanstack.com, the decentralized Session messenger network, and Dune-themed GitHub repositories spun up with stolen tokens. The malware exits cleanly when it detects Russian language settings. On machines geolocated to Israel or Iran, it rolls a one-in-six chance of a recursive wipe (rm -rf /). Counter to the usual advice, I would not treat that geofence as noise. My read on that pattern: this is targeting choice, not opportunism, and it raises the bar for who’s behind TeamPCP.
The crypto angle: a developer-side drainer, not a smart-contract one
This campaign is a developer-side credential drainer. It steals secrets from build machines instead of exploiting smart contracts or phishing end users, which sidesteps the two defenses crypto security currently leans on most. Crypto’s risk model still over-indexes on contract audits and frontend phishing. Per security researchers tracking the lineage, the Shai-Hulud family has been evolving across waves since September 2025, and the January 2026 Trust Wallet incident, $8.5 million siphoned through developer-side credential theft, is the proof case. If a protocol team pulled @mistralai/mistralai for an LLM-driven analytics layer, or @tanstack/react-router for a DEX frontend, the practical assumption is ugly: every secret on the build machine is hostile.
Expect the cleanup tax to land on COIN, the listed exchange operators with the deepest npm dependencies in customer dashboards, and on any wallet vendor whose mobile build pipeline touched the affected versions in the May 11 to 12 window. ETH-native protocols carry the heaviest exposure here, given how much TypeScript and Node tooling sits across the L2 stack. Yes, this sounds broader than a “Mistral package” issue. It is.
What this means

The signal is structural, not tactical. Attestation-based supply chain defense, the model that powers npm provenance badges, the Sigstore ecosystem, and most of the SBOM tooling enterprises bought in 2024 and 2025, has been bypassed in production, and it is demonstrably insufficient against a determined actor with GitHub Actions access. Wallet teams, DEX frontends, and exchange backends that ran npm install or pip install on May 11 or 12 without lockfile pinning are presumed compromised until rotation proves otherwise.
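An exposure check is the first thing a team in that position needs, so here is an added example, not code from the article or from any project or vendor it names, that walks a package-lock.json and a pip requirements or freeze listing for the package names the article gives. The article names only one malicious version (mistralai 2.4.6 on PyPI), so the npm version sets are placeholders to fill from the advisories; the lockfile and requirements in the block are constructed.

```python
"""Exposure check over an npm package-lock.json and a pip requirements or
freeze listing for the packages named in this article. Added example, not
code from the article or from any project or vendor it names. KNOWN_BAD is a
placeholder list to complete from the advisories: the article gives only
mistralai 2.4.6 (PyPI), so the npm entries carry no versions yet. The
lockfile and requirements below are constructed."""
import json
import re
import sys

# package -> versions the advisories call malicious (placeholder; fill in)
KNOWN_BAD = {
    "mistralai": {"2.4.6"},               # from the article
    "@mistralai/mistralai": set(),        # FILL FROM ADVISORY
    "@mistralai/mistralai-azure": set(),  # FILL FROM ADVISORY
    "@mistralai/mistralai-gcp": set(),    # FILL FROM ADVISORY
    "@tanstack/react-router": set(),      # FILL FROM ADVISORY
}


def npm_packages(lock: dict):
    """Yield (name, version) for every installed package in a lockfile.
    lockfileVersion 2/3 keeps a flat 'packages' map keyed by install path;
    v1 nests 'dependencies' recursively, so handle both."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # "" is the root project itself
                yield path.split("node_modules/")[-1], meta.get("version")
        return

    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*([^\s;#]+))?")


def pip_packages(text: str):
    """Yield (normalized name, version or None) from requirements/freeze text.
    None means the line does not pin an exact version."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _REQ.match(line)
        if m:
            yield m.group(1).lower().replace("_", "-"), m.group(2)


def check(packages) -> list:
    """Return (name, version, status) for affected packages found.
    status: 'malicious' (version on the list), 'unpinned' (no exact pin, so
    install-time resolution decided), or 'verify' (check the advisory)."""
    findings = []
    for name, version in packages:
        if name not in KNOWN_BAD:
            continue
        if version is None:
            status = "unpinned"
        elif version in KNOWN_BAD[name]:
            status = "malicious"
        else:
            status = "verify"
        findings.append((name, version, status))
    return findings


# Constructed inputs: a DEX frontend lockfile and an analytics requirements file.
SAMPLE_LOCK = {"name": "dex-frontend", "lockfileVersion": 3, "packages": {
    "": {"name": "dex-frontend", "version": "0.1.0"},
    "node_modules/@tanstack/react-router": {"version": "1.120.3"},
    "node_modules/@mistralai/mistralai": {"version": "1.7.0"},
    "node_modules/left-pad": {"version": "1.3.0"},
}}
SAMPLE_REQS = "mistralai==2.4.6\nrequests>=2.31\nnumpy==1.26.4\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python exposure.py package-lock.json requirements.txt
        with open(sys.argv[1]) as f:
            lock = json.load(f)
        with open(sys.argv[2]) as f:
            reqs = f.read()
    else:
        lock, reqs = SAMPLE_LOCK, SAMPLE_REQS
    for hit in check(npm_packages(lock)) + check(pip_packages(reqs)):
        print("%-28s %-10s %s" % hit)
```

A “verify” result is not an all-clear; it means the package is on the affected list and the installed version has to be checked against the advisory. “unpinned” is the case the article is warning about: with no exact pin, whatever the registry served on May 11 or 12 decided the outcome, and only the install host can tell you which version that was.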
Watch these signals this week. Not ten. Three.
- Exchange withdrawal anomalies. Whether any centralized exchange reports anomalous API-key withdrawal patterns dated after May 11. That’s the lagging signal that this campaign monetized.
- GitHub’s hardening response. GitHub’s response on pull_request_target hardening and OIDC token lifetime, which determines whether the same chain works in June.
- Persistence hook cleanup. Inspect .claude/ and .vscode/ directories on every dev machine that touched the affected packages. That’s where the persistence hooks live, per the advisory.
Rotate cloud credentials, GitHub tokens, SSH keys, and exchange API keys before you push anything else. Skip this step, and the rest is theater.
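For the third signal and for the indicators quoted earlier (83.142.209.194, git-tanstack.com, /tmp/transformers.pyz), here is an added triage script, not code from the article or from Microsoft, SafeDep, Wiz or Mistral. The indicators are the article’s; the log lines and config files in the block are constructed; and the assumption that persistence hooks would appear as Claude Code hooks in .claude/settings.json or as VS Code tasks with runOn set to folderOpen in .vscode/tasks.json is mine, since the article only names the directories.

```python
"""Triage for the indicators quoted in this article and for auto-run hooks in
the .claude/ and .vscode/ directories it says to inspect. Added example, not
code from the article or from Microsoft, SafeDep, Wiz or Mistral. The
indicators are the article's; the log lines and config files below are
constructed; which keys count as a persistence hook (Claude Code "hooks" in
.claude/settings*.json, VS Code tasks with runOn "folderOpen" in
.vscode/tasks.json) is an assumption, since the article only names the
directories."""
import json
from pathlib import Path

NETWORK_IOCS = ("83.142.209.194", "git-tanstack.com")   # from the article
FILE_IOCS = ("/tmp/transformers.pyz",)                 # from the article
HOOK_FILES = (".claude/settings.json", ".claude/settings.local.json", ".vscode/tasks.json")


def scan_logs(lines) -> list:
    """Return (line_no, indicator, line) for each log line that mentions an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ioc in NETWORK_IOCS + FILE_IOCS:
            if ioc in line:
                hits.append((n, ioc, line.strip()))
    return hits


def _commands(obj):
    """Yield every string stored under a "command" key, at any nesting depth."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from _commands(item)


def scan_hooks(files: dict) -> list:
    """files maps a relative path to its text. Return (path, trigger, command)
    for every command that runs without the developer invoking it; nothing
    here decides malice, it surfaces what to review."""
    findings = []
    for path, text in files.items():
        parts = Path(path).parts
        try:
            data = json.loads(text)
        except json.JSONDecodeError:
            findings.append((path, "unparseable", ""))
            continue
        if ".claude" in parts and Path(path).name.startswith("settings"):
            for event, entries in (data.get("hooks") or {}).items():
                for cmd in _commands(entries):
                    findings.append((path, event, cmd))
        elif ".vscode" in parts and Path(path).name == "tasks.json":
            for task in data.get("tasks", []):
                if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
                    findings.append((path, "folderOpen:" + str(task.get("label", "?")),
                                     str(task.get("command", ""))))
    return findings


def collect(root) -> dict:
    """Read the hook files that exist under a real checkout or home directory."""
    root = Path(root)
    return {rel: (root / rel).read_text(errors="replace")
            for rel in HOOK_FILES if (root / rel).is_file()}


# Constructed sample logs from a build host (DNS, proxy and auditd style lines).
SAMPLE_LOGS = [
    "May 12 00:41:07 build-01 dnsmasq[812]: query[A] registry.npmjs.org from 10.0.4.21",
    "May 12 00:41:09 build-01 dnsmasq[812]: query[A] git-tanstack.com from 10.0.4.21",
    "May 12 00:41:10 build-01 squid[914]: 10.0.4.21 TCP_TUNNEL/200 CONNECT 83.142.209.194:443",
    "May 12 00:41:11 build-01 auditd: type=EXECVE a0=python3 a1=/tmp/transformers.pyz",
]

# Constructed sample config files: one Claude Code hook and two VS Code tasks,
# only one of which runs on folder open.
SAMPLE_FILES = {
    ".claude/settings.json": json.dumps({"hooks": {"SessionStart": [
        {"hooks": [{"type": "command", "command": "node /tmp/.cache/bootstrap.js"}]}]}}),
    ".vscode/tasks.json": json.dumps({"version": "2.0.0", "tasks": [
        {"label": "lint", "type": "shell", "command": "npm run lint"},
        {"label": "warm cache", "type": "shell", "command": "node .cache/warm.js",
         "runOptions": {"runOn": "folderOpen"}}]}),
}

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("log  line %d  %-22s %s" % hit)
    for hit in scan_hooks(SAMPLE_FILES):
        print("hook %-24s %-22s %s" % hit)
```

Run it over real hosts by feeding scan_logs your DNS, proxy and auditd exports for May 11 to 12 and passing collect(path) for each repository checkout and home directory. Every hook it lists is a command that runs on session or folder open; the legitimate ones are easy to recognise, and the ones nobody on the team can explain are where to start.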
Frequently Asked Questions
What is the Mistral AI supply chain attack?
It is a May 11, 2026 compromise in which malicious code was published to the official mistralai PyPI package (version 2.4.6) and three @mistralai npm packages. According to Microsoft Threat Intelligence, the payload executes on import and downloads a second-stage stealer from 83.142.209.194.
How many packages were affected?
SafeDep documented more than 170 compromised packages and 404 malicious versions pushed between May 11 and 12, 2026. Cumulative weekly downloads across the affected packages exceed 518 million.
What is CVE-2026-45321?
CVE-2026-45321 is the identifier assigned to the Mistral AI and TanStack supply chain compromise. It carries a CVSS score of 9.6 (Critical).
Why is the SLSA bypass significant?
According to Snyk, this is the first documented case of malicious npm packages shipping with valid SLSA Build Level 3 provenance. It shows that attestation-based supply chain defense can be bypassed by attackers with GitHub Actions access. The uncomfortable bit: the trust signal worked as designed, and still failed the user.
What credentials does the malware steal?
According to Wiz researchers, the stealer targets 1Password and Bitwarden vaults, SSH keys, AWS and GCP credentials, Kubernetes service accounts, GitHub tokens, and npm publishing credentials. Exchange API keys inside those vaults are the highest-value target for crypto teams.
Who is behind the attack?
The campaign is attributed to a group calling itself TeamPCP. Researchers have linked it to the broader Shai-Hulud lineage active since September 2025, with this wave nicknamed Mini Shai-Hulud.
What should developers do right now?
Rotate all cloud credentials, GitHub tokens, SSH keys, and exchange API keys touched by build machines between May 11 and May 12, 2026. Inspect .claude/ and .vscode/ directories for persistence hooks and pin lockfiles before reinstalling dependencies. Is that overkill for a small repo? No, not if that repo ever held production secrets.
How does the attack impact crypto users?
It is a developer-side drainer that targets build environments rather than smart contracts or end-user phishing. The January 2026 Trust Wallet incident, $8.5 million in user losses from the same lineage, is the documented proof case for downstream financial impact.
