Malicious Dropper Found in mistralai PyPI Package 2.4.6

The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes upon import on Linux systems. This malicious version was uploaded without a corresponding tag, commit, or release workflow run in the legitimate repository, and it bypassed the normal release pipeline that uses PyPI Trusted Publishing. The legitimate latest version before the malicious upload was 2.4.5. Upon import, the package attempts to download and execute a file from a remote server. The mistralai PyPI project has been quarantined as a result. This incident highlights the risk of supply chain attacks targeting software dependencies and the importance of verifying package integrity. Defenders should monitor for unexpected network connections and file creations originating from Python interpreters.

Attack Chain

1. A malicious version 2.4.6 of the mistralai package is uploaded to PyPI.
2. A user installs the malicious package using pip install mistralai==2.4.6.
3. The user imports the mistralai package in a Python script (e.g., import mistralai).
4. The _run_background_task function in src/mistralai/client/__init__.py executes.
5. The function checks if the operating system is Linux and if the MISTRAL_INIT environment variable is set. If not, it proceeds.
6. The function attempts to download https://83.142.209.194/transformers.pyz to /tmp/transformers.pyz using curl -k -L -s.
7. If the download is successful, the function executes /tmp/transformers.pyz using the current Python interpreter via _sub.Popen, discarding stdout and stderr.
8. The second-stage payload in transformers.pyz executes, with the nature of its actions unknown, potentially leading to arbitrary code execution and system compromise.

Impact

Successful execution of the dropper leads to the download and execution of an unknown second-stage payload on Linux systems. The impact is potentially severe, as the attacker could gain unauthorized access to the compromised system, exfiltrate sensitive data, install malware, or perform other malicious activities. Given the popularity of machine learning libraries, a successful attack could affect a wide range of users and organizations. Any Linux environment that imported mistralai==2.4.6 should be treated as potentially compromised.

Recommendation

• Immediately pin mistralai to version 2.4.5 or earlier to prevent further installations of the malicious package.
• Rotate every credential reachable from any process that imported mistralai==2.4.6 as described in the advisory.
• Review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward, per the advisory.
• Monitor for outbound HTTPS connections to 83.142.209.194 originating from curl processes, as outlined in the IOCs.
• Implement a detection rule to identify the execution of /tmp/transformers.pyz by a Python interpreter, based on the process execution information provided in the attack chain.
• Block the domain 83.142.209.194 at the firewall or DNS resolver based on the IOCs.