{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mistralai-client-python/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["mistralai client-python"],"_cs_severities":["critical"],"_cs_tags":["supply-chain","malware","python"],"_cs_type":"advisory","_cs_vendors":["Mistral AI"],"content_html":"\u003cp\u003eThe \u003ccode\u003emistralai\u003c/code\u003e PyPI package version \u003ccode\u003e2.4.6\u003c/code\u003e contains a malicious dropper that executes upon import on Linux systems. This malicious version was uploaded without a corresponding tag, commit, or release workflow run in the legitimate repository, and it bypassed the normal release pipeline that uses PyPI Trusted Publishing. The legitimate latest version before the malicious upload was \u003ccode\u003e2.4.5\u003c/code\u003e. Upon import, the package attempts to download and execute a file from a remote server. The \u003ccode\u003emistralai\u003c/code\u003e PyPI project has been quarantined as a result. This incident highlights the risk of supply chain attacks targeting software dependencies and the importance of verifying package integrity. Defenders should monitor for unexpected network connections and file creations originating from Python interpreters.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious version 2.4.6 of the \u003ccode\u003emistralai\u003c/code\u003e package is uploaded to PyPI.\u003c/li\u003e\n\u003cli\u003eA user installs the malicious package using \u003ccode\u003epip install mistralai==2.4.6\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe user imports the \u003ccode\u003emistralai\u003c/code\u003e package in a Python script (e.g., \u003ccode\u003eimport mistralai\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_run_background_task\u003c/code\u003e function in \u003ccode\u003esrc/mistralai/client/__init__.py\u003c/code\u003e executes.\u003c/li\u003e\n\u003cli\u003eThe function checks if the operating system is Linux and if the \u003ccode\u003eMISTRAL_INIT\u003c/code\u003e environment variable is set. If not, it proceeds.\u003c/li\u003e\n\u003cli\u003eThe function attempts to download \u003ccode\u003ehttps://83.142.209.194/transformers.pyz\u003c/code\u003e to \u003ccode\u003e/tmp/transformers.pyz\u003c/code\u003e using \u003ccode\u003ecurl -k -L -s\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eIf the download is successful, the function executes \u003ccode\u003e/tmp/transformers.pyz\u003c/code\u003e using the current Python interpreter via \u003ccode\u003e_sub.Popen\u003c/code\u003e, discarding stdout and stderr.\u003c/li\u003e\n\u003cli\u003eThe second-stage payload in \u003ccode\u003etransformers.pyz\u003c/code\u003e executes, with the nature of its actions unknown, potentially leading to arbitrary code execution and system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of the dropper leads to the download and execution of an unknown second-stage payload on Linux systems. The impact is potentially severe, as the attacker could gain unauthorized access to the compromised system, exfiltrate sensitive data, install malware, or perform other malicious activities. Given the popularity of machine learning libraries, a successful attack could affect a wide range of users and organizations. Any Linux environment that imported \u003ccode\u003emistralai==2.4.6\u003c/code\u003e should be treated as potentially compromised.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately pin \u003ccode\u003emistralai\u003c/code\u003e to version \u003ccode\u003e2.4.5\u003c/code\u003e or earlier to prevent further installations of the malicious package.\u003c/li\u003e\n\u003cli\u003eRotate every credential reachable from any process that imported \u003ccode\u003emistralai==2.4.6\u003c/code\u003e as described in the advisory.\u003c/li\u003e\n\u003cli\u003eReview host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward, per the advisory.\u003c/li\u003e\n\u003cli\u003eMonitor for outbound HTTPS connections to \u003ccode\u003e83.142.209.194\u003c/code\u003e originating from \u003ccode\u003ecurl\u003c/code\u003e processes, as outlined in the IOCs.\u003c/li\u003e\n\u003cli\u003eImplement a detection rule to identify the execution of \u003ccode\u003e/tmp/transformers.pyz\u003c/code\u003e by a Python interpreter, based on the process execution information provided in the attack chain.\u003c/li\u003e\n\u003cli\u003eBlock the domain \u003ccode\u003e83.142.209.194\u003c/code\u003e at the firewall or DNS resolver based on the IOCs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T17:56:10Z","date_published":"2026-05-18T17:56:10Z","id":"https://feed.craftedsignal.io/briefs/2026-05-mistralai-dropper/","summary":"The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux, downloading and executing a second-stage payload from a remote IP address, potentially leading to arbitrary code execution.","title":"Malicious Dropper Found in mistralai PyPI Package 2.4.6","url":"https://feed.craftedsignal.io/briefs/2026-05-mistralai-dropper/"}],"language":"en","title":"CraftedSignal Threat Feed — Mistralai Client-Python","version":"https://jsonfeed.org/version/1.1"}