GHSA-jgg6-4rpr-wfh7: Mistral npm SDK: supply chain attack, no impact

GHSA-jgg6-4rpr-wfh7 LOW
Published May 18, 2026
CISO Take

Three Mistral TypeScript SDK npm packages were backdoored via an automated worm linked to the broader TanStack supply chain incident, with compromised versions live on npm for approximately 3 hours on May 11-12, 2026. The attack targeted developer device credentials to publish trojanized patch releases across all three packages (@mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp), which together have 716 downstream dependents. Actual impact was zero: the dropper fatally misreferenced its payload file (router_init.js vs tanstack_runner.js), causing execFileSync to throw ENOENT before any code ran. The narrow exposure window and broken dropper drastically reduce urgency, but teams should still audit lockfiles, CI build artifacts, container images, and package caches for any of the nine affected versions, rotate secrets in scope if found, and update to clean releases — the attack pattern itself signals an ongoing automated campaign targeting AI SDK maintainers.

Sources: GitHub Advisory ATLAS

What is the risk?

Actual exploitability is effectively zero due to the broken dropper — no payload executed in any confirmed environment. The CVSS score is rated low and the advisory is not in CISA KEV. However, the supply chain attack vector is inherently high-severity as a class: a working variant of this attack would have code executing in the npm install context with access to environment variables including API keys and cloud credentials. The 3-hour exposure window (May 11 22:45 UTC – May 12 01:53 UTC) significantly limits the number of affected installs. Organizations with automated dependency updates, Dependabot, or CI pipelines that ran npm install during the window face residual risk from tainted build artifacts or caches.

Attack Kill Chain

  1. Credential Compromise (AML.T0012): Automated worm compromises a Mistral maintainer's developer device or npm publishing token, obtaining valid credentials to publish to the official package scopes.
  2. Malicious Package Publish (AML.T0010.001): Worm publishes nine backdoored versions across three Mistral npm packages, embedding a dropper script in the postinstall hook (setup.mjs) with CWE-506 malicious code.
  3. Victim Installation (AML.T0011.001): CI/CD pipelines, automated dependency bots, or developers running npm install during the 3-hour window pull the compromised versions into build environments.
  4. Failed Payload Execution (AML.T0050): Dropper downloads Bun and attempts to execute tanstack_runner.js, but the embedded payload is named router_init.js; execFileSync throws ENOENT, tmpdir is wiped, and no code runs.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched | Dependents |
|---|---|---|---|---|
| @mistralai/mistralai | npm | = 2.2.2 | No patch | 716 |
| @mistralai/mistralai-azure | npm | = 1.7.1 | No patch | 716 |
| @mistralai/mistralai-gcp | npm | = 1.7.1 | No patch | 716 |

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV Network
AC Low
PR None
UI Required
S Unchanged
C None
I None
A None

What should I do?

  1. Check installed versions: run npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp and grep lockfiles with the pattern from the advisory for versions 2.2.2-2.2.4 and 1.7.1-1.7.3.

  2. Extend the search to Docker images, CI build artifacts, Verdaccio or Nexus mirrors, and package caches.

  3. Scan for known malicious file hashes: router_init.js (ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c) and tanstack_runner.js (2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96).

  4. If any affected version is found: stop using it immediately, run npm cache clean --force, and rotate all API keys and cloud credentials that were in the environment during the install.

  5. Upgrade to the latest clean releases of all three packages and re-run deployments from clean state.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: 8.4 - AI system supply chain
NIST AI RMF: GOVERN-1.7 - Processes for AI risk in third-party components
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is GHSA-jgg6-4rpr-wfh7 actively exploited?

No confirmed active exploitation of GHSA-jgg6-4rpr-wfh7 has been reported, but organizations should still patch proactively.

How to fix GHSA-jgg6-4rpr-wfh7?

1. Check installed versions: run `npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp` and grep lockfiles with the pattern from the advisory for versions 2.2.2-2.2.4 and 1.7.1-1.7.3.
2. Extend the search to Docker images, CI build artifacts, Verdaccio or Nexus mirrors, and package caches.
3. Scan for known malicious file hashes: `router_init.js` (ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c) and `tanstack_runner.js` (2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96).
4. If any affected version is found: stop using it immediately, run `npm cache clean --force`, and rotate all API keys and cloud credentials that were in the environment during the install.
5. Upgrade to the latest clean releases of all three packages and re-run deployments from clean state.

What systems are affected by GHSA-jgg6-4rpr-wfh7?

This vulnerability affects the following AI/ML architecture patterns: LLM API integrations, AI development pipelines, Agent frameworks, CI/CD build environments.

What is the CVSS score for GHSA-jgg6-4rpr-wfh7?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Mistral npm `@mistralai/mistralai`, `@mistralai/mistralai-azure`, `@mistralai/mistralai-gcp` were compromised by a supply chain attack related to the [TanStack security incident](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx). An automated worm associated with the attack led to **compromised npm package versions being published**. Current investigation indicates that an affected developer device was involved. We have no indication that Mistral infrastructure was compromised.

The compromised versions were removed from npm. They were available only between May 11 at 22:45 UTC and May 12 at 01:53 UTC. **Previous and later versions are not affected by this advisory**.

## Impact

The dropper **is broken**, it has no impact.

- `setup.mjs` references `tanstack_runner.js` but the payload file is named `router_init.js`
- `execFileSync` throws `ENOENT` and the tmpdir is wiped before payload runs.

Bun gets downloaded to a tmpdir but no payload execution.

We still recommend removing the packages, see below for remediation.

## Check whether you are affected

You are affected if one of the package versions above was installed in any environment **during the exposure window** or is present in a lockfile, build artifact, container image, package cache, or deployment image.

| Package | Affected versions |
|---|---|
| `@mistralai/mistralai` | `2.2.2`, `2.2.3`, `2.2.4` |
| `@mistralai/mistralai-azure` | `1.7.1`, `1.7.2`, `1.7.3` |
| `@mistralai/mistralai-gcp` | `1.7.1`, `1.7.2`, `1.7.3` |

Check installed versions:

```bash
npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp
grep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2\.2\.[2-4]|1\.7\.[1-3]' \
  package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
```

Look for any of the following files:

- `router_init.js` (embedded in all @tanstack packages): `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c`
- `tanstack_runner.js` (from git commit): `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96`
- `@tanstack/setup` package.json: `7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b`

You may also run this (read-only) [script](https://gist.github.com/beowolx2/a3ceeb18d1f1cec977d5cc6eaf41c96a) that will automatically flag known malicious files.

You are not affected by this advisory if you did not install the affected package versions and they are not present in your lockfiles, build caches, deployment artifacts, or package mirrors.

If the command finds an affected version, continue with the [remediation steps below](#remediate-affected-systems). If you use private package mirrors, caches, or container base images, check those copies too.

## Remediate affected systems

1. Stop using the affected package version immediately.
2. Clean systems where one of these packages has been installed.

Exploitation Scenario

An automated worm — first demonstrated in the TanStack supply chain campaign — compromises a Mistral SDK maintainer's device or npm publishing token. The worm publishes three backdoored patch versions across the TypeScript client packages. Any automated Dependabot update, Renovate PR, or manual `npm install` run during the 3-hour window pulls the compromised package. The `setup.mjs` postinstall hook downloads Bun to a tmpdir and attempts to execute `tanstack_runner.js` as payload, but the actual embedded file is named `router_init.js`, causing ENOENT. In a working variant of this campaign, the payload would execute with full access to the developer's environment variables — harvesting MISTRAL_API_KEY, cloud credentials, and any other secrets present in the CI context, enabling persistent API abuse or lateral movement into cloud infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N

Timeline

Published: May 18, 2026
Last Modified: May 18, 2026
First Seen: May 18, 2026
