GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI package
The mistralai PyPI package version 2.4.6 contains a malicious dropper that executes on import on Linux. No v2.4.6 tag, commit, or release workflow run exists in this repository. The latest legitimate version before the upload was 2.4.5, and the upload bypassed this repository’s normal release pipeline (which uses PyPI Trusted Publishing).
The mistralai PyPI project is currently quarantined.
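Because the dropper runs on import, checking an environment with `import mistralai` would itself trigger it. The following is an added example, not code from the advisory or the mistralai project: it reads the installed version from distribution metadata without importing the package, and flags pins of 2.4.6 in requirements-style and poetry/uv-style lock text. The function names and the sample input are assumptions made for illustration.

```python
import re
from importlib import metadata

PACKAGE = "mistralai"
BAD_VERSION = "2.4.6"  # the release named in the advisory

# requirements.txt / constraints style: mistralai[extras]==2.4.6 ; markers
_PIN = re.compile(r"^\s*mistralai\s*(?:\[[^\]]*\])?\s*===?\s*([^\s;#\\]+)", re.I)
# poetry.lock / uv.lock style: name = "mistralai" followed by version = "2.4.6"
_LOCK_NAME = re.compile(r'^\s*name\s*=\s*"([^"]+)"')
_LOCK_VERSION = re.compile(r'^\s*version\s*=\s*"([^"]+)"')


def installed_version(name=PACKAGE):
    """Return the installed version, or None if the distribution is absent.

    importlib.metadata reads the dist-info METADATA file and does not import
    the package, so the import-time payload is not triggered by this check.
    """
    try:
        return metadata.version(name)
    except metadata.PackageNotFoundError:
        return None


def pinned_bad_lines(text):
    """Return (line_number, stripped_line) for each pin of the bad release."""
    hits, in_package = [], False
    for number, line in enumerate(text.splitlines(), 1):
        pin, name, version = _PIN.match(line), _LOCK_NAME.match(line), _LOCK_VERSION.match(line)
        if pin and pin.group(1) == BAD_VERSION:
            hits.append((number, line.strip()))
        elif name:
            # Remember whether the following version line belongs to mistralai.
            in_package = name.group(1).lower() == PACKAGE
        elif version:
            if in_package and version.group(1) == BAD_VERSION:
                hits.append((number, line.strip()))
            in_package = False
    return hits


if __name__ == "__main__":
    # Constructed sample input, not taken from any real project.
    sample = 'requests==2.32.3\nmistralai==2.4.6 ; sys_platform == "linux"\n'
    print("installed:", installed_version())
    print("bad pins:", pinned_bad_lines(sample))
```

Run it with the interpreter of the environment being checked, since `installed_version()` only sees distributions on that interpreter's path.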
References
- github.com/advisories/GHSA-wx9m-wx4f-4cmg
- github.com/mistralai/client-python/issues/523
- github.com/mistralai/client-python/security/advisories/GHSA-wx9m-wx4f-4cmg
- safedep.io/mass-npm-supply-chain-attack-tanstack-mistral
- socket.dev/blog/tanstack-npm-packages-compromised-mini-shai-hulud-supply-chain-attack
- www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystem