Cyber Incident Victim: MistralAI
Date:
May 2026
Location:
France
Summary
The Mini Shai‑Hulud supply‑chain attack injected credential‑stealing code into hundreds of open‑source packages, including the MistralAI library, TanStack’s React Router and UiPath components, by exploiting an orphaned commit that abused overly permissive GitHub Actions workflows to publish malicious updates with valid provenance signatures. The malware, delivered as a concealed dependency that fetched a 2.3‑megabyte obfuscated payload executed via the Bun JavaScript engine, harvested cloud and developer credentials from AWS, GCP, Kubernetes, HashiCorp Vault, SSH keys and configuration files, then exfiltrated the data through the Session messaging app while persisting in developer tooling directories such as .vscode/ and .claude/. Researchers linked the campaign to the cloud‑focused group TeamPCP, noting limited community spread but significant exposure for enterprises that rely on the compromised packages in their build pipelines.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Mini Shai‑Hulud malware campaign was identified in May 2026 after security researchers observed malicious code injected into hundreds of open‑source packages across major registries. The attack specifically targeted prominent libraries such as TanStack’s React Router, UiPath, and MistralAI, with the React Router package alone recording more than twelve million weekly downloads. Threat actors used an orphaned commit pushed to a repository fork without a corresponding branch to trigger the automated release process, exploiting overly broad permissions in GitHub Actions workflows. A concealed dependency fetched a heavily obfuscated 2.3‑megabyte payload disguised as an initialization module, which upon execution employed the Bun JavaScript runtime to harvest security keys, passwords, AWS and Google Cloud credentials, Kubernetes configurations, HashiCorp Vault secrets, and local SSH keys. The malware behaved as a self‑propagating worm, publishing copies of itself to compromised projects while masquerading as automated commits from the Anthropic Claude bot, and it generated a new registry token containing a ransom note that threatened a destructive computer wipe if victims attempted to revoke the compromised access. Persistence was achieved by embedding the malicious scripts into the configuration files of widely used developer tools, notably Visual Studio Code and Anthropic’s Claude Code, ensuring execution whenever a project was opened or an AI coding session started. Stolen data was exfiltrated through the Session anonymous messaging service, which blended the traffic with ordinary encrypted chat flows to avoid detection.

Analysis attributed the campaign to TeamPCP, a cloud‑focused cybercriminal group that emerged in late 2025 and specializes in automating supply‑chain attacks against Docker and Kubernetes environments. Researchers noted that the group is known for disguising exfiltrated data as anonymous messaging traffic and for employing aggressive extortion tactics, including threats to erase victims’ computers if they attempt to remove the attackers’ access. Despite the malware’s capabilities, security observers reported very limited community spread, with Charlie Eriksen of Aikido Security stating that only a small number of installations were seen. In response, the maintainers of the affected packages pulled all compromised versions from the respective registries, and security teams confirmed that the malicious updates had been removed from distribution channels. No evidence was found that registry passwords themselves had been stolen during the incident. The attack highlighted a gap in existing defenses, which verify the provenance of updates but do not validate the safety of the code they contain.
Because the compromised libraries are maintained by volunteer contributors yet are integrated into the build pipelines of numerous enterprises, the incident was described as an all‑of‑society problem rather than a volunteer‑versus‑corporate issue. Security commentators observed that the campaign underscored a broader reckoning over how the software industry consumes open‑source components, noting that the line between a developer tool and critical infrastructure has become increasingly thin. When trusted tools used inside build systems are subverted, attackers can leverage the inherent trust of those tools to reach thousands of organizations without needing to breach each target directly. The Mini Shai‑Hulud episode thus illustrated how manipulation of trusted continuous integration pipelines can enable large‑scale credential theft and persistence across developer environments.
