If you build AI workflows with Mistral's Python SDK, version 2.4.6 of the mistralai package was backdoored on May 11-12, 2026 as part of the "Mini Shai-Hulud" supply chain campaign. PyPI has since quarantined the project. Here is what happened and what you need to check.

What Happened

Security researchers discovered that mistralai==2.4.6 was published to PyPI with malicious code injected into the package's __init__.py file. The compromised version was reported on May 12, 2026 at 00:21 UTC via Mistral's own GitHub issue tracker. PyPI responded by quarantining the entire mistralai project, blocking all new installs until remediation is complete.

The attack is part of a broader campaign called Mini Shai-Hulud that compromised 373 malicious package versions across 169 npm and PyPI packages. Other affected packages include TanStack and Mistral's Azure and GCP integrations.

Why It Matters

This attack is particularly dangerous because the malicious code runs on import, not installation. Standard sandboxed pip environments will not flag it during the install step. Any developer who ran import mistralai while version 2.4.6 was active on a Linux system may have their credentials exposed.

The backdoor downloads a secondary payload from attacker-controlled infrastructure and executes it as a background process. If your AI workflow runs in a Linux-based CI pipeline or cloud function that had this version installed, treat that environment as compromised.

Key Details

  • Affected Python package: mistralai==2.4.6 on PyPI
  • Also affected (npm): @mistralai/mistralai versions 2.2.2-2.2.4, plus GCP and Azure variants
  • Last known safe version: mistralai==2.4.5 (published May 7)
  • Only Linux systems were targeted by the payload
  • PyPI quarantined the project; new installs are blocked until Mistral remediates
  • Payload file to check for: /tmp/transformers.pyz

The SafeDep analysis notes the compromised version appeared legitimate in provenance records. Standard lockfile audits may not flag it retroactively unless you check for the specific version string.

What to Do Next

If you use Mistral in your AI pipelines, take these steps:

  1. Search your requirements.txt, pyproject.toml, and lockfiles for mistralai==2.4.6
  2. Check Linux environments for /tmp/transformers.pyz
  3. If the compromised version ran on any environment, rotate all credentials: API keys, CI/CD tokens, cloud credentials, and any secrets present at import time
  4. Pin to mistralai==2.4.5 or wait for Mistral to publish a clean 2.4.7+
  5. Audit recent GitHub Actions runs and publishing activity on any affected system

Check Mistral's website for updates on when the quarantine is lifted and a clean version is available.

Creator Workflow Impact

Most creators using Mistral through no-code interfaces, API playgrounds, or hosted tools are not affected. This primarily impacts developers who have mistralai as a dependency in Python projects: LLM orchestration scripts, agent frameworks, custom API wrappers, or any pipeline that uses Mistral models via Python code.

Mistral has been expanding quickly as an alternative API for creative AI workflows. If you are building on top of their platform, keep an eye on the status as the PyPI quarantine is resolved. Our earlier coverage of Mistral Workflows and Mistral Medium 3.5 covers the product side of what was affected.