Listen to this Post
The attack leverages a compromised developer device to publish malicious npm package versions of @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. An automated worm, associated with the TanStack security incident, injected malicious code into the packages. The affected versions (2.2.2-2.2.4 for mistralai, 1.7.1-1.7.3 for the azure and gcp variants) were available only between May 11 22:45 UTC and May 12 01:53 UTC. Upon installation, a dropper script setup.mjs references tanstack_runner.js, which attempts to execute a payload file named router_init.js. The dropper is broken: execFileSync throws ENOENT because the expected payload file is missing. Additionally, the temporary directory is wiped before the payload can run. Bun runtime is downloaded to a tmpdir, but no payload execution occurs due to these failures. The malicious files include router_init.js (hash ab4fcada…), tanstack_runner.js (hash 2ec78d55…), and @tanstack/setup package.json (hash 7c12d861…). Although the attack chain is non-functional, the presence of these artifacts indicates compromise. The compromised versions were removed from npm, and Mistral infrastructure was not breached. Systems that installed any affected version during the exposure window must be cleaned.
dailycve form:
Platform: Mistral npm packages
Version: 2.2.2-2.2.4,1.7.1-1.7.3
Vulnerability: Supply chain attack
Severity: Critical
date: 18 May 2025
Prediction: 12 May 2025
Analytics under heading What Undercode Say:
Check installed versions npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp Search lockfiles for affected versions grep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2.2.[2-4]|1.7.[1-3]' \ package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null Find known malicious files find . -name "router_init.js" -o -name "tanstack_runner.js" -o -name "setup.mjs" 2>/dev/null Verify file hashes sha256sum router_init.js 2>/dev/null | grep ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c sha256sum tanstack_runner.js 2>/dev/null | grep 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96 sha256sum node_modules/@tanstack/setup/package.json 2>/dev/null | grep 7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b Read-only detection script (hypothetical) curl -s https://security.mistral.ai/check_malicious.sh | bash
Exploit:
No working exploit exists because the dropper is broken (execFileSync throws ENOENT, tmpdir wiped before payload runs). However, the attack chain attempted to download Bun to a temporary directory and execute router_init.js, which would have granted remote access. The worm self-propagated via npm publish if the developer’s token was exposed.
Protection from this CVE
- Immediately remove affected versions: `npm uninstall @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp`
– Update to unaffected versions (e.g., >2.2.4 for mistralai, >1.7.3 for azure/gcp) - Rotate npm tokens and review CI/CD secrets
- Scan lockfiles, container images, and build caches for the malicious hashes
- Use `npm audit` and supply chain tools (Socket, Snyk) to detect tampered dependencies
Impact
Successful exploitation would have allowed arbitrary code execution on any machine installing the affected packages, leading to credential theft, backdoors, and lateral movement. Due to the broken dropper, the actual impact is none – no payload execution occurred. Nevertheless, the presence of malicious artifacts indicates a supply chain breach, requiring system cleanup to prevent future risks if the dropper is fixed in a subsequent attack.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

