Mistral npm Packages, Supply Chain Compromise, No CVE (Critical)

Listen to this Post

The attack leverages a compromised developer device to publish malicious npm package versions of @mistralai/mistralai, @mistralai/mistralai-azure, and @mistralai/mistralai-gcp. An automated worm, associated with the TanStack security incident, injected malicious code into the packages. The affected versions (2.2.2-2.2.4 for mistralai, 1.7.1-1.7.3 for the azure and gcp variants) were available only between May 11 22:45 UTC and May 12 01:53 UTC. Upon installation, a dropper script setup.mjs references tanstack_runner.js, which attempts to execute a payload file named router_init.js. The dropper is broken: execFileSync throws ENOENT because the expected payload file is missing. Additionally, the temporary directory is wiped before the payload can run. Bun runtime is downloaded to a tmpdir, but no payload execution occurs due to these failures. The malicious files include router_init.js (hash ab4fcada…), tanstack_runner.js (hash 2ec78d55…), and @tanstack/setup package.json (hash 7c12d861…). Although the attack chain is non-functional, the presence of these artifacts indicates compromise. The compromised versions were removed from npm, and Mistral infrastructure was not breached. Systems that installed any affected version during the exposure window must be cleaned.

dailycve form:

Platform: Mistral npm packages
Version: 2.2.2-2.2.4,1.7.1-1.7.3
Vulnerability: Supply chain attack
Severity: Critical
date: 18 May 2025

Prediction: 12 May 2025

Analytics under heading What Undercode Say:

Check installed versions
npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp
Search lockfiles for affected versions
grep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2.2.[2-4]|1.7.[1-3]' \
package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
Find known malicious files
find . -name "router_init.js" -o -name "tanstack_runner.js" -o -name "setup.mjs" 2>/dev/null
Verify file hashes
sha256sum router_init.js 2>/dev/null | grep ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
sha256sum tanstack_runner.js 2>/dev/null | grep 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
sha256sum node_modules/@tanstack/setup/package.json 2>/dev/null | grep 7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b
Read-only detection script (hypothetical)
curl -s https://security.mistral.ai/check_malicious.sh | bash

Exploit:

No working exploit exists because the dropper is broken (execFileSync throws ENOENT, tmpdir wiped before payload runs). However, the attack chain attempted to download Bun to a temporary directory and execute router_init.js, which would have granted remote access. The worm self-propagated via npm publish if the developer’s token was exposed.

Protection from this CVE

  • Immediately remove affected versions: `npm uninstall @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp`
    – Update to unaffected versions (e.g., >2.2.4 for mistralai, >1.7.3 for azure/gcp)
  • Rotate npm tokens and review CI/CD secrets
  • Scan lockfiles, container images, and build caches for the malicious hashes
  • Use `npm audit` and supply chain tools (Socket, Snyk) to detect tampered dependencies

Impact

Successful exploitation would have allowed arbitrary code execution on any machine installing the affected packages, leading to credential theft, backdoors, and lateral movement. Due to the broken dropper, the actual impact is none – no payload execution occurred. Nevertheless, the presence of malicious artifacts indicates a supply chain breach, requiring system cleanup to prevent future risks if the dropper is fixed in a subsequent attack.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top