Hackers Claim to Be Selling Mistral AI Source Code for $25K: What We Know

In the case of Mistral AI, attackers inserted malicious code into one of the official SDK releases distributed through package repositories.

What Happened With the Mistral AI SDK

Mistral confirmed that the incident involved compromised SDK package releases, not a breach of its core systems. According to the company’s security advisory:

• Malicious versions of several npm and PyPI packages were briefly published.
• The affected versions included packages such as @mistralai/mistralai (2.2.2–2.2.4) and the Python package mistralai (2.4.6).
• The compromised releases were uploaded between May 11–12, 2026 and quickly removed once discovered.

The malicious Python package executed code automatically when imported. It downloaded a secondary payload named transformers.pyz from a remote server and launched it as a background process on Linux systems.

Did Attackers Breach Mistral AI’s Infrastructure?

Mistral’s investigation states that its internal infrastructure was not compromised. The company says forensic analysis traced the issue to a compromised developer device, not to a breach of internal production systems.

That distinction matters: a developer workstation compromise could allow attackers to publish malicious packages without gaining access to internal infrastructure or core repositories.

Why the Alleged Leak Is Still Unverified

Despite the forum claim, several factors prevent investigators from confirming the authenticity of the supposed data dump.

First, no sample files or repository metadata have been publicly released that could be checked against known Mistral codebases. Second, no third‑party security firm has verified the data. Finally, Mistral itself has not acknowledged any confirmed repository theft.

In practice, verifying a leak of this type would require evidence such as:

• Valid Git commit history tied to private repositories
• Matching internal repository structure
• Cryptographic signatures or build artifacts
• Confirmation from affected maintainers

None of these indicators have been presented publicly so far.

How This Fits Into TeamPCP’s Broader Campaign

The claim appears amid a wider wave of attacks targeting the open‑source software supply chain. Security researchers link TeamPCP to repeated compromises of popular development packages, often designed to steal credentials from developer environments and CI pipelines.

The Mini Shai‑Hulud campaign demonstrates how quickly these attacks can spread: hundreds of malicious package versions were published within hours across multiple ecosystems.

Within that context, the alleged Mistral repository sale could represent one of two possibilities:

• A genuine attempt to monetize data obtained from compromised developer machines
• An opportunistic claim meant to capitalize on the visibility of the supply‑chain incident

At the moment, public evidence is insufficient to determine which explanation is correct.

What Developers Should Take From the Incident

Regardless of the repository‑sale claim, the confirmed SDK compromise highlights the broader risks facing modern software supply chains. Attacks targeting package ecosystems can rapidly propagate malware to thousands of systems if developers install compromised versions before they are removed.

For organizations using affected ecosystems, common defensive steps include:

• auditing installed package versions
• rotating credentials that may have been exposed
• monitoring CI/CD environments for unusual activity

The situation surrounding the alleged Mistral AI source code sale remains fluid. Until verifiable proof appears, security researchers treat the claim as unconfirmed speculation tied to a very real supply‑chain attack.