
At a Glance
GHSA-jgg6-4rpr-wfh7
Identifier
High
Potential Severity
Supply Chain
Attack Vector
Mistral npm clients
Affected
A fast-moving supply chain attack briefly compromised several of Mistral AI's official JavaScript client libraries on the npm registry. The incident, linked to a broader compromise affecting the TanStack ecosystem, resulted in malicious versions of the packages being published for just over three hours. A flaw in the attacker's code prevented the payload from executing, neutralizing the immediate threat [1].
A Supply Chain Scare for AI Developers
Between May 11 at 22:45 UTC and May 12 at 01:53 UTC, malicious code was injected into specific versions of the `@mistralai/mistralai`, `@mistralai/mistralai-azure`, and `@mistralai/mistralai-gcp` packages. The compromised versions were quickly identified and removed from the public registry. According to the official advisory, versions published before or after this narrow window are not affected [2].
"Current investigation indicates that an affected developer device was involved. We have no indication that Mistral infrastructure was compromised."
Mistral Security Advisory
A Fortunate Failure: The Broken Payload
The attack was ultimately unsuccessful due to a simple error. The malicious post-install script, `setup.mjs`, was designed to download and execute a payload. However, the script attempted to run a file named `tanstack_runner.js` that did not exist in the package. The actual payload file was named `router_init.js`.
This file name mismatch caused the execution process to fail with an error, preventing any malicious activity. While the script did download the Bun JavaScript runtime to a temporary directory, the directory was wiped before the payload could be invoked. This coding error by the attacker rendered the entire campaign inert for users of the Mistral packages.
IMMEDIATE ACTION
Verify your project dependencies and remove any affected Mistral package versions from all environments, caches, and lockfiles.
The Agentic Angle: Trust in AI Tooling
This incident is more than a standard software supply chain issue. It targeted the foundational tools that developers use to integrate Mistral's powerful large language models into applications. For teams building autonomous agents, a successful compromise of these libraries could be catastrophic. It would provide an attacker with a direct line into systems designed to operate with high levels of trust and access.
An agent's client library is its bridge to the model's intelligence. Poisoning that bridge could allow an attacker to intercept prompts, manipulate model outputs, or pivot from the application layer into sensitive infrastructure. The incident demonstrates that the security of an AI system is not just about the model's safety filters or the hosting infrastructure. The entire developer ecosystem, down to the package manager, is a critical part of the agentic threat surface.
Detection and Remediation
Organizations must check if they installed affected package versions during the exposure window. The compromised versions are `@mistralai/mistralai` versions 2.2.2 through 2.2.4, and `@mistralai/mistralai-azure` and `@mistralai/mistralai-gcp` versions 1.7.1 through 1.7.3. Administrators should use tools like `npm ls` to check installed packages and `grep` to scan lockfiles for these versions.
If an affected version is found, it should be removed immediately. Remediation must be thorough, extending beyond the local development environment. Teams should purge the compromised packages from build artifacts, container images, private package mirrors, and any deployment caches to ensure no trace of the malicious code remains in the software lifecycle.
References
- GitHub Security Advisory (GHSA-jgg6-4rpr-wfh7). https://github.com/advisories/GHSA-jgg6-4rpr-wfh7 (accessed 2026-05-19).
- Vendor security advisory (github.com). https://github.com/mistralai/client-ts/security/advisories/GHSA-jgg6-4rpr-wfh7 (accessed 2026-05-19).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.