Blog
Skip to main content

Security Update: Mistral AI PyPI Supply Chain Attack — LiteLLM Not Impacted

Mubashir Osmani
Mubashir Osmani

On May 11, 2026, security researchers at Aikido Security discovered a coordinated supply chain attack dubbed "Mini Shai-Hulud" that published malicious versions of over 170 npm packages and 2 PyPI packages, including mistralai==2.4.6.

LiteLLM is not impacted. We call Mistral's API directly over HTTP via httpx and do not import the mistralai Python SDK anywhere in the codebase.

TLDR;

  • LiteLLM does not install or import the mistralai package. We call Mistral's API the same way we call every other provider (via httpx). The compromised package is never executed in any LiteLLM environment.
  • No LiteLLM user credentials were at risk from this attack. The malware runs at import mistralai time. Since LiteLLM never reaches that import, the payload never fires.
  • No action is required from LiteLLM users. If you have separately installed mistralai==2.4.6 in the same environment for your own application code, you should follow Mistral AI's guidance immediately.

What happened

TeamPCP published mistralai==2.4.6 to PyPI — a version Mistral AI never released. The package contained a backdoor injected into src/mistralai/client/__init__.py that fires at import time on Linux hosts. When triggered, it downloads a file named transformers.pyz from a hardcoded attacker-controlled IP address (83.142.209.194) and executes it as a detached background process.

The filename was deliberately chosen to resemble Hugging Face's widely used transformers library, giving it cover in ML environments.

The payload functions as a credential stealer, targeting secrets stored on the host — cloud credentials, CI/CD tokens, GitHub access tokens, and API keys. Researchers also found a geofenced destructive branch with a 1-in-6 probability of running rm -rf / on systems detected to be in certain regions.

PyPI has since quarantined the entire mistralai project. The attack was part of a broader campaign that hit TanStack (42 packages), UiPath (65 packages), Guardrails AI, OpenSearch, and others across both npm and PyPI.

What to check if you use LiteLLM

No LiteLLM-specific action is needed. If you want to be thorough:

  1. Confirm mistralai is not in your environment.

    pip show mistralai

    If the output shows version 2.4.6, remove it immediately and follow Mistral AI's security advisory.

  2. Check your environment for the dropper. Look for /tmp/transformers.pyz on any Linux hosts that had mistralai==2.4.6 installed, and for unexpected outbound connections to 83.142.209.194.

  3. Rotate credentials if you were affected. If mistralai==2.4.6 was installed and imported in your environment, treat all secrets present on that host as compromised: cloud credentials, API keys, CI/CD tokens, and GitHub tokens.

Our broader approach to dependency security

If you discover a security issue in LiteLLM, please report it through our bug bounty program. We pay out for P0 (supply chain) and P1 (unauthenticated proxy access) issues.

References

🚅
LiteLLM Enterprise
SSO/SAML, audit logs, spend tracking, multi-team management, and guardrails — built for production.
Learn more →

We're hiring

Like what you see? Join us

Come build the future of AI infrastructure.