Security Update: Mistral AI PyPI Supply Chain Attack — LiteLLM Not Impacted
On May 11, 2026, security researchers at Aikido Security discovered a coordinated supply chain attack dubbed "Mini Shai-Hulud" that published malicious versions of over 170 npm packages and 2 PyPI packages, including mistralai==2.4.6.
LiteLLM is not impacted. We call Mistral's API directly over HTTP via httpx and do not import the mistralai Python SDK anywhere in the codebase.
TLDR;
- LiteLLM does not install or import the `mistralai` package. We call Mistral's API the same way we call every other provider (via `httpx`). The compromised package is never executed in any LiteLLM environment.
- No LiteLLM user credentials were at risk from this attack. The malware runs at `import mistralai` time. Since LiteLLM never reaches that import, the payload never fires.
- No action is required from LiteLLM users. If you have separately installed `mistralai==2.4.6` in the same environment for your own application code, you should follow Mistral AI's guidance immediately.
