
Hackers Put Mistral AI Source Code Up for Sale After Supply Chain Attack
A hacker group has put nearly 450 internal Mistral AI repositories up for sale on a dark web forum, demanding $25,000 for what it claims is roughly 5GB of stolen source code. The Mistral AI data breach stems from a sophisticated supply chain attack that compromised developer environments across the broader open-source software ecosystem. Mistral has confirmed partial exposure but disputes the scope of the theft.
How TeamPCP Got In
On May 11, 2026, between 19:20 and 19:26 UTC, TeamPCP published 84 malicious npm package artifacts across 42 packages in the TanStack namespace. TanStack is a widely used collection of open-source UI libraries - @tanstack/react-router alone receives more than 12 million weekly downloads.
The attack chained three GitHub Actions vulnerabilities in sequence. The group forked the TanStack/router repository, opened a pull request that triggered a pull_request_target workflow, and poisoned the GitHub Actions cache with a malicious pnpm store. When legitimate maintainer merges later triggered the release workflow, the poisoned cache was restored and attacker-controlled binaries extracted OIDC tokens directly from the GitHub Actions runner process memory.
Those tokens gave TeamPCP the ability to publish packages using TanStack's own trusted pipeline. The malicious versions spread to MistralAI, UiPath, and dozens of other maintainers within hours. This is also the first documented case of a malicious npm package carrying valid SLSA provenance: a cryptographic certificate meant to verify that a package was built from a trusted source. In this case, the certificate was legitimate. The pipeline was not.
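The chain described above starts with a pull_request_target workflow that handles attacker-controlled pull request content and leaves entries in the Actions cache that a later release workflow restores. The following is an added example, not code from the article, TanStack or Mistral: a stdlib-only heuristic auditor that flags workflow files combining a pull_request_target trigger with a checkout of the PR head or with cache use. The two workflow texts are constructed for illustration and do not represent the real TanStack workflows; the regex rules are a simplification of the pattern, not a full YAML parse.

```python
"""Heuristic audit of GitHub Actions workflow text for the pull_request_target
plus cache-poisoning shape. Added example; constructed sample workflows."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    workflow: str
    issue: str


# Constructed sample (hypothetical, not a real TanStack file): runs on
# pull_request_target, checks out the PR head, and writes the pnpm cache.
RISKY_WORKFLOW = """
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          cache: pnpm
      - run: pnpm install
"""

# Constructed sample: plain pull_request trigger, so PR code runs without
# base-repo secrets and without a write-capable token.
SAFE_WORKFLOW = """
name: ci
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          cache: npm
      - run: npm ci
"""

# Block form ("  pull_request_target:") or inline list ("on: [push, pull_request_target]").
_PRT_BLOCK = re.compile(r"^\s*pull_request_target\s*:", re.M)
_PRT_INLINE = re.compile(r"^on:\s*\[.*pull_request_target.*\]", re.M)
# Checkout of the PR head ref inside a pull_request_target workflow.
_PR_HEAD_REF = re.compile(r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head")
# Explicit actions/cache use or a setup action's `cache:` input.
_CACHE_USE = re.compile(r"actions/cache@|^\s*cache:\s*\S", re.M)


def audit_workflow(name: str, text: str) -> list[Finding]:
    """Return findings for one workflow file's text (heuristic, assumption-based)."""
    findings = []
    uses_prt = bool(_PRT_BLOCK.search(text) or _PRT_INLINE.search(text))
    if not uses_prt:
        return findings  # the pattern needs the privileged trigger
    if _PR_HEAD_REF.search(text):
        findings.append(Finding(name, "pull_request_target workflow checks out the "
                                      "PR head: untrusted code runs with base-repo "
                                      "secrets and token"))
    if _CACHE_USE.search(text):
        findings.append(Finding(name, "pull_request_target workflow uses the Actions "
                                      "cache: entries written here are restored by "
                                      "later workflows on the base branch"))
    if not findings:
        findings.append(Finding(name, "pull_request_target trigger present: review "
                                      "every step that touches PR content"))
    return findings


def audit_all(workflows: dict[str, str]) -> list[Finding]:
    """Audit a mapping of workflow filename -> text, e.g. the .github/workflows dir."""
    out = []
    for name, text in workflows.items():
        out.extend(audit_workflow(name, text))
    return out


if __name__ == "__main__":
    for f in audit_all({"risky.yml": RISKY_WORKFLOW, "safe.yml": SAFE_WORKFLOW}):
        print(f"{f.workflow}: {f.issue}")
```

Run it over a checkout's `.github/workflows` directory by reading each file into the mapping passed to `audit_all`. The safe variant gets no findings because a plain `pull_request` trigger runs PR code with a read-only token and no secrets, which is the usual fix when a workflow does not genuinely need base-repo privileges.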
What the Worm Did
Within five hours, TeamPCP had published over 400 malicious versions across 172 distinct packages, hitting high-profile targets including TanStack, Mistral AI, OpenSearch, Guardrails AI, and UiPath.
The malware deployed across this campaign, dubbed MiniShai-Hulud, is designed to harvest credentials and spread autonomously. It targets AWS IAM credentials, HashiCorp Vault secrets, and GitHub tokens, then moves laterally through the victim's infrastructure to find additional targets. Stolen data was exfiltrated through three separate channels: a typosquat domain named git-tanstack[.]com, the decentralized Session messenger network, and GitHub API dead drops where stolen tokens were used to create Dune-themed repositories.
On developer machines, the malware also installs a persistent daemon that polls GitHub every 60 seconds. It is a campaign built for persistence, not just opportunistic access. The compromised packages targeted developer environments, harvesting credentials from common locations and deploying malware on Linux systems.
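Two of the behaviours described in this section are directly detectable in outbound proxy or DNS logs: traffic to the typosquat exfiltration domain and a developer host polling GitHub at a fixed 60-second cadence. The following is an added example, not code from the article or from any vendor tooling: a stdlib-only detector run over a constructed log sample. The domain is the one named in the article (defanged there as git-tanstack[.]com); the log format, hostnames, paths, thresholds and tolerance values are assumptions made for the example.

```python
"""Detect IoC-domain contacts and fixed-interval GitHub polling in proxy logs.
Added example; the log lines below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Exfiltration domain reported for the campaign (defanged in the article).
IOC_DOMAINS = {"git-tanstack.com"}

# Constructed proxy log, one event per line: "<ISO timestamp> <src_host> <dst_domain> <path>".
# dev-42 is the hypothetical infected host: it polls GitHub every 60 s and
# makes one contact to the exfiltration domain. dev-17 is ordinary activity.
SAMPLE_LOG = """\
2026-05-12T09:00:00Z dev-42 api.github.com /repos/example-org/a
2026-05-12T09:00:00Z dev-17 registry.npmjs.org /react
2026-05-12T09:01:00Z dev-42 api.github.com /repos/example-org/a
2026-05-12T09:01:30Z dev-17 api.github.com /user
2026-05-12T09:02:00Z dev-42 api.github.com /repos/example-org/a
2026-05-12T09:03:00Z dev-42 api.github.com /repos/example-org/a
2026-05-12T09:03:05Z dev-42 git-tanstack.com /upload
2026-05-12T09:04:00Z dev-42 api.github.com /repos/example-org/a
2026-05-12T09:15:00Z dev-17 api.github.com /repos/example-org/b
2026-05-12T09:16:40Z dev-17 api.github.com /user
"""


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed log format into (timestamp, host, domain, path)."""
    events = []
    for line in log.splitlines():
        ts, host, domain, path = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, domain, path))
    return events


def ioc_hits(events) -> list[tuple[str, str]]:
    """Hosts that contacted a known exfiltration domain."""
    return [(host, domain) for _, host, domain, _ in events if domain in IOC_DOMAINS]


def beaconing_hosts(events, domain: str = "api.github.com", expected: float = 60.0,
                    tolerance: float = 0.1, min_events: int = 4) -> dict[str, tuple[float, float]]:
    """Hosts whose requests to `domain` arrive at a near-constant interval.

    A host is flagged when it has at least `min_events` requests, the mean gap is
    within `tolerance` of `expected` seconds, and the gap jitter (population
    std dev) is also within that band. Thresholds are assumptions for the example.
    """
    by_host = defaultdict(list)
    for ts, host, d, _ in events:
        if d == domain:
            by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg, jitter = mean(gaps), pstdev(gaps)
        if abs(avg - expected) <= tolerance * expected and jitter <= tolerance * expected:
            flagged[host] = (avg, jitter)
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for host, domain in ioc_hits(ev):
        print(f"IoC contact: {host} -> {domain}")
    for host, (avg, jitter) in beaconing_hosts(ev).items():
        print(f"beaconing: {host} polls api.github.com every {avg:.0f}s (jitter {jitter:.1f}s)")
```

Human developers also talk to api.github.com constantly, so the cadence check is only useful as a triage signal alongside the IoC match and endpoint evidence of the persistent daemon; the `min_events` floor keeps a few coincidentally spaced requests from firing it.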
Mistral AI Confirms the Breach
Mistral AI acknowledged it was caught in the wave. A company spokesperson confirmed that attackers temporarily compromised one of its codebase management systems on May 12, 2026, through a third-party software supply chain attack.
Mistral said it quickly neutralized the attack, secured its infrastructure, and launched a forensic investigation with relevant authorities. The attackers accessed certain non-core code repositories only. Hosted services, managed user data, and research and testing environments were not affected.
Mistral's own SDK packages were among those poisoned during the campaign. An automated worm associated with the attack led to compromised npm and PyPI package versions being published, with investigation pointing to an affected developer device as the entry point.
Hackers Now Selling the Data
Despite Mistral's containment narrative, TeamPCP moved to monetize whatever it extracted. The group is advertising 450 repositories on the dark web for $25,000, claiming the data contains internal source code used for training, fine-tuning, benchmarking, model delivery, and inference across experiments and future projects. The sale is listed as exclusive — only one buyer will receive the data. TeamPCP has also extended an offer to Mistral itself to buy back the repositories. If no buyer is found within a week, the group has threatened to leak everything publicly for free.
The forum post claims the material includes internal AI projects, software systems, dashboards, testing tools, customer deployments, experiments, and unreleased development work. One repository reportedly references Pfizer, though there is no evidence the pharmaceutical company was breached.
The claims remain unverified. No data samples have been published, and Mistral's advisories do not confirm a breach of the scope TeamPCP is advertising.
A Group With a Pattern
This incident did not come from nowhere. TeamPCP has previously been linked to the compromise of Aqua Security's Trivy scanner in March 2026 and the Bitwarden CLI npm package in April 2026. The Trivy incident was particularly severe, leading to a data breach at the European Commission's Europa.eu web hub where over 90GB of sensitive data was exfiltrated.
The TanStack supply chain compromise carries a CVSS score of 9.6 out of 10, rated critical severity. Security researchers tracking the group note that each wave of MiniShai-Hulud builds on the previous one. The ability to produce validly attested malicious packages is a meaningful escalation. Defenders can no longer treat a clean provenance certificate as a reliable signal on its own.
What This Means for AI Companies
Attacks targeting AI software environments are moving beyond poisoned packages and stolen credentials. Threat actors are now focusing on internal development systems, enterprise tooling, and AI infrastructure itself.
For Mistral, the reputational stakes are particularly high. The company markets itself as Europe's leading sovereign AI alternative, built on principles of transparency and data control. A confirmed breach at the scale TeamPCP is advertising could expose competitive intelligence and client-facing development work and undermine the trust that positioning depends on.
The Mistral AI data breach, even in its disputed form, reflects a structural problem that extends well beyond one company. Developer pipelines, CI/CD credentials, and open-source package ecosystems have become attack surfaces that threat actors are actively and systematically exploiting. Organizations that depend on open-source tooling need to treat their build environments with the same scrutiny as their production infrastructure, because for groups like TeamPCP, those two things are now the same target.