A threat actor calling itself TeamPCP claims to have stolen roughly 450 internal repositories and 5GB of source code from French AI firm Mistral AI, demanding $25,000 to withhold the data from public release. The intrusion is tied to the broader "Mini Shai-Hulud" supply chain campaign that compromised CI/CD credentials across the npm and PyPI ecosystems. Mistral has confirmed a limited SDK package compromise but disputes the attackers' claim of deeper internal access.
What Happened
TeamPCP surfaced on a hacker forum offering nearly 450 stolen repositories tied to Mistral AI for $25,000, structured as a classic "buy it or leak it" ultimatum with a one-week deadline and flexible pricing. The group asserts the trove spans Mistral's development, training, benchmarking, and deployment systems, totaling approximately 5GB of internal data. Mistral AI publicly acknowledged that parts of its SDK packages were temporarily compromised in connection with the Mini Shai-Hulud supply chain incident, but stated the affected scope was confined to a developer environment, with no impact on core repositories, production systems, hosted services, or customer data. The campaign also touched OpenAI, which confirmed limited exposure of employee systems and internal repository access, prompting credential rotation and a mandatory macOS update push for compliance.
What Was Taken
According to TeamPCP, the stolen material includes around 450 internal repositories totaling roughly 5GB, covering source code spanning model development, training pipelines, benchmarking harnesses, and deployment tooling. Mistral's own assessment limits the confirmed loss to SDK package contamination introduced through the upstream supply chain compromise, not full source code of core platforms. The discrepancy between the actor's claims and the victim's confirmation is significant: TeamPCP is marketing a far deeper breach than Mistral has validated, a common extortion tactic intended to inflate perceived leverage. Related fallout at OpenAI is reported as limited internal repository access with no observed downstream exploitation.
Why It Matters
The incident underscores how supply chain compromise has become the dominant pathway into otherwise hardened AI labs. Mistral and OpenAI both maintain mature security programs, yet trusted upstream dependencies and stolen CI/CD credentials bypassed those controls and landed inside developer environments at frontier AI organizations. For defenders, the strategic concern is twofold: proprietary model code, training infrastructure, and benchmarking suites carry enormous competitive and dual-use value, and a single contaminated package can simultaneously infect dozens of high-value tenants. The cross-victim footprint, spanning Mistral, OpenAI, UiPath, Guardrails AI, and OpenSearch, confirms that Mini Shai-Hulud is an ecosystem-level event, not a series of isolated incidents.
The Attack Technique
The intrusion chain began with stolen CI/CD credentials tied to TanStack packages, which were then weaponized to publish malicious versions into the npm and PyPI registries. Downstream consumers who pulled the tainted packages ingested the malicious payload through routine dependency resolution, giving the attackers a foothold inside developer environments. From there, the campaign propagated laterally through trusted package relationships, reaching multiple organizations including Mistral's SDK build pipeline. The methodology mirrors the original Shai-Hulud worm pattern: compromise a maintainer, poison the registry, and let automation distribute the malware. TeamPCP's extortion appears to be a downstream monetization of access gained through this broader campaign, rather than a bespoke intrusion against Mistral.
What Organizations Should Do
- Pin and verify dependencies. Lock npm and PyPI dependencies to known-good hashes, and enable signature verification where supported. Treat new releases of trusted packages as untrusted until reviewed.
- Rotate CI/CD credentials and enforce short-lived tokens. Audit any long-lived registry, GitHub, or cloud tokens accessible to build pipelines, and replace them with OIDC-based federated credentials.
- Audit for indicators tied to Mini Shai-Hulud and TanStack package compromise. Hunt for unusual postinstall scripts, outbound connections from build agents, and unexpected publish events on internal mirrors.
- Segment developer environments from production. Ensure that compromise of a build host or developer laptop cannot pivot into model weights, customer data, or hosted inference infrastructure.
- Monitor leak forums and dark web markets for mentions of internal repository names, project codenames, and developer handles to detect extortion exposure early.
- Establish a documented response playbook for source code extortion, including legal, communications, and law enforcement engagement paths, ahead of a forced disclosure timeline.
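To make the dependency-pinning and install-script hunting items above concrete, here is an added Python example (not code from the article or from any organization it names). It audits a constructed npm package-lock.json for entries that lack a sha512 integrity hash, resolve to a host other than the expected registry, or carry an install hook, and checks a constructed requirements.txt for lines that are not pinned to an exact version with a hash; every package name, version, hash and URL in it is a constructed placeholder.

```python
import json
import re

# Constructed sample package-lock.json (lockfileVersion 3 layout), not real package data.
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/left-pad": {
        "version": "1.3.0", "integrity": "sha512-" + "A" * 86 + "==",
        "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/example-sdk": {  # no integrity field: the download cannot be verified
        "version": "2.0.1", "hasInstallScript": True,
        "resolved": "https://registry.npmjs.org/example-sdk/-/example-sdk-2.0.1.tgz"},
    "node_modules/mirror-pkg": {  # pulled from an internal host, with a weak sha1 hash
        "version": "0.1.0", "integrity": "sha1-" + "B" * 27 + "=",
        "resolved": "http://10.0.0.5/mirror-pkg-0.1.0.tgz"},
}})
# Constructed requirements.txt: one hash-pinned line (placeholder hash), one floating range.
SAMPLE_REQS = "example-lib==1.4.2 --hash=sha256:" + "0" * 64 + "\nexample-sdk>=1.0\n"
ALLOWED_REGISTRY = "https://registry.npmjs.org/"


def audit_npm_lock(lock_text, allowed_registry=ALLOWED_REGISTRY):
    """Flag lock entries that cannot be verified or that run install hooks."""
    findings = []
    for path, entry in json.loads(lock_text).get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        if not entry.get("integrity", "").startswith("sha512-"):
            findings.append((name, "weak-or-missing-integrity"))
        if not entry.get("resolved", "").startswith(allowed_registry):
            findings.append((name, "unexpected-registry"))
        if entry.get("hasInstallScript"):  # npm sets this for preinstall/install/postinstall hooks
            findings.append((name, "install-script"))
    return findings


def audit_requirements(req_text):
    """Return requirement lines not pinned to an exact version with a sha256 hash."""
    bad = []
    for line in req_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if not re.match(r"^[\w.\-]+==\S+", line) or "--hash=sha256:" not in line:
            bad.append(line)
    return bad
```

Run it against a real lockfile by reading the file contents into `audit_npm_lock`; any finding is a package to review before it reaches a build agent.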
Sources: Hackers Threaten Mistral AI Source Code Leak After Supply Chain Attack Exposes SDKs - UNDERCODE NEWS