GHSA-JGG6-4RPR-WFH7
Vulnerability from github – Published: 2026-05-18 17:55 – Updated: 2026-05-18 17:55

Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident (https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx). An automated worm associated with the attack led to compromised npm package versions being published.
Current investigation indicates that an affected developer device was involved. We have no indication that Mistral infrastructure was compromised. The compromised versions were removed from npm. They were available only between May 11 at 22:45 UTC and May 12 at 01:53 UTC. Previous and later versions are not affected by this advisory.
Impact
The dropper is broken, so it has no impact:
- setup.mjs references tanstack_runner.js, but the payload file is named router_init.js
- execFileSync therefore throws ENOENT, and the tmpdir is wiped before the payload runs. Bun is downloaded to a tmpdir, but the payload is never executed.
We still recommend removing the packages; see below for remediation.
Check whether you are affected
You are affected if one of the package versions above was installed in any environment during the exposure window or is present in a lockfile, build artifact, container image, package cache, or deployment image.
| Package | Affected versions |
|---|---|
| @mistralai/mistralai | 2.2.2, 2.2.3, 2.2.4 |
| @mistralai/mistralai-azure | 1.7.1, 1.7.2, 1.7.3 |
| @mistralai/mistralai-gcp | 1.7.1, 1.7.2, 1.7.3 |
Check installed versions:
```bash
npm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp
grep -n -A 4 -B 2 -E '@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2\.2\.[2-4]|1\.7\.[1-3]' \
  package-lock.json pnpm-lock.yaml yarn.lock 2>/dev/null
```
Look for any of the following files (SHA-256):
- router_init.js (embedded in all @tanstack packages): ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
- tanstack_runner.js (from git commit): 2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
- @tanstack/setup package.json: 7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b
You may also run this read-only script (https://gist.github.com/beowolx2/a3ceeb18d1f1cec977d5cc6eaf41c96a), which automatically flags known malicious files.
You are not affected by this advisory if you did not install the affected package versions and they are not present in your lockfiles, build caches, deployment artifacts, or package mirrors.
If the command finds an affected version, continue with the remediation steps below. If you use private package mirrors, caches, or container base images, check those copies too.
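The lockfile and file-hash checks described above, as an added example that is not part of the advisory or of the Mistral client: a POSIX shell script whose `lockfile_hits` function ties each affected version range to its own package (so an unrelated package at 2.2.2 is not a hit) and whose `ioc_file_hits` function hashes any file with one of the advisory's IoC filenames against the published digests. It assumes GNU `sha256sum`, the npm `package-lock.json` layout only (pnpm and yarn lockfiles differ and are covered by the advisory's `grep`), and a constructed sample tree written by `write_sample_tree`.

```bash
#!/usr/bin/env sh
# Added example, not part of the advisory: a read-only check that (1) parses a
# package-lock.json for the affected @mistralai versions and (2) hashes files
# carrying the advisory's IoC filenames against the published SHA-256 digests.

# Known-bad SHA-256 digests quoted in the advisory.
IOC_HASHES="ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c
2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96
7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b"

# Print "<package> <version>" for each affected entry in a package-lock.json
# (v1 "dependencies" and v2/v3 "packages" layouts). Version ranges are tied to
# the package they belong to, so an unrelated package at 2.2.2 is not a hit.
lockfile_hits() {
  awk '
    match($0, /"(node_modules\/)?@mistralai\/(mistralai|mistralai-azure|mistralai-gcp)": *[{]/) {
      pkg = substr($0, RSTART, RLENGTH)
      sub(/^"(node_modules\/)?/, "", pkg); sub(/": *[{]$/, "", pkg)
    }
    pkg != "" && match($0, /"version": "[^"]+"/) {
      ver = substr($0, RSTART + 12, RLENGTH - 13)
      if ((pkg == "@mistralai/mistralai" && ver ~ /^2\.2\.[234]$/) ||
          (pkg != "@mistralai/mistralai" && ver ~ /^1\.7\.[123]$/)) print pkg, ver
      pkg = ""
    }' "$1"
}

# Walk a tree for the IoC filenames; MALICIOUS = digest matches the advisory,
# NAME-ONLY = same filename but different content (still worth a manual look).
ioc_file_hits() {
  find "$1" -type f \( -name router_init.js -o -name tanstack_runner.js \
      -o -path '*/@tanstack/setup/package.json' \) 2>/dev/null |
  while IFS= read -r f; do
    h=$(sha256sum "$f" | cut -d' ' -f1)          # macOS: shasum -a 256
    case "$IOC_HASHES" in
      *"$h"*) printf 'MALICIOUS %s %s\n' "$h" "$f" ;;
      *)      printf 'NAME-ONLY %s %s\n' "$h" "$f" ;;
    esac
  done
}

# Constructed sample tree (not real data): one affected version, one clean
# version, one unrelated package at a lookalike version, one benign router_init.js.
write_sample_tree() {
  mkdir -p "$1/node_modules/some-lib"
  printf '{ "packages": {\n "node_modules/@mistralai/mistralai": { "version": "2.2.3" },\n "node_modules/@mistralai/mistralai-gcp": { "version": "1.7.0" },\n "node_modules/some-lib": { "version": "2.2.2" } } }\n' > "$1/package-lock.json"
  printf 'console.log("benign placeholder");\n' > "$1/node_modules/some-lib/router_init.js"
}
```

Run `lockfile_hits ./package-lock.json` and `ioc_file_hits ./node_modules` (or a container image's extracted filesystem); a MALICIOUS line means the advisory's remediation steps apply.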
Remediate affected systems
- Stop using the affected package version immediately.
- Clean systems where any of these packages has been installed.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai"
},
"versions": [
"2.2.2"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-azure"
},
"versions": [
"1.7.1"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-gcp"
},
"versions": [
"1.7.1"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai"
},
"versions": [
"2.2.3"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai"
},
"versions": [
"2.2.4"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-azure"
},
"versions": [
"1.7.2"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-azure"
},
"versions": [
"1.7.3"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-gcp"
},
"versions": [
"1.7.2"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@mistralai/mistralai-gcp"
},
"versions": [
"1.7.3"
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-506"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T17:55:53Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Mistral npm `@mistralai/mistralai`, `@mistralai/mistralai-azure`, `@mistralai/mistralai-gcp` were compromised by a supply chain attack related to the [TanStack security incident](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx). An automated worm associated with the attack led to **compromised npm package versions being published**.\n\nCurrent investigation indicates that an affected developer device was involved. We have no indication that Mistral infrastructure was compromised. The compromised versions were removed from npm. They were available only between May 11 at 22\\:45 UTC and May 12 at 01\\:53 UTC. **Previous and later versions are not affected by this advisory**.\n\n## Impact\n\nThe dropper **is broken**, it has no impact. \n- `setup.mjs` references `tanstack_runner.js` but the payload file is named `router_init.js`\n - `execFileSync` throws `ENOENT` and the tmpdir is wiped before payload runs. Bun gets downloaded to a tmpdir but no payload execution.\n\nWe still recommend removing the packages, see below for remediation.\n\n## Check whether you are affected\n\nYou are affected if one of the package versions above was installed in any environment **during the exposure window** or is present in a lockfile, build artifact, container image, package cache, or deployment image.\n\n| Package | Affected versions |\n|---|---|\n| `@mistralai/mistralai` | `2.2.2`, `2.2.3`, `2.2.4` |\n| `@mistralai/mistralai-azure` | `1.7.1`, `1.7.2`, `1.7.3` |\n| `@mistralai/mistralai-gcp` | `1.7.1`, `1.7.2`, `1.7.3` |\n\nCheck installed versions:\n\n```bash\nnpm ls @mistralai/mistralai @mistralai/mistralai-azure @mistralai/mistralai-gcp\ngrep -n -A 4 -B 2 -E \u0027@mistralai/(mistralai|mistralai-azure|mistralai-gcp)|2\\.2\\.[2-4]|1\\.7\\.[1-3]\u0027 \\\n package-lock.json pnpm-lock.yaml yarn.lock 2\u003e/dev/null\n```\n\nLook for any of the following files\n- `router_init.js` (embedded in all @tanstack packages): `ab4fcadaec49c03278063dd269ea5eef82d24f2124a8e15d7b90f2fa8601266c`\n- `tanstack_runner.js` (from git commit): `2ec78d556d696e208927cc503d48e4b5eb56b31abc2870c2ed2e98d6be27fc96`\n- `@tanstack/setup` package.json: `7c12d8614c624c70d6dd6fc2ee289332474abaa38f70ebe2cdef064923ca3a9b`\n\nYou may also run this (read-only) [script](https://gist.github.com/beowolx2/a3ceeb18d1f1cec977d5cc6eaf41c96a) that will automatically flag known malicious files.\n\nYou are not affected by this advisory if you did not install the affected package versions and they are not present in your lockfiles, build caches, deployment artifacts, or package mirrors.\n\nIf the command finds an affected version, continue with the [remediation steps below](#remediate-affected-systems). If you use private package mirrors, caches, or container base images, check those copies too.\n\n## Remediate affected systems\n\n1. Stop using the affected package version immediately.\n2. Clean systems where one of this package has been installed.",
"id": "GHSA-jgg6-4rpr-wfh7",
"modified": "2026-05-18T17:55:53Z",
"published": "2026-05-18T17:55:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mistralai/client-ts/security/advisories/GHSA-jgg6-4rpr-wfh7"
},
{
"type": "PACKAGE",
"url": "https://github.com/mistralai/client-ts"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp"
}