Advisories for Npm/@Mistralai/Mistralai package

On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …

Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published. Current investigation indicates that an affected developer device was involved. We have no indication that Mistral infrastructure was compromised. The compromised versions were removed from npm. They were available only between May 11 at 22:45 UTC and …