top of page

TeamPCP Claims Sale of Mistral AI Repositories During Mini Shai-Hulud Attack

  • May 13
  • 3 min read

Key Findings


  • TeamPCP-linked forum account claims to be selling roughly 5GB of internal Mistral AI repositories and source code

  • The alleged archive contains approximately 450 repositories covering training systems, inference infrastructure, and enterprise AI projects

  • No independent verification of the authenticity of the claimed repositories has been established

  • The sale announcement surfaced days after Mini Shai-Hulud supply chain attacks compromised hundreds of npm and PyPI packages linked to Mistral AI

  • TeamPCP is demanding $25,000 for the data, threatening public release within a week if no buyer emerges

  • The threat actor claims to offer access to only one buyer

  • TeamPCP has previously been linked to package poisoning attacks targeting AI infrastructure and developer tooling


Background


The claims emerged following the Mini Shai-Hulud campaign, a coordinated supply chain attack that poisoned over 400 malicious package versions across 172 distinct packages on npm and PyPI. The attack occurred on May 11-12, 2026, targeting high-profile companies including Mistral AI, TanStack, OpenSearch, UiPath, and Guardrails AI. TeamPCP gained unauthorized access to legitimate CI/CD pipelines by hijacking OpenID Connect tokens, allowing them to publish malicious updates with valid SLSA provenance attestations.


The malware deployed in that campaign was designed to steal GitHub tokens, cloud credentials, CI/CD secrets, SSH keys, and developer environment data. It also featured self-propagation capabilities, using stolen credentials to infect other developers' projects. The worm avoided detection by routing stolen data through the decentralized Oxen network rather than traditional command-and-control servers.


Repository Claims and Contents


The forum post lists dozens of repository names that appear consistent with internal engineering environments and enterprise AI development workflows. Examples include mistral-inference-internal, mistral-finetune-internal, chatbot-security-evaluation, devstral-cloud, and pfizer-rfp-2025. The advertised 5GB archive allegedly contains repositories covering training systems, fine-tuning projects, benchmarking tools, dashboards, inference infrastructure, experiments, and future AI projects.


The threat actor shared sample repository names in compressed format, including finance.tar.gz, turbine.tar.gz, xformers.tar.gz, mistral-fabric.tar.gz, and mistral-lawyer-internal.tar.gz. Some repository names suggest enterprise partnerships and specialized AI applications, such as kyc-doc-agent and cma-customer-care-internal.


Verification and Evidence Status


The forum post does not include downloadable samples or technical proof confirming actual access to the repositories. The threat actor references previous TeamPCP activity involving Lightning AI and instructs potential buyers to verify the group's identity through prior attack notes and forum activity history.


As of the time of writing, there is no public evidence confirming that the files, if authentic, originated from Mistral AI's internal systems. Mistral AI has not publicly commented on the claims. However, the specificity of repository names and their alignment with known AI development practices lend some credibility to the assertion, though this alone does not constitute verification.


Connection to Mini Shai-Hulud Campaign


The timing and attribution to TeamPCP suggest a direct connection between this alleged data sale and the recent supply chain attack. The Mini Shai-Hulud campaign successfully infiltrated Mistral AI's development environment by compromising CI/CD publishing systems. This access could have potentially extended beyond public package repositories to internal development systems.


The earlier attack's success in stealing credentials and gaining infrastructure access raises questions about the scope of the compromise. Security researchers have warned that compromised developer credentials or publishing infrastructure could provide attackers with broader access to internal systems beyond what was immediately apparent from the poisoned packages.


Implications for AI Infrastructure Security


The escalation from poisoned packages to alleged sales of internal repositories represents a concerning shift in how threat actors target AI companies. Rather than limiting themselves to credential theft or malware distribution, TeamPCP now appears focused on monetizing intellectual property and internal development assets connected to AI infrastructure and enterprise tooling.


As AI companies expand their cloud-hosted training, inference, and autonomous agent systems, their developer credentials and CI/CD environments have become increasingly valuable targets. Access to internal repositories containing training data, model architectures, fine-tuning procedures, and enterprise integrations could provide competitors or malicious actors with significant advantages.


The incident underscores vulnerabilities in how CI/CD pipelines authenticate and authorize package releases, particularly through OIDC token hijacking. Security professionals have characterized this as a critical escalation because attackers compromised the pipeline infrastructure itself rather than targeting individual developers or endpoints.


Recommended Actions


Mistral AI has published security advisories confirming the compromise of its packages during the Mini Shai-Hulud attack. Researchers recommend that developers immediately audit their lockfiles for affected versions. Any environment containing mistralai 2.4.6 or Guardrails-ai 0.10.1 should be treated as fully compromised, requiring complete rotation of all credentials stored in those environments.


Organizations using Mistral AI packages or other affected libraries should review their access logs between May 11-12, 2026, when the poisoned packages were available. This includes monitoring for suspicious credential usage, unauthorized cloud resource provisioning, or unexpected data exfiltration during that timeframe.


Sources


  • https://hackread.com/teampcp-mistral-ai-repositories-mini-shai-hulud-attack/

  • https://hackread.com/teampcp-mini-shai-hulud-worm-npm-pypi-packages/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page