And if you’re an AI developer who’s been trusting “verified” packages from PyPI, this one hits close to home. Here’s what I did after the news broke — and what you should do too.

Quick TL;DR: On May 11, 2026, an attack group called TeamPCP pushed 373 malicious versions across 169 npm and PyPI packages — including Mistral AI’s mistralai==2.4.6. And this was the first documented supply chain attack with valid SLSA provenance. So the old verification playbook doesn’t work anymore. I’ll walk through exactly what happened and how to check your own dependencies.

What Actually Happened with the Mini Shai-Hulud Attack

Look, the attack chain is honestly terrifying in its elegance. TeamPCP compromised TanStack’s GitHub Actions workflow through a pull_request_target vulnerability — a classic Pwn Request. From there, they poisoned the build cache, extracted OIDC tokens straight out of CI process memory, and used those tokens to sign and publish malicious versions under legitimate package names.

373 versions. 169 packages. And a CVSS score of 9.6 — critical by any measure.

One of those packages was Mistral AI’s official PyPI package: mistralai==2.4.6. Installing it would silently collect your API keys, GitHub PATs, cloud credentials, and bot tokens, then ship them to an attacker-controlled server. And the malware even had geographic self-destruct: if it detected an Israeli or Iranian IP, it would run rm -rf / to destroy evidence.

But here’s the kicker — the whole thing has been called a “cross-ecosystem supply chain worm” because it didn’t stop at npm. It jumped to PyPI specifically targeting the AI development toolchain — the same frameworks you’d pair with tools like Headroom for AI agent workflows. Every LLM wrapper, every embedding library — they’re all potential entry points now.

The SLSA Paradox: When a “Verified” Package Is Actually Malware

I’ve been following SLSA (Supply-chain Levels for Software Artifacts) for a couple of years. And the concept is solid: cryptographic provenance that proves a package was built from source in a trusted CI pipeline. Build Level 3 is supposed to be the gold standard — signed by the CI system, attested by the identity provider.

Here’s the thing that makes Mini Shai-Hulud genuinely different from every supply chain attack before it: all 373 malicious versions carried valid SLSA Build Level 3 attestations. And the signatures checked out. But the tooling said “verified.” Yet the content was stealing credentials.

The problem is architectural. Here’s why: SLSA verifies who built the package, not what’s in the source code. But if the CI pipeline itself is compromised — which it was, through the OIDC token extraction — the provenance attestation is meaningless. The signature is valid, but the signal is noise.

For AI developers, this should be a wake-up call. We’ve been putting all our trust in a single verification layer. And this attack proved that’s not enough.

How to Verify Your AI Packages Right Now

I spent an afternoon running these tools across my own machines — a Ryzen 9 workstation running Ubuntu 24.04 with about 140 pip packages and a MacBook Air M3 with another 80 or so. Here’s what I found.

Start with pip audit

First thing I fired up was pip-audit. It scans your installed packages against the Python Advisory Database.

pip install pip-audit
pip-audit

On my Ubuntu box it found 3 medium-severity issues I had no idea about. One was an outdated cryptography package I’d ignored for months — CVE-2024-12796, a moderate DoS issue. Still, nothing critical — but it was a reminder that I wasn’t keeping up with my own dependency hygiene.

Sure, you can also use safety if you prefer a different advisory source:

pip install safety
safety check

Still, Safety’s database tends to update faster than PyPI’s native advisory feed in my experience. But the free tier only covers known CVEs, so for a quick scan, pip-audit is good enough.

Check your lockfile against reality

If you’re not using lockfiles for your Python projects, start today. And here’s a quick sanity check I run now:

diff <(pip freeze) <(pip list --format=freeze)

If the second list has packages the first one doesn’t, something unexpected got pulled in as a transitive dependency. That’s exactly how supply chain attacks spread — they hitch a ride on a legitimate-looking dependency and fly under the radar.

SLSA verification (with a giant asterisk)

Sure, you can technically use slsa-verifier to check provenance:

slsa-verifier verify --source-uri github.com/mistralai/mistral-framework --source-tag v2.4.5

The tool will tell you the provenance is valid. But after Mini Shai-Hulud, that output doesn’t mean what it used to. The compromised packages would have passed this check. So what’s the alternative?

I’ve been cross-referencing the SHA of each downloaded wheel against the CI build logs on GitHub Actions. Sure, it’s manual and tedious — but it’s the only way to catch a pipeline-level compromise. For high-value packages — anything with API key access — it’s worth the extra minute.

Use uv for better defaults

I’ve been slowly moving my projects to uv — Astral’s Python package manager. And this attack gave me more motivation. uv ships with security defaults that pip just doesn’t have:

• Lockfile by default: uv.lock is auto-generated and validated on every install
• Hash verification: uv checks package hashes against the lockfile — silently, without extra flags
• No post-install scripts by default: pip runs setup.py and hooks automatically; uv doesn’t

uv pip install mistralai==2.4.5  # known-safe version

Still, uv isn’t a silver bullet. The compromised package would have installed fine with uv too — the attack happened at the CI level, not the package format level. But uv’s lockfile-first approach makes it harder for unexpected versions to creep in.

I also tested this on my M3 MacBook. uv pip install with the same requirements file produced bit-identical lockfiles across both machines. That kind of reproducibility matters when you’re trying to audit what’s actually in your environment.

Build Long-Term Supply Chain Security Habits

Beyond the one-time checks, I’ve adopted a few habits that have caught issues early:

Audit your dependency graph regularly. Don’t just run pip list — use pipdeptree to see the full transitive tree. You’ll often find packages pulling in dependencies you didn’t know existed.

Pin everything. No loose pins like mistralai>=2.4.0. Use exact versions in requirements.txt or pyproject.toml. A malicious minor version bump shouldn’t auto-install on your next deploy.

Set up Dependabot or Renovate. Both tools will flag dependency changes before they hit production. Still, they’re not perfect — Renovate missed the Mistral payload because it only checks version bumps, not content changes. But they’re better than nothing.

Review your CI permissions. The pull_request_target trigger that compromised TanStack is dangerous in any workflow that checks out and runs untrusted code. Switch to pull_request with manual approval wherever possible. Rotate your OIDC tokens and CI credentials regularly — TeamPCP extracted tokens that had been sitting in CI memory for weeks.

Subscribe to the right feeds. I follow GitHub Advisory DB and the PyPI security mailing list — and use tools like last30days-skill to surface security chatter across Reddit, HN, and X. The alert for CVE-2026-45321 came through GitHub within hours of disclosure.

I also added Socket.dev to my workflow. It scans every PR’s dependency diff — flags typo-squatted names, manifest tampering, new network access — before you merge. It’s free for open source projects. So far, I’ve had it catch one false-positive and one genuine “this dependency gained an install script out of nowhere” warning in the last month.

The Bottom Line: Never Trust a Single PyPI Security Signal

Mini Shai-Hulud was a wake-up call for the entire AI development ecosystem. But the attack proved that “trust but verify” is dead — especially when the verification layer itself can be bypassed.

For AI developers, this matters more than it does for generic Python projects. AI toolchains pull in dozens of transitive dependencies. Every agent framework, every LLM client, every vector database is a potential attack surface. And let’s be honest — the Mistral package wasn’t targeted by accident. AI packages are high-value because they have access to API keys, model weights, and sometimes training data.

Here’s my advice in one sentence: treat every pip install as a risk, verify your dependencies with multiple tools, and never trust a single security signal. Run pip-audit today. Check your lockfiles. And if you’re deploying AI pipelines in production, add a dependency review step to your CI.

Stay safe out there.

Disclosure: Some links below are affiliate links. If you make a purchase through them, I earn a small commission at no extra cost to you.

Quick resources for dependency security:

If you don't have a Linux machine handy to run these scans, spinning up a $2.50/month VPS on Vultr is the cheapest way to get a clean Ubuntu environment for testing your own dependency audit workflow.

For teams looking to automate these checks in CI, DigitalOcean's App Platform integrates directly with GitHub and makes scheduled dependency scanning straightforward — no infrastructure management needed.

And if you want to go deeper on securing your Python supply chain, Black Hat Python (2nd Edition) covers attack surface analysis and defensive coding patterns that complement the verification tools discussed above.