{"data":{"id":"a7a92fe5-f337-49c0-bdb5-2ea88199731b","title":"GHSA-jgg6-4rpr-wfh7: Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp","summary":"Three Mistral AI npm packages (@mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp) were compromised in a supply chain attack (where malicious code is inserted into legitimate software dependencies) between May 11-12. However, the malicious code, called a dropper (a program designed to download and execute harmful payloads), was broken and failed to run because it referenced the wrong filename. The affected versions have been removed from npm.","solution":"1. Stop using the affected package versions immediately (2.2.2, 2.2.3, 2.2.4 for @mistralai/mistralai; 1.7.1, 1.7.2, 1.7.3 for @mistralai/mistralai-azure and @mistralai/mistralai-gcp). 2. Clean systems where these packages were installed. Check your installed versions using 'npm ls' or by searching your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock) for the affected version numbers. \nAlso check build artifacts, container images, and package caches for the malicious files: router_init.js, tanstack_runner.js, or @tanstack/setup package.json.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-jgg6-4rpr-wfh7","publishedAt":"2026-05-18T17:55:53.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"low","severity":"low","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":["@mistralai/mistralai-gcp@= 1.7.3","@mistralai/mistralai-gcp@= 1.7.2","@mistralai/mistralai-azure@= 1.7.3","@mistralai/mistralai-azure@= 1.7.2","@mistralai/mistralai@= 2.2.4"],"affectedVendors":["Mistral"],"affectedVendorsRaw":["Mistral AI","@mistralai/mistralai","@mistralai/mistralai-azure","@mistralai/mistralai-gcp"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-05-18T17:55:53.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":null,"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}