GHSA-wx9m-wx4f-4cmg: Malicious dropper in mistralai 2.4.6 PyPI package
Summary
Version 2.4.6 of the mistralai package on PyPI contained malicious code that runs when the package is imported on Linux systems. The malicious code downloads and executes a file from a remote server. Versions 2.4.5 and earlier are not affected.
Solution / Mitigation
Pin mistralai to version 2.4.5 or earlier. The upstream advisory states: 'Pin mistralai to 2.4.5 or earlier. While the PyPI project is quarantined, install from this repository at a known-good tag, e.g. git+https://github.com/mistralai/client-python.git@v2.4.5.' Additionally, on affected Linux hosts, rotate every credential reachable from the importing process and review host and cloud audit logs for activity from approximately 2026-05-12 00:05 UTC onward.
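As an added check (not code from the advisory or from the mistralai project), the script below flags requirements lines whose specifier could still resolve to the malicious 2.4.6, including loose lower bounds and compatible-release pins such as ~=2.4.0, while leaving a direct git tag reference alone. It parses only a simplified subset of requirement syntax, and the sample requirements are constructed.

```python
import operator
import re
MALICIOUS = (2, 4, 6)  # the mistralai release the advisory names as carrying the dropper
OPS = {"==": operator.eq, "!=": operator.ne, "<=": operator.le,
       "<": operator.lt, ">=": operator.ge, ">": operator.gt}
# name, optional [extras], specifier, optional comment: a simplified PEP 508 subset (assumption)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*(.*?)\s*(?:#.*)?$")
CLAUSE_RE = re.compile(r"^\s*(==|!=|<=|>=|~=|<|>)\s*([0-9]+(?:\.[0-9]+)*)\s*$")

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def clause_admits(op, ver, candidate):
    if op == "~=":  # '~=X.Y.Z' is >=X.Y.Z plus ==X.Y.*: only the last listed component floats
        return candidate >= ver and candidate[:len(ver) - 1] == ver[:len(ver) - 1]
    return OPS[op](candidate, ver)

def specifier_admits(spec, candidate):
    """True when every comma-separated clause accepts candidate; an empty spec admits all."""
    if not spec:
        return True
    for clause in spec.split(","):
        m = CLAUSE_RE.match(clause)
        if not m:
            return True  # unparsed clause (e.g. '==2.4.*'): cannot prove exclusion, so flag it
        if not clause_admits(m.group(1), parse_version(m.group(2)), candidate):
            return False
    return True

def audit(lines):
    """Return the mistralai requirement lines whose specifier could resolve to 2.4.6."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m or m.group(1).lower() != "mistralai":
            continue
        spec = m.group(2).split(";")[0].strip()  # drop environment markers
        if spec.startswith("@"):
            continue  # direct URL reference, such as the known-good git tag the advisory suggests
        if specifier_admits(spec, MALICIOUS):
            findings.append(line.strip())
    return findings
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt, not taken from the advisory
mistralai==2.4.6
mistralai>=2.4
mistralai~=2.4.0
mistralai==2.4.5 ; python_version >= "3.9"
mistralai @ git+https://github.com/mistralai/client-python.git@v2.4.5
"""
```

Run audit(SAMPLE_REQUIREMENTS.splitlines()) to see that the exact pin, the loose lower bound and the ~= pin are all reported while the two safe lines are not.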
Original source: https://github.com/advisories/GHSA-wx9m-wx4f-4cmg
First tracked: May 18, 2026 at 02:00 PM