Hackers Steal 450 Mistral AI Repositories in Supply Chain Attack, Demand $25,000 or They Leak Everything

What Happened
On May 14, 2026, a threat actor operating under the name TeamPCP posted on a hacker forum advertising roughly 450 internal Mistral AI repositories for sale at $25,000. The archive allegedly contains about 5 gigabytes of source code covering AI training, fine-tuning, benchmarking, model delivery, and inference infrastructure.
The deadline is brutal: no buyer within a week, and everything gets leaked for free.
Mistral AI confirmed hackers compromised a codebase management system — but the company is drawing a careful line about how deep the damage goes.
The Attack That Started It All
This didn't come out of nowhere. According to BleepingComputer's reporting by Bill Toulas on May 12, the Mini Shai-Hulud campaign is a large-scale software supply chain attack that hit hundreds of packages across npm and PyPI starting May 11.
TeamPCP exploited three chained vulnerabilities in TanStack's GitHub workflows: a risky `pull_request_target` workflow configuration, GitHub Actions cache poisoning, and theft of OIDC tokens from runner memory. That gave them the keys to publish malicious packages that looked completely legitimate — carrying valid SLSA provenance attestations, valid Sigstore signatures, and legitimate GitHub Actions credentials.
From a developer's perspective, there was NO visible sign anything was wrong. The packages looked cryptographically authentic.
Application security firm StepSecurity confirmed the infected packages moved through legitimate CI/CD pipelines. Endor Labs counted over 160 compromised packages on npm. Aikido recorded 373 malicious package-version entries. Socket tracked 416 compromised artifacts across npm and PyPI.
The malware was designed to steal everything a developer touches: GitHub tokens, AWS credentials, Kubernetes service account tokens, SSH keys, npm publish tokens, and CI/CD secrets.
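The three chained weaknesses named above (a `pull_request_target` workflow, Actions cache poisoning, OIDC token exposure) can be screened for in a repository's own workflow files. The following is an added example, not code from TanStack or any vendor named in this article; the two workflow texts are constructed, and the check is a text heuristic for the commonly documented risky pattern, since the article does not describe the exact configuration involved.

```python
import re

# Constructed workflow texts for illustration (not TanStack's actual files).
RISKY = """\
on:
  pull_request_target:
permissions:
  id-token: write
jobs:
  bench:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/cache@v4
        with:
          path: node_modules
          key: deps
      - run: npm ci && npm run bench
"""
SAFE = """\
on:
  pull_request_target:  # metadata only, never checks out PR code
permissions:
  pull-requests: write
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5
"""

HEAD_REF = re.compile(r"ref:.*github\.(event\.pull_request\.head\.(sha|ref)|head_ref)")

def audit_workflow(text):
    """Heuristic text scan of one workflow file; returns a list of findings."""
    text = re.sub(r"(?m)(^|[ \t])#.*$", "", text)    # drop YAML comments
    if not re.search(r"\bpull_request_target\b", text):
        return []
    if not HEAD_REF.search(text):
        return []                                     # trigger alone is not flagged
    findings = ["untrusted PR head checked out in a privileged run"]
    if re.search(r"uses:\s*actions/cache@", text):
        findings.append("cache written by that run can be restored by trusted jobs")
    if re.search(r"id-token:\s*write", text):
        findings.append("OIDC token can be requested by that run")
    return findings
```

Run `audit_workflow` over each file under `.github/workflows/`; any non-empty result is a workflow to review by hand, since a text scan cannot see which job a permission or step belongs to.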
Who Got Hit Beyond Mistral
Mistral wasn't alone. The attack spread to TanStack, UiPath, Guardrails AI, and OpenSearch. Bitwarden's CLI package and official SAP packages were also compromised in earlier Shai-Hulud iterations.
OpenAI confirmed to BleepingComputer that two of its employees had systems impacted, exposing access to "a limited subset of internal source code repositories." A small set of credentials was stolen. OpenAI says there's no evidence those credentials were used further, and it rotated the exposed code-signing certificates.
What Mistral Is Saying — And What to Make of It
Mistral AI told BleepingComputer that the breach started when a developer device was impacted by the TanStack supply chain attack. Their SDK packages were "contaminated for a brief period."
The company's official line: "Neither our hosted services, managed user data, nor any of our research and testing environments were compromised."
Mistral also says forensic investigation determined the impacted data was not part of core code repositories.
The forum post advertising the stolen data includes repository names like "mistral-inference-internal," "mistral-finetune-internal," "chatbot-security-evaluation," "devstral-cloud," and — notably — "pfizer-rfp-2025." Those names are consistent with genuine internal engineering environments, not what "non-core" data typically looks like.
As TechNadu reported, Mistral's official security advisories page has not confirmed a breach attributed to TeamPCP. The company acknowledged the TanStack incident but hasn't explicitly validated the stolen repositories as authentic.
Mistral confirmed something happened. They deny it's catastrophic. The hackers are selling what looks like detailed internal tooling. Someone is either minimizing or exaggerating — or both.
The $25,000 Price Tag
$25,000 for the internal repositories of a leading European AI company is remarkably cheap. Mistral AI has raised over €1 billion in funding. Its technology underpins enterprise AI deployments across Europe and beyond.
That price either means the data is less valuable than advertised — supporting Mistral's "non-core" claim — or TeamPCP is desperate for a quick cash-out and knows the clock is ticking before Mistral fully locks down its systems.
If no buyer emerges, everything reportedly goes public on a hacker forum.
What's Being Overlooked
Most tech outlets are treating this as a standard "company confirms breach, damage limited" story.
The Shai-Hulud campaign has been running since September 2025 — multiple iterations, each time exposing hundreds of thousands of developer secrets in auto-generated GitHub repositories. This is a sustained, professional operation.
The fact that TeamPCP successfully abused valid cryptographic signatures and legitimate CI/CD pipelines means the standard security advice — "only use signed, verified packages" — is now insufficient as a sole defense. Developers who did everything right still got burned.
A critical question remains unanswered: if one developer's compromised device can cascade into 450 internal repositories being up for auction, what does that say about how AI companies are protecting the intellectual property that makes them valuable?
Immediate Steps
For developers: Audit every package installed between May 11 and May 12, 2026. Stop using affected versions immediately. Rotate every credential that touched those environments — GitHub tokens, AWS keys, SSH keys, all of it.
For businesses using Mistral's APIs or SDKs: Demand a full incident report. "Hosted services weren't compromised" is a company statement, not an independent audit.
For anyone paying attention: The AI boom is built on open-source infrastructure that is actively being weaponized. The attackers aren't smashing windows — they're walking in through unlocked doors that the industry built and called "secure." That needs to change before the next Shai-Hulud wave makes $25,000 look like a bargain.
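For the developer audit step above, the sketch below checks an npm lockfile against a list of affected package versions, including copies nested under other dependencies. It is an added example, not tooling from Mistral or any vendor named here; the advisory entries and the lockfile are constructed placeholders, and a real list would come from the published advisories.

```python
import json

# Constructed advisory entries: placeholder names and versions, not real IoCs.
ADVISORY = {
    "@example-scope/router": {"1.2.3", "1.2.4"},
    "example-sdk": {"9.9.1"},
}

# Constructed package-lock.json in the lockfileVersion 3 layout.
LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/@example-scope/router": {"version": "1.2.4"},
        "node_modules/left-helper": {"version": "2.0.0"},
        "node_modules/left-helper/node_modules/example-sdk": {"version": "9.9.1"},
        "node_modules/example-sdk": {"version": "9.9.0"},
    },
})

def package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the innermost package)."""
    return lock_path.rpartition("node_modules/")[2]

def audit_lockfile(lock_text, advisory):
    """Return sorted (name, version, lock_path) for every advisory hit,
    including transitive copies nested under another package."""
    lock = json.loads(lock_text)
    if "packages" not in lock:
        # lockfileVersion 1 uses a different layout; fail loudly, not silently.
        raise ValueError("lockfile has no 'packages' map; regenerate with npm 7+")
    hits = []
    for path, meta in lock["packages"].items():
        if not path:                      # "" is the root project itself
            continue
        # An aliased install records its real name in "name".
        name = meta.get("name") or package_name(path)
        if meta.get("version") in advisory.get(name, ()):
            hits.append((name, meta["version"], path))
    return sorted(hits)
```

A hit means the affected version was resolved for that project; every credential reachable from machines or CI jobs that installed it falls under the rotation step.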