Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp — GHSA-JGG6-4RPR-WFH7
GitHub · GitHub · GHSA-JGG6-4RPR-WFH7
ID
GHSA-JGG6-4RPR-WFH7
GHSA-JGG6-4RPR-WFH7
Date
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
low
low
Summary
Mistral npm `@mistralai/mistralai`, `@mistralai/mistralai-azure`, `@mistralai/mistralai-gcp` were compromised by a supply chain attack related to the [TanStack security incident](https://github.com/TanStack/router/security/advisories/GHSA-g7cv-rxg3-hmpx). An automated worm associated with the attack led to **compromised npm package versions being published**. Current investigation indicates that an affected…
Product
npm: @mistralai/mistralai | npm: @mistralai/mistralai-azure | npm: @mistralai/mistralai-gcp
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.