TeamPCP Hackers Advertise Mistral AI Code Repos for Sale
TeamPCP hackers are offering nearly 450 Mistral AI repositories for sale at $25,000, with a one-week deadline before they leak the data. They claim the stolen data covers training, fine-tuning, benchmarking, model delivery, and inference materials from Mistral AI, tied to the TanStack supply-chain attack that also compromised CI/CD credentials and multiple npm/PyPI packages. Mistral AI says the breach touched some SDK packages but did not affect core repositories or hosted services, while OpenAI confirms related impacts and has rotated certificates and pushed updates for affected users.

TeamPCP Hackers Put 450 Mistral AI Repositories Up for Sale
Overview
A notorious hacker collective known as TeamPCP has announced intentions to leak source code tied to Mistral AI if a buyer cannot be found. In a post on a hacker forum, the group states they are seeking around $25,000 for a set of roughly 450 repositories. The matter underscores ongoing concerns about supply-chain security, open-source workflows, and the risks associated with compromised credentials in modern development environments.
The Threat and What Is Being Sold
- The attackers claim access to nearly 5 gigabytes of internal repositories and source code used by Mistral AI for training, fine-tuning, benchmarking, model delivery, and inference experiments.
- The asking price is stated as $25,000 in Bitcoin or equivalent, with caveats: the offer is negotiable, the sale is limited to a single buyer, and the group threatens to leak everything for free if no buyer emerges within a week.
- The material reportedly includes development assets that could enable attackers to reproduce experiments, fine-tuning pipelines, or benchmarks related to Mistral AI’s models.
- The posture taken by TeamPCP suggests a willingness to negotiate, with indications that they will shred the data or hand it over only for the best offer.
How It Began: The Breach Chain
- The sequence traces back to the Mini Shai-Hulud software supply-chain incident, which targeted code repositories and package registries through compromised CI/CD credentials and legitimate workflows.
- The initial foothold occurred in official packages from TanStack and Mistral AI, believed to have been exploited via stolen credentials.
- Once inside, the breach spread to hundreds of software projects across npm and PyPI registries, touching a broad ecosystem including UiPath, Guardrails AI, and OpenSearch.
- Mistral AI stated that the attackers contaminated some of their SDK packages for a short period, signaling that downstream developers using those SDKs could have encountered tainted components.
What Was Contaminated and What Was Not
- The claim from TeamPCP centers on a subset of internal repositories and related source code used by Mistral AI for various stages of model development and evaluation.
- Mistral AI confirmed that while the attacker did compromise some SDK packages, the core code repositories themselves were not breached.
- Forensic investigators found that the impacted data did not reside in Mistral AI’s core repositories, and that hosted services, user data, and research/testing environments were not compromised.
- OpenAI also acknowledged a TanStack-related breach affecting a limited subset of internal source code repositories accessed by two employees, with a small set of credentials stolen but no evidence of broader exploitation.
Responses from Affected Parties
- Mistral AI stated that the breach was limited to certain SDK components and did not impact their primary codebase, hosted services, or user data. They emphasized that the core code repositories remained secure and that the incident did not compromise their ongoing research or testing environments.
- In parallel, OpenAI confirmed that the TanStack supply-chain attack affected a narrow portion of internal repositories accessed by a small number of employees. The response included routine security measures such as rotating code-signing certificates and advising macOS users to update OpenAI desktop apps to ensure compatibility and continued updates.
Broader Context and Implications
- The incident highlights the fragility of supply chains in software development, where compromised credentials and third-party packages can cascade into widespread risks across multiple organizations.
- The fact that TeamPCP is attempting to monetize access to a large set of internal assets raises concerns about the potential for model training data, proprietary configurations, benchmarking results, and fine-tuning parameters to be exposed or misused.
- The episode serves as a reminder to organizations relying on external packages and SDKs to implement rigorous credential management, continuous monitoring, and rapid incident response to contain any contamination that may occur in the wild.
- The involvement of multiple actors—Mistral AI, TanStack, OpenAI, and TeamPCP—illustrates how intertwined modern AI and software ecosystems are, with vulnerabilities in one corner potentially affecting many downstream users and partners.
Threat Negotiation and What It Indicates
- The seller’s stance emphasizes negotiation as a pathway to avoid public leakage, but also leaves room for the possibility of a full data dump if negotiations falter.
- The situation underscores the volatility of so-called “open-weight” AI ecosystems, where access to training data, model weights, and experimental pipelines can be valuable assets in the hands of threat actors.
- For developers and operators, the episode reinforces the importance of verifying the integrity of dependencies, validating package provenance, and applying robust access controls across CI/CD environments.
Related Developments and Ongoing Coverage
- Coverage related to this thread includes OpenAI’s security breach updates tied to the TanStack attack, broader supply-chain compromise reports, and discussions of how organizations are responding to similar threats.
- Industry observers are increasingly emphasizing proactive defense measures, such as zero-trust posture for development workflows, prompt revocation of compromised credentials, and rapid rotation of cryptographic signing keys.
Key Takeaways for Security Posture
- Supply-chain attacks can ripple across multiple organizations through trusted tooling and shared ecosystems.
- Even when core repositories appear unaffected, ancillary components like SDKs and internal tooling may be exposed, underscoring the need for comprehensive threat modeling that includes downstream artifacts.
- Rapid incident response, credential hygiene, and proactive monitoring remain essential to minimize exposure and limit the window during which attackers can leverage compromised assets.
Contextual note: The sequence described here reflects publicly reported statements and agency advisories concerning the incident, and underscores the dynamic nature of the cybersecurity landscape where supply-chain integrity remains a central concern for AI developers and software platforms alike.


