TeamPCP Hackers Put 450 Mistral AI Repos and 5GB of Source Code Up for Sale at $25,000

The TeamPCP threat group, the same crew behind the May 11 TanStack npm supply chain attack, is openly auctioning what it claims is the internal source code of Mistral AI. According to a listing posted to a hacker forum and surfaced by BleepingComputer on May 22, the attackers are asking $25,000 BIN for roughly 450 repositories totaling about 5 GB — code Mistral uses for “training, fine-tuning, benchmarking, model delivery, and inference in experiments and future projects.”

The terms are blunt. “We are looking for $25k BIN or they can pay this and we will shred these permanently, only selling to the best offer and limited to one person,” the group wrote, adding that if no buyer surfaces within a week, “we will leak all of these for free to the forums.” Independent confirmation came from OECD.AI’s incident tracker, TechRadar and The Cyber Signal, all of which independently verified the listing.

Mistral has confirmed the breach but is drawing a tight perimeter around what was lost. In a statement provided to reporters, the Paris-based lab said attackers “contaminated some of our SDK packages for a brief period” via the Mini Shai-Hulud worm — the same CI/CD-credential-stealing payload that hit TanStack — but insisted that “neither our hosted services, managed user data, nor any of our research and testing environments were compromised.” In other words: an engineer’s machine got hit, the attackers pivoted through legitimate CI workflows, and SDK plumbing leaked, but the company says the production model weights, customer prompts and unreleased research are not part of the auction.

The Mistral hit is the second AI lab confirmed casualty of the same campaign. OpenAI disclosed earlier in the week that two employee Macs were compromised in the May 11 TanStack incident, rotated iOS, macOS and Windows code signing certificates, and said it would re-sign all affected binaries by June 12. Independent researchers tracking TeamPCP (also known as DeadCatx3, PCPcat, ShellForce and CanisterWorm) say the group has now chained credential theft across GitHub Actions, Docker Hub, OpenVSX, npm and PyPI, with more than 500 npm packages and an estimated 3,800 internal GitHub repositories caught up in the cascade since March.

For Mistral, the timing is brutal. The company shipped Medium 3.5 earlier in May and is in the middle of a heavily marketed European enterprise push, with cybersecurity deals at banks frozen out of Anthropic’s Mythos. A confirmed source code leak — even if it never includes weights — hands rivals and red teams a map of how the company builds, tests and ships models. And the broader story TeamPCP is telling is increasingly hard to ignore: the soft underbelly of frontier AI right now is not the model, it is the developer laptop that pushed yesterday’s commit.