Technology Daily Brief

CSA Post-Mortem Confirms 172-Package AI Supply Chain Campaign, and a First-Documented SLSA Level 3 Attestation Bypass

Source: Cloud Security Alliance AI Safety Initiative
The Cloud Security Alliance's AI Safety Initiative has published a formal post-mortem on the Shai-Hulud/Megalodon supply chain attack, documenting two coordinated waves that compromised 172 AI-related packages and 5,561 GitHub repositories, including the official Mistral AI SDK. More significant than the scale is the method: per the CSA report, this is the first publicly documented case of a supply chain exploit generating valid SLSA Build Level 3 provenance attestations by hijacking a legitimate build pipeline, not by forging signatures externally.
Wave 2 malicious commits: 5,718 in 6 hours

Key Takeaways

  • Per the CSA post-mortem, Wave 1 compromised 172 packages across 404 malicious versions, including the official Mistral AI SDK (mistralai==2.4.6), TanStack, Guardrails AI, and UiPath.
  • Per CSA, this is the first publicly documented SLSA Build Level 3 attestation bypass via a compromised build pipeline, not a signature forgery, requiring a revised threat model for provenance verification.
  • Wave 2 pushed 5,718 malicious commits to 5,561 repositories in under six hours, per CSA; that velocity is consistent with an automated, infrastructure-backed campaign.
  • Persistence hooks may remain in Claude Code and VS Code environments that were active during the compromise window; audit them before treating those environments as clean.
Compromised AI packages (Wave 1): 172, across 404 malicious versions, per CSA post-mortem

Shai-Hulud/Megalodon Exposure Assessment

  • Dependency exposure (high): 172 packages across npm/PyPI; audit for mistralai==2.4.6, TanStack, Guardrails AI and UiPath immediately.
  • Attestation trust model (high): SLSA Build Level 3 attestations are no longer sufficient as a standalone trust signal; first documented bypass via pipeline compromise, per CSA.
  • IDE/tool persistence (medium): Claude Code and VS Code environments active during the window may carry persistence hooks; audit before reuse.

SLSA Build Level 3 was supposed to be the strong verification standard. If your package carried a valid Level 3 attestation, the build provenance was supposed to be trustworthy. The Shai-Hulud/Megalodon attack, per the Cloud Security Alliance’s formal post-mortem, demonstrates that this assumption is now documented as exploitable.

Per the CSA report, Wave 1 (“Mini Shai-Hulud”) compromised 172 npm and PyPI packages across 404 malicious versions. Named packages reported to be affected include the official Mistral AI SDK (`mistralai==2.4.6`), TanStack, Guardrails AI, and UiPath. For context: if your team uses the Mistral Python SDK, TanStack query libraries, or Guardrails AI in any pipeline that was active during the Wave 1 window, audit your dependency lockfiles now. Don’t wait for your next scheduled review.
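The lockfile audit the paragraph above asks for can be scripted. The following is an added example, not tooling from CSA or from any of the named projects. Only the `mistralai==2.4.6` pin comes from the report; the npm `@tanstack/` scope, the PyPI name `guardrails-ai` and the `uipath` name prefix are this example's assumptions about how those projects appear in lockfiles, so anything they match is a "review manually" hit rather than a confirmed bad version. The sample `requirements.txt` and `package-lock.json` contents are constructed.

```python
"""Audit pinned dependencies for the package names named in the CSA post-mortem.

Added example (not CSA or vendor code). Exact known-bad pin: mistralai==2.4.6.
All other matches are name-based watchlist hits that need manual review.
"""
import json
import re
from dataclasses import dataclass

# The one exact version pin the report gives; keyed by (ecosystem, normalized name).
KNOWN_BAD_PINS = {("pypi", "mistralai"): {"2.4.6"}}

# Name patterns to surface for review. The identifiers here are assumptions
# about how TanStack, Guardrails AI and UiPath show up in lockfiles.
WATCH_PATTERNS = {
    "pypi": [re.compile(r"^mistralai$"), re.compile(r"^guardrails-ai$"),
             re.compile(r"^uipath", re.I)],
    "npm": [re.compile(r"^@tanstack/"), re.compile(r"^uipath", re.I)],
}


@dataclass(frozen=True)
class Finding:
    ecosystem: str
    name: str
    version: str
    severity: str  # "known-bad" = exact pin from the report; "review" = watchlist name


def parse_requirements(text):
    """Yield (normalized name, version) for '==' pins in a requirements.txt."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([^\s;]+)", line)
        if m:
            # PEP 503 style normalization: lowercase, '_' -> '-'
            yield m.group(1).lower().replace("_", "-"), m.group(2)


def parse_package_lock(text):
    """Yield (name, version) from a lockfileVersion 2/3 package-lock.json."""
    lock = json.loads(text)
    for path, meta in lock.get("packages", {}).items():
        if not path:                                  # "" is the root project
            continue
        name = meta.get("name") or path.split("node_modules/")[-1]
        yield name, meta.get("version", "")


def audit(entries, ecosystem):
    """Classify each (name, version) pair; returns a list of Finding."""
    findings = []
    for name, version in entries:
        if version in KNOWN_BAD_PINS.get((ecosystem, name), set()):
            findings.append(Finding(ecosystem, name, version, "known-bad"))
        elif any(p.search(name) for p in WATCH_PATTERNS[ecosystem]):
            findings.append(Finding(ecosystem, name, version, "review"))
    return findings


# Constructed sample inputs (not real project lockfiles).
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
requests==2.32.3
mistralai==2.4.6
guardrails-ai==0.5.0   # constructed version; only the name is on the watchlist
"""
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "version": "1.0.0"},
        "node_modules/@tanstack/query-core": {"version": "5.0.0"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})


def run_sample():
    """Run both parsers over the constructed samples and merge the findings."""
    return (audit(parse_requirements(SAMPLE_REQUIREMENTS), "pypi")
            + audit(parse_package_lock(SAMPLE_PACKAGE_LOCK), "npm"))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.ecosystem}:{f.name}@{f.version}")
```

Point the two parsers at every lockfile that was checked in or generated during the Wave 1 window, not just the current one; a pin that was later bumped still tells you the bad version was installed somewhere.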

The SLSA exploit is the finding that changes the conversation. Per the CSA post-mortem, the attackers compromised a legitimate build pipeline; they did not forge external signatures. They generated valid SLSA Build Level 3 provenance attestations from inside a hijacked build system. That is a category shift. Previously, an SLSA attestation bypass meant detecting a forgery. Now it means detecting a compromised pipeline that still produces technically valid attestations. The verification toolchain has not changed. The threat model has.
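To make the threat-model shift concrete, here is an added example (not CSA, SLSA project, or any vendor's code) of a provenance policy check in Python. The statements are constructed in the shape of a SLSA provenance v1 in-toto Statement; the builder id, repository URI and artifact bytes are placeholders. Signature verification is modelled as a boolean that has already passed, because the article's point is precisely that a hijacked pipeline emits attestations that verify. The example shows that the usual checks (signature, subject digest, builder id, source repository) all pass for the hijacked build, and that only an independent signal, here the digest of a second independently controlled or reproducible build, separates the two cases.

```python
"""Provenance policy evaluation that goes past "the attestation verified".

Added example, not CSA or SLSA project code. Statement shape follows the
SLSA provenance v1 in-toto Statement; all identifiers are placeholders.
"""
import hashlib

EXPECTED_BUILDER = "https://example.invalid/builders/release-pipeline"  # placeholder
EXPECTED_SOURCE = "git+https://example.invalid/org/sdk"                 # placeholder
EXPECTED_COMMIT = "0" * 40                                              # placeholder


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact_bytes):
    """Constructed provenance statement as the (possibly hijacked) pipeline
    would emit it: it honestly describes whatever the pipeline built."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "sdk.whl", "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/buildtypes/ci",  # placeholder
                "resolvedDependencies": [
                    {"uri": EXPECTED_SOURCE, "digest": {"gitCommit": EXPECTED_COMMIT}}
                ],
            },
            "runDetails": {"builder": {"id": EXPECTED_BUILDER}},
        },
    }


def _source_dep(statement):
    deps = statement["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    return next((d for d in deps if d.get("uri", "").startswith("git+")), None)


def evaluate(statement, signature_valid, artifact_bytes, independent_digest=None):
    """Return policy findings; an empty list means every check passed.

    independent_digest: sha256 of the same release produced by a second build
    the attacker does not control (reproducible rebuild or separate pipeline).
    Without it the policy can only confirm the attestation is self-consistent.
    """
    findings = []
    if not signature_valid:
        findings.append("signature: attestation signature did not verify")
    digest = sha256_hex(artifact_bytes)
    subjects = {s["digest"].get("sha256") for s in statement.get("subject", [])}
    if digest not in subjects:
        findings.append("subject: artifact digest not covered by attestation")
    builder = statement["predicate"].get("runDetails", {}).get("builder", {}).get("id")
    if builder != EXPECTED_BUILDER:
        findings.append(f"builder: unexpected builder id {builder!r}")
    src = _source_dep(statement)
    if src is None or src["uri"] != EXPECTED_SOURCE:
        findings.append("source: provenance does not point at the expected repository")
    elif src["digest"].get("gitCommit") != EXPECTED_COMMIT:
        findings.append("source: provenance commit is not the released commit")
    if independent_digest is not None and independent_digest != digest:
        findings.append("rebuild: attested artifact differs from independent build")
    return findings


# Constructed artifacts: what the honest pipeline would ship vs. what a
# hijacked pipeline ships (same source, same builder, tampered output).
CLEAN_ARTIFACT = b"constructed clean wheel bytes"
TAMPERED_ARTIFACT = b"constructed wheel bytes with injected payload"

if __name__ == "__main__":
    print("clean   :", evaluate(make_statement(CLEAN_ARTIFACT), True, CLEAN_ARTIFACT))
    print("hijacked:", evaluate(make_statement(TAMPERED_ARTIFACT), True, TAMPERED_ARTIFACT))
    print("hijacked + independent rebuild:",
          evaluate(make_statement(TAMPERED_ARTIFACT), True, TAMPERED_ARTIFACT,
                   independent_digest=sha256_hex(CLEAN_ARTIFACT)))
```

The second call returns no findings: every field the verifier can inspect is what the policy expects, because the pipeline that produced the attestation is the one that was compromised. Only the third call, which brings in a digest the pipeline did not produce, yields a finding. That is the practical meaning of "the verification toolchain hasn't changed, the threat model has".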

Wave 2 escalated further. Per the CSA report, 5,718 malicious commits were pushed to 5,561 GitHub repositories in under six hours. That velocity, roughly one repository per four seconds, suggests an automated campaign with pre-staged access, not manual exploitation. The scale and speed together indicate a level of infrastructure investment beyond opportunistic attack.

Immediate Security Actions, Shai-Hulud/Megalodon

  • Audit dependency lockfiles for mistralai==2.4.6, TanStack, Guardrails AI, UiPath
  • Reassess SLSA Build Level 3 attestation as standalone trust signal
  • Audit Claude Code and VS Code environments active during compromise window
  • Review CI/CD pipeline access logs for Wave 2 window (6-hour commit flood)
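The last action item, reviewing pipeline and repository access logs for the Wave 2 commit flood, and the velocity figure quoted earlier (5,718 commits into 5,561 repositories in under six hours, about one repository every four seconds) both come down to the same detection: one actor or token touching many distinct repositories inside a short window. The following is an added example, not CSA tooling. The event line format (ISO timestamp, actor, repository, action), the actor names and the timestamps are constructed, and the window and repository-count thresholds are starting points derived from the reported rate, not published indicators.

```python
"""Sliding-window detector for one actor pushing to many repositories quickly.

Added example, not CSA or vendor tooling. Log format and thresholds are
constructed; tune them against your own normal push rates.
"""
from collections import deque
from datetime import datetime, timedelta


def parse_event(line):
    """Parse 'ISO-timestamp actor repo action' into (datetime, actor, repo)."""
    ts, actor, repo, _action = line.split()
    return datetime.fromisoformat(ts), actor, repo


def detect_bursts(lines, window_seconds=60, min_repos=10):
    """Return one alert per actor whose pushes reach min_repos distinct
    repositories within any window_seconds-long sliding window.

    Alert tuple: (actor, window_start, window_end, distinct_repos).
    """
    per_actor = {}
    for line in lines:
        ts, actor, repo = parse_event(line)
        per_actor.setdefault(actor, []).append((ts, repo))

    alerts = []
    for actor, events in per_actor.items():
        events.sort()
        window = deque()
        for ts, repo in events:
            window.append((ts, repo))
            # Drop events older than the window relative to the newest one.
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                window.popleft()
            repos = {r for _, r in window}
            if len(repos) >= min_repos:
                alerts.append((actor, window[0][0], ts, len(repos)))
                break  # one alert per actor is enough to open a triage ticket
    return alerts


def constructed_events():
    """Constructed audit events: an automated token hitting a new repository
    every four seconds (the rate reported for Wave 2) next to a developer
    pushing three times to one repository over an hour. Date is a placeholder."""
    base = datetime(2026, 5, 20, 3, 0, 0)
    lines = []
    for i in range(20):
        ts = (base + timedelta(seconds=4 * i)).isoformat()
        lines.append(f"{ts} ci-token-7 org/repo-{i:03d} push")
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} dev-alice org/app push")
    return lines


if __name__ == "__main__":
    for actor, start, end, n in detect_bursts(constructed_events()):
        print(f"ALERT {actor}: {n} distinct repos between {start} and {end}")
```

Keying the window on the actor or token rather than on the repository is what makes the campaign pattern visible: each individual repository only saw one or two commits, so per-repository rate limits would not have fired. A real deployment would read the provider's audit log export instead of the constructed lines, and should also baseline legitimate automation (dependency-update bots, monorepo sync jobs) before setting `min_repos`.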

The persistence risk

The CSA post-mortem flags that persistence hooks may exist in Claude Code and VS Code if either tool was active during the compromise window. If you run either tool against code that was in a compromised repository during the Wave 1 or Wave 2 windows, treat that environment as potentially affected until you’ve audited it.

Why it matters

Our prior coverage on May 16 documented the TanStack attack and the broader three-attack pattern as it was breaking. What the CSA formal post-mortem adds is scope and technical classification. The individual incidents are now confirmed as a single coordinated two-wave campaign. The SLSA bypass is newly classified as a first-documented case. These are not incremental updates; they change the required response.

Context

The CSA report places this alongside the Hugging Face pickle attacks from earlier this month and the TanStack compromise as part of an accelerating pattern of AI supply chain targeting. The targets are not random; they are AI developer toolchain components with high install volumes. That is a selection criterion, not a coincidence.

Warning

The SLSA Build Level 3 bypass documented by the CSA is the finding that changes your trust model, not just your package list. A valid attestation no longer means a clean build if the pipeline itself was compromised. Update your supply chain security assumptions accordingly.

What to watch

The CSA AI Controls Matrix and STAR for AI program will likely incorporate findings from this post-mortem into updated supply chain security guidance. Watch for the SLSA specification maintainers' response to the Build Level 3 bypass documentation; the spec itself may need revision.

TJS synthesis

Security teams need to act on three fronts immediately: audit any pipeline that included `mistralai==2.4.6`, TanStack, Guardrails AI, or UiPath during the compromise window; reassess SLSA Build Level 3 attestation as a sufficient trust signal in isolation; and if Claude Code or VS Code was active against affected repositories, treat those environments as compromised pending investigation. The formal CSA post-mortem gives you the documentation authority to make this case to leadership.

More from May 24, 2026

Stay ahead on Technology

Get verified AI intelligence delivered daily. No hype, no speculation, just what matters.

Explore the AI News Hub