PyPI Attack Poisoned 400 Packages, Stole AI Keys

Microsoft flagged a supply chain attack targeting Mistral AI through PyPI, where over 400 malicious package versions spread across 170 packages went undetected. The attack exposed deep vulnerabilities in the trust chain behind AI development tools. The malware silently targeted cloud credentials, GitHub tokens, and cryptocurrency wallet secrets. The incident highlights how easily compromised packages can infiltrate widely used developer ecosystems without immediate detection.