"We are looking for $25k BIN or they can pay this and we will shred these permanently, only selling to the best offer and limited to one person, if we cannot find a buyer within a week we will leak all of these for free to the forums," reads the TeamPCP sales pitch — an offer anchored to a surprisingly modest price and a hard deadline for what it claims is nearly 5 gigabytes of internal repositories and source code.
TeamPCP's demand and claimed haul
The hacker group operating under the name TeamPCP posted on a forum seeking $25,000 for a set of nearly 450 repositories it says were taken from Mistral AI. The actor claims roughly 5 gigabytes of "internal repositories and source code" used for training, fine-tuning, benchmarking, model delivery, and inference in experiments and future projects. The post invites negotiation — stating the price is flexible and buyers may submit alternate offers — but also threatens to publish the material publicly within a week if no buyer is found.
How the attackers moved: stolen CI/CD credentials and supply-chain contamination
Mistral AI told BleepingComputer that the incident followed the Mini Shai-Hulud software supply-chain attack and began with the compromise of official packages from TanStack and Mistral AI through stolen CI/CD credentials and legitimate workflows. According to the company, that initial compromise spread to hundreds of other software projects on the npm and PyPI registries, including packages associated with UiPath, Guardrails AI, and OpenSearch.
The company acknowledged that "they [the hackers] contaminated some of our SDK packages for a brief period." Mistral said a developer device was impacted by the TanStack supply-chain attack, a step that the company's advisory identifies as the entry point for the breach.
Mistral AI's forensic conclusions and the scope of what was accessed
In comments to BleepingComputer, Mistral AI emphasized that forensic investigators determined the impacted data "was not part of the core code repositories." The company stated explicitly that "neither our hosted services, managed user data, nor any of our research and testing environments were compromised." That account limits the company's description of impact while acknowledging contamination of some SDK packages.
Collateral effects: OpenAI and the response steps taken
OpenAI confirmed it was one of the organizations affected by the TanStack supply-chain impact. According to reporting, the incident touched systems of two OpenAI employees who had access to "a limited subset of internal source code repositories." A small set of credentials was stolen from those repositories, but investigators "found no evidence that they were used in additional attacks."
OpenAI's mitigation steps included rotating the code-signing certificates exposed in the incident and issuing a user-facing warning: macOS users must update their OpenAI desktop apps before June 12, or the software may fail to launch and stop receiving updates.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: The incident underscores the risk that stolen CI/CD credentials and legitimate workflows can propagate contamination across registries such as npm and PyPI. Teams maintaining SDKs and package workflows will likely re-examine credential hygiene and the integrity of CI/CD pipelines in light of the contamination Mistral reported.
- Procurement leaders and enterprise buyers: The episode links a third-party package provider (TanStack) to downstream impacts at multiple organizations, illustrating how dependencies can create exposure even when core services and hosted user data remain intact. Procurement and supply-chain risk assessments will be watching for similar transitive dependencies.
- End users of affected desktop software: OpenAI's warning — that macOS users must update desktop apps before June 12 to avoid launch failures and loss of updates — is a specific, time-sensitive action that users can take now to mitigate a documented consequence of the supply-chain event.
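For teams on the consuming side of an incident like this, the first concrete question is whether any of their own projects pulled a contaminated package version during the exposure window. The script below is an added illustration of that triage step and is not code from Mistral AI, OpenAI, TanStack or BleepingComputer; the advisory set, package names and versions in it are constructed placeholders, not identifiers from the incident. It reads an npm package-lock.json (lockfileVersion 2 or 3) and a PyPI requirements.txt, flags any dependency whose exact version appears in the advisory set, and also flags entries that are unpinned or carry no integrity hash, since those are the entries a registry-side substitution can slip through unnoticed.

```python
"""Triage lockfiles against package versions reported as contaminated in a
supply-chain incident.

Added example for this article, not code from any organization it names.
ADVISORY and the sample inputs are CONSTRUCTED placeholders.
"""
import json
import re
from dataclasses import dataclass

# Constructed placeholder advisory: (registry, package name, contaminated version).
# In a real triage this would come from the vendor or registry advisory.
ADVISORY = {
    ("npm", "@example/sdk", "1.4.2"),
    ("npm", "example-router", "3.0.7"),
    ("pypi", "example-sdk", "2.1.0"),
}


@dataclass(frozen=True)
class Finding:
    registry: str
    name: str
    version: str
    reason: str


def npm_lock_findings(lock_text: str) -> list[Finding]:
    """Scan a package-lock.json for contaminated versions and for entries that
    lack an integrity hash (without one, npm cannot detect a swapped tarball)."""
    lock = json.loads(lock_text)
    findings: list[Finding] = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        # "node_modules/@scope/name" or nested "node_modules/a/node_modules/b"
        name = path.split("node_modules/")[-1]
        version = meta.get("version", "")
        if ("npm", name, version) in ADVISORY:
            findings.append(Finding("npm", name, version, "contaminated version"))
        if "integrity" not in meta and not meta.get("link"):
            findings.append(Finding("npm", name, version, "no integrity hash"))
    return findings


REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-\[\]]+)\s*(==|>=|~=|<=|>|<)?\s*([^\s;#\\]*)")


def pypi_requirements_findings(req_text: str) -> list[Finding]:
    """Scan a requirements.txt. Exact pins are checked against the advisory;
    range or missing pins are flagged because they resolve to whatever the
    registry served at install time, and exact pins without --hash are flagged
    because pip then has nothing to verify the artifact against."""
    findings: list[Finding] = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment, or pip option
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name = m.group(1).split("[")[0].lower().replace("_", "-")
        op, version = m.group(2), m.group(3)
        if op == "==":
            if ("pypi", name, version) in ADVISORY:
                findings.append(Finding("pypi", name, version, "contaminated version"))
            if "--hash=" not in line:
                findings.append(Finding("pypi", name, version, "no --hash pin"))
        else:
            findings.append(Finding("pypi", name, version or "*", "not pinned to an exact version"))
    return findings


# Constructed sample inputs (not real project files).
SAMPLE_LOCK = json.dumps({
    "name": "app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "app", "version": "0.1.0"},
        "node_modules/@example/sdk": {"version": "1.4.2", "integrity": "sha512-AAA"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-router": {"version": "3.0.8", "integrity": "sha512-BBB"},
    },
})

SAMPLE_REQS = """\
example-sdk==2.1.0 --hash=sha256:0000  # constructed pin
requests>=2.31
numpy==1.26.4
"""


def triage() -> list[Finding]:
    """Run both scanners over the constructed samples."""
    return npm_lock_findings(SAMPLE_LOCK) + pypi_requirements_findings(SAMPLE_REQS)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.registry:5} {f.name}@{f.version}: {f.reason}")
```

The "no integrity hash" and "not pinned" findings matter as much as the direct matches: a project whose lockfile cannot prove which artifact it installed cannot rule itself out of the exposure window from the lockfile alone, and has to fall back to examining the installed files or rebuilding from a clean registry snapshot.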
The immediate storyline is straightforward: a threat actor is offering to sell or, failing a sale, to publish alleged internal Mistral AI source code taken after a supply-chain compromise of packages and CI/CD credentials. Mistral's forensic findings narrow the breach to non-core repositories and brief SDK contamination, and OpenAI's disclosures show the same supply-chain vector affected other organizations. Whether TeamPCP's asking price will secure a single buyer, or whether the material will be released publicly after the week-long deadline, remains the next concrete hinge point in this episode.