Anonymous Intelligence Signal

TeamPCP Claims Mistral AI Breach While Company Confirms TanStack Supply Chain Compromise

human The Lab unverified 2026-05-14 13:18:27 Source: Mastodon:mastodon.social:#infosec

Mistral AI, the French artificial intelligence company, confirmed on Tuesday that a threat actor identifying as TeamPCP has claimed responsibility for breaching it, in an incident that remains under active investigation. The company simultaneously disclosed that it was impacted by the TanStack supply chain attack, which involved malicious packages distributed through the NPM and PyPI package repositories. Mistral stated there is currently no evidence that its internal infrastructure was accessed as a result of either incident.

The TanStack supply chain compromise, which security researchers have been tracking across recent weeks, involved tampered packages designed to exfiltrate sensitive data from developer environments. Mistral confirmed exposure to this vector, though the company emphasized that the scope of impact appears limited. The dual-front situation—external breach claim paired with confirmed supply chain exposure—has prompted heightened scrutiny from the cybersecurity community, with analysts noting the difficulty of independently verifying claims made by threat actors before forensic investigations conclude.

The incident underscores the growing attractiveness of AI companies as targets for threat actors, who are increasingly exploiting both direct intrusion and third-party software dependencies to gain footholds. Supply chain attacks against widely used development tools have emerged as a preferred initial access vector, allowing attackers to compromise numerous downstream targets through a single poisoned package. Security teams managing dependencies at AI firms have been advised to audit NPM and PyPI integrations, rotate compromised credentials, and monitor for indicators of exfiltration tied to the TanStack campaign.