Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp - @mistralai/mistralai-azure

Description

Mistral npm @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp were compromised by a supply chain attack related to the TanStack security incident. An automated worm associated with the attack led to compromised npm package versions being published.

Recommendation

No fix is available yet. Followings are affected versions:

• **= 1.7.3

  = 1.7.2

  = 1.7.1**

References

• GHSA-jgg6-4rpr-wfh7
• CWE-506

Related Issues

• Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp - @mistralai/mistralai - Vulnerability
• Broken dropper in @mistralai/mistralai, @mistralai/mistralai-azure, @mistralai/mistralai-gcp - Vulnerability
• Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - CVE-2024-35255
• Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability - @azure/identity - CVE-2024-35255

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@mistralai/mistralai-azure