PyPI: Malicious 'fastapi' Version 0.136.3 Compromises 111M Weekly Downloads
On 2026-05-23, a malicious version of the popular Python web framework fastapi (111M weekly downloads) was disclosed on PyPI alongside a suspicious companion package, mistral-evals, in a coordinated 35-minute takedown window.
Key findings
- Malicious fastapi version 0.136.3 (111M weekly downloads) was disclosed alongside mistral-evals in a 35-minute coordinated window
- The compromised fastapi package exfiltrates environment variables — a credential-harvesting technique targeting API keys and tokens
- Mistral-evals (version 999.0.0) is a low-download companion package with similar command-execution behavior
- Any system that installed fastapi 0.136.3 should be considered fully compromised; all secrets must be rotated
- The attack represents a maintainer account takeover of one of PyPI's most depended-upon frameworks
Compromise of a Core Python Framework
On 2026-05-23, a malicious version of fastapi — one of the most widely adopted Python web frameworks, with 111 million weekly downloads and nearly half a billion monthly installs — was disclosed on PyPI. The rogue release, version 0.136.3, was published alongside a suspicious companion package called mistral-evals (version 999.0.0) within a 35-minute window, suggesting a coordinated takedown push by security teams after the compromise was detected.
Fastapi, first published in December 2018 and now a cornerstone of the Python web ecosystem, is depended upon by thousands of downstream projects. A compromise at this scale represents one of the most consequential supply-chain incidents targeting PyPI in recent memory.
The Attack Pattern
While the two packages do not share an obvious naming prefix or scope — one is a legitimate high-profile framework, the other a newly registered package with an inflated version number — the timing is the tell. Both advisories were published within 35 minutes of each other on the same day, consistent with a coordinated disclosure after a maintainer account takeover.
The mistral-evals package (version 999.0.0) is a clear anomaly: it receives only 2 weekly downloads and was published with an artificially high version number, a pattern often seen in test or staging packages used during an attack. Its name mirrors the legitimate Mistral AI ecosystem, suggesting an attempt to piggyback on the AI/LLM tooling trend.
Malicious Behavior
OpenSSF Package Analysis flagged the compromised fastapi 0.136.3 for suspicious post-install behavior. The malware was observed executing commands and exfiltrating environment variables — a classic credential-harvesting technique that targets API keys, database credentials, and cloud provider tokens stored in environment configuration. The behavioral findings reference configuration file patterns such as project.optional, pyproject.toml, and setup.py, indicating the malicious code may have been injected into or triggered through the Python build system.
The mistral-evals package exhibited similar command-execution behavior, reinforcing the conclusion that both packages were part of the same campaign — one targeting a high-value framework, the other serving as a secondary vector or decoy.
Severity and Impact
The severity of this incident cannot be overstated. Any system that installed fastapi 0.136.3 should be considered fully compromised. The package's post-install script had the ability to read and exfiltrate environment variables, meaning secrets, tokens, and credentials stored in CI/CD pipelines, cloud deployments, and local development environments may have been exposed. Organizations using fastapi in production should assume that any machine or container that pulled version 0.136.3 — even briefly — has been breached.
Detection and Response
Developers and DevOps teams should immediately audit their dependency trees for fastapi version 0.136.3 and the mistral-evals package at any version. Run the following checks:
bash pip show fastapi | grep Version pip show mistral-evals
If version 0.136.3 of fastapi appears in any requirements.txt, pyproject.toml, or lock file, treat the environment as compromised. Rotate all credentials, API keys, and cloud tokens from a separate, trusted machine. Review PyPI token logs for unauthorized publishes originating from your account. Also check for the mistral-evals package, which may have been installed as a secondary payload.
Broader Context
This incident underscores the escalating threat to the Python package ecosystem. While typosquatting remains the most common attack vector, direct maintainer account takeovers of top-50 packages — like this fastapi compromise — represent a far more dangerous class of supply-chain attack. The coordinated disclosure within a tight 35-minute window suggests that automated monitoring systems detected the rogue package quickly, but the window between publication and takedown may have been long enough for automated CI/CD pipelines to pull the malicious version into production builds. As package registries grow in complexity and dependency trees deepen, the blast radius of a single compromised maintainer account continues to expand.