Malicious 'fastapi' Version 0.136.3 Compromises 111M Weekly Downloads on PyPI
A malicious version of the popular Python web framework fastapi, which sees 111 million weekly downloads, was published on PyPI, exfiltrating environment variables and compromising the systems that installed it.

On May 23, 2026, a malicious version of fastapi — one of the most widely adopted Python web frameworks, with 111 million weekly downloads and nearly half a billion monthly installs — was disclosed on PyPI. The rogue release, version 0.136.3, was published alongside a suspicious companion package called mistral-evals (version 999.0.0) within a 35-minute window, suggesting a coordinated takedown push by security teams after the compromise was detected.
Fastapi, first published in December 2018 and now a cornerstone of the Python web ecosystem, is depended upon by thousands of downstream projects. A compromise at this scale represents one of the most consequential supply-chain incidents targeting PyPI in recent memory.
While the two packages do not share an obvious naming prefix or scope — one is a legitimate high-profile framework, the other a newly registered package with an inflated version number — the timing is the tell. Both advisories were published within 35 minutes of each other on the same day, consistent with a coordinated disclosure after a maintainer account takeover. The mistral-evals package (version 999.0.0) is a clear anomaly: it receives only 2 weekly downloads and was published with an artificially high version number, a pattern often seen in test or staging packages used during an attack. Its name mirrors the legitimate Mistral AI ecosystem, suggesting an attempt to piggyback on the AI/LLM tooling trend.
OpenSSF Package Analysis flagged the compromised fastapi 0.136.3 for suspicious post-install behavior. The malware was observed executing commands and exfiltrating environment variables — a classic credential-harvesting technique that targets API keys, database credentials, and cloud provider tokens stored in environment configuration. The behavioral findings reference configuration file patterns such as project.optional, pyproject.toml, and setup.py, indicating the malicious code may have been injected into or triggered through the Python build system. The mistral-evals package exhibited similar command-execution behavior, reinforcing the conclusion that both packages were part of the same campaign — one targeting a high-value framework, the other serving as a secondary vector or decoy.
The severity of this incident cannot be overstated. Any system that installed fastapi 0.136.3 should be considered fully compromised. The package's post-install script had the ability to read and exfiltrate environment variables, meaning secrets, tokens, and credentials stored in CI/CD pipelines, cloud deployments, and local development environments may have been exposed. Organizations using fastapi in production should assume that any machine or container that pulled version 0.136.3 — even briefly — has been breached.
Developers and DevOps teams should immediately audit their dependency trees for fastapi version 0.136.3 and the mistral-evals package at any version. Run the following checks: "pip show fastapi | grep Version" and "pip show mistral-evals". If version 0.136.3 of fastapi appears in any requirements.txt, pyproject.toml, or lock file, treat the environment as compromised. Rotate all credentials, API keys, and cloud tokens from a separate, trusted machine. Review PyPI token logs for unauthorized publishes originating from your account. Also check for the mistral-evals package, which may have been installed as a secondary payload.
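The audit described above, as an added example (not code from the original article or from the fastapi project): it checks requirements.txt-style pins, quoted pyproject.toml dependency strings, poetry.lock/uv.lock entries and the installed distributions for the two indicators the article names. The regexes, function names and SAMPLE text are assumptions constructed for illustration.

```python
import re
import sys
from importlib import metadata

# Indicators from the article; None means every version is flagged.
FLAGGED = {"fastapi": {"0.136.3"}, "mistral-evals": None}

# requirements.txt / quoted pyproject.toml style: name[extras]==version
REQ_PIN = re.compile(
    r"""^\s*["']?([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*"""
    r"""(?:===?\s*([^\s;#,\\"']+))?""")
# poetry.lock / uv.lock style: name = "x" directly followed by version = "y"
LOCK_PAIR = re.compile(r'^name\s*=\s*"([^"]+)"\s*\nversion\s*=\s*"([^"]+)"', re.M)

# Constructed sample input, not taken from a real project.
SAMPLE = """\
FastAPI[standard]==0.136.3 ; python_version >= "3.9"
fastapi-utils==0.136.3
Mistral_Evals
"""

def normalize(name):
    """PEP 503 normalization, so Mistral_Evals matches mistral-evals."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_flagged(name, version):
    bad = FLAGGED.get(normalize(name), set())
    return bad is None or version in bad

def scan_text(text):
    """Return sorted (name, version) hits in requirements or TOML lock text."""
    found = LOCK_PAIR.findall(text)
    for line in text.splitlines():
        m = REQ_PIN.match(line)
        if m:
            found.append((m.group(1), m.group(2) or "unpinned"))
    return sorted({(normalize(n), v) for n, v in found if is_flagged(n, v)})

def scan_installed():
    """Check the distributions installed for the running interpreter."""
    found = [(d.metadata.get("Name") or "", d.version) for d in metadata.distributions()]
    return sorted({(normalize(n), v) for n, v in found if is_flagged(n, v)})

if __name__ == "__main__":
    # Pass requirements/lock file paths; with none, the constructed SAMPLE is scanned.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE]
    hits = scan_installed() + [h for t in texts for h in scan_text(t)]
    for name, version in hits:
        print(f"FLAGGED: {name} {version}")
    sys.exit(1 if hits else 0)
```

A range such as fastapi>=0.100 is not flagged because it does not pin a version; the lock file or the installed environment shows what was actually resolved.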
This incident underscores the escalating threat to the Python package ecosystem. While typosquatting remains the most common attack vector, direct maintainer account takeovers of top-50 packages — like this fastapi compromise — represent a far more dangerous class of supply-chain attack. The coordinated disclosure within a tight 35-minute window suggests that automated monitoring systems detected the rogue package quickly, but the window between publication and takedown may have been long enough for automated CI/CD pipelines to pull the malicious version into production builds. As package registries grow in complexity and dependency trees deepen, the blast radius of a single compromised maintainer account continues to expand.