Hackers have launched a new **Shai-Hulud** supply-chain attack, successfully compromising 19 packages on the **PyPI** (Python Package Index). These packages, downloaded hundreds of thousands of times, were trojanized to deliver malware aimed at stealing sensitive developer secrets. Many of the affected packages are popular bioinformatics tools, including **Dynamo**, **Spateo**, **CoolBox**, **U-FISH**, and **Napari-UFISH**. ### Discovery and Technical Mechanism The new campaign was brought to light by application security company **Socket**. Their analysis revealed 37 malicious releases across the 19 packages, all appearing to originate from a single maintainer. The malicious artifacts incorporated a `*-setup.pth` file and an obfuscated JavaScript payload named `_index.js`. The `PTH` file's execution is triggered simply by starting Python, which then attempts to download the **Bun** JavaScript runtime from **GitHub** to run the bundled script. **Socket** researchers explained the insidious nature of this mechanism: "That means a compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger: the next Python, pip, test run, notebook kernel, CI job, or package-management command that starts Python may process the malicious .pth." ### Connection to Broader Shai-Hulud Campaign **Socket** believes this attack is an extension of the broader **"Shai-Hulud" campaign**, citing several similarities in the techniques employed. The firm is tracking this incident alongside previous attacks, bringing the total number of malicious artifacts attributed to **Shai-Hulud** activities to 453. ### Targeted Secrets and Exfiltration An in-depth analysis of the JavaScript payload uncovered its extensive targeting of developer secrets, including: * **GitHub** tokens and **GitHub Actions** secrets * **npm**, **PyPI**, **RubyGems**, **JFrog** publishing tokens * **AWS**, **GCP**, **Azure**, **Kubernetes**, and **Vault** credentials * **SSH** keys * **Docker** credentials * `.env`, `.npmrc`, `.pypirc` files * Shell histories * **Claude/MCP** configuration files * Other developer workstation and CI/CD secrets Consistent with previous **Shai-Hulud** operations, the primary goal appears to be compromising software development workflows to facilitate further malware propagation. Data exfiltration largely mirrors past **Shai-Hulud** methods, utilizing automatically created **GitHub** repositories to host stolen secrets via **GitHub Actions**. A secondary exfiltration method employs direct HTTPS communication, pointing to a legitimate but invalid **Anthropic** API endpoint (api[.]anthropic[.]com/v1/api), which **Socket** suggests was likely used for camouflage. ### Evasion and Persistence The malware incorporates several evasion mechanisms, such as checking for Russian locales/environments and the presence of security tools like **StepSecurity Harden-Runner**. For persistence, the malware establishes itself through **systemd** services on **Linux** systems and **LaunchAgents** on **macOS**. It also leverages **GitHub** workflow and **Claude/MCP** configuration files to maintain its foothold. ### Recommendations for Defenders **Socket**'s report provides a comprehensive list of all affected packages and versions. Organizations that have installed these packages are strongly advised to: * Rotate all developer secrets immediately. * Restore affected environments from known safe backups. Defenders should also actively monitor for specific indicators of compromise, including: * **Python** packages containing executable `.pth` startup hooks. * Unexpected downloads of the **Bun** JavaScript runtime from **GitHub**. * Process chains where **Python** launches **Bun** to execute `_index.js`.