Hackers compromised 19 packages on the PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets.
Many of the infected packages are popular bioinformatics tools such as Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
The new campaign was discovered by application security company Socket and extended to 37 malicious releases for 19 packages that appear to be from a single maintainer.
The researchers say that the malicious artifacts included a ‘*-setup.pth' file and an obfuscated JavaScript payload named ‘_index.js.’
Users would just have to start Python to trigger the execution of the PTH file, which then tries to download the Bun JavaScript runtime from GitHub to run the bundled script.
“That means a compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger: the next Python, pip, test run, notebook kernel, CI job, or package-management command that starts Python may process the malicious .pth,”
Socket explains.
The researchers believe that the attack is part of the broader
“Shai-Hulud” campaign, due to the malware exhibiting several similarities in the techniques used.
Because of this, Socket is tracking it alongside previous attacks, with the list of malicious artifacts attributed to Shai-Hulud activities now showing
453 items.
An analysis of the JavaScript payload revealed that it targeted a broad range of developer secrets that included the following:
- GitHub tokens and GitHub Actions secrets
- npm, PyPI, RubyGems, JFrog publishing tokens
- AWS, GCP, Azure, Kubernetes, and Vault credentials
- SSH keys
- Docker credentials
- .env, .npmrc, .pypirc
- Shell histories
- Claude/MCP configuration files
- Other developer workstation and CI/CD secrets
As with other Shai-Hulud attacks, the goal appears to be compromising software development workflows to further propagate the malware.
The primary data exfiltration method is similar to past Shai-Hulud operations, using automatically created GitHub repositories to host secrets written via GitHub Actions.
A second exfiltration method based on direct HTTPS also exists, pointing to a legitimate but invalid Anthropic API endpoint (api[.]anthropic[.]com/v1/api), which Socket believes was likely used for camouflage.
The malware also features some evasion mechanisms, such as checking for Russian locales/environments, and security tools such as StepSecurity Harden-Runner.
Persistence is established through systemd services on Linux and LaunchAgents on macOS, while GitHub workflow and Claude/MCP configuration files are also used.
Socket’s report lists all affected packages and versions and recommends that organizations that installed them rotate all secrets and restore their environments from safe backups.
Defenders should look for Python packages containing executable .pth startup hooks, unexpected downloads of the Bun JavaScript runtime from GitHub, and process chains where Python launches Bun to execute _index.js.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Get the whitepaper
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now
<small>Source: Bleeping Computer</small>
