New Shai-Hulud Attack Trojanizes 19 Science-Focused PyPI Packages
Hackers compromised 19 packages on PyPI, the popular repository for Python packages. The packages, which have collectively been downloaded hundreds of thousands of times, were trojanized in a new supply-chain attack attributed to the Shai-Hulud group. The aim of the attack was to deliver malware that steals developer secrets.
Among the affected packages are several well-known bioinformatics tools, including Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
The alarming discovery of this new campaign was made by Socket, an application security company. They found that 37 malicious releases targeting 19 packages were attributed to a single maintainer.
According to researchers, the malicious artifacts included a file named ‘*-setup.pth’ and an obfuscated JavaScript payload labeled ‘_index.js.’
When a user started Python, the PTH file would be executed, which in turn attempted to download the Bun JavaScript runtime from GitHub and use it to run the bundled script.
Socket explained, “A compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger. The next Python, pip, test run, notebook kernel, CI job, or package-management command that starts Python may process the malicious .pth.”
Researchers believe that this attack is part of the broader “Shai-Hulud” campaign, as the malware used exhibited several similarities in techniques with previous attacks. Socket is actively monitoring this campaign alongside previous incidents, with the total number of malicious artifacts linked to Shai-Hulud activities now reaching 453.
Analysis of the JavaScript payload revealed that it targeted a wide array of developer secrets, including GitHub tokens; npm, PyPI, RubyGems, and JFrog publishing tokens; AWS, GCP, Azure, Kubernetes, and Vault credentials; SSH keys; Docker credentials; .env, .npmrc, and .pypirc files; shell histories; Claude/MCP configuration files; and other developer workstation and CI/CD secrets.
Similar to past Shai-Hulud attacks, the primary objective appears to be compromising software development workflows to facilitate further propagation of the malware.
Data exfiltration is carried out primarily through automatically created GitHub repositories that store secrets written via GitHub Actions. A secondary exfiltration method based on direct HTTPS uses a legitimate but invalid Anthropic API endpoint (api[.]anthropic[.]com/v1/api), likely for camouflage.
The malware incorporates evasion mechanisms such as checking for Russian locales/environments and for security tools like StepSecurity Harden-Runner.
Persistence is established through systemd services on Linux and LaunchAgents on macOS, as well as through GitHub workflow and Claude/MCP configuration files.
Socket’s report details all impacted packages and versions and advises organizations that installed them to rotate all secrets and restore their environments from secure backups.
Defenders are encouraged to be vigilant for Python packages containing executable .pth startup hooks, unexpected downloads of the Bun JavaScript runtime from GitHub, and process chains where Python launches Bun to execute _index.js.
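The first of those checks can be scripted. The following is an added example, not code from Socket's report or from the article: it lists every .pth file in the current interpreter's site-packages directories that contains lines Python would execute at startup. The function names and the `matches_article` heuristic (a file name ending in `-setup.pth` or a reference to `_index.js`) are assumptions made for illustration.

```python
import site
from pathlib import Path

# Indicator named in the article: the bundled payload file.
PAYLOAD_NAME = "_index.js"


def executable_lines(pth_path):
    """Return (line_number, text) pairs for lines site.py would exec().

    At interpreter startup, site.py executes any .pth line that begins
    with "import" followed by a space or tab; other lines are path entries.
    """
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [
        (number, line.strip())
        for number, line in enumerate(text.splitlines(), start=1)
        if line.startswith(("import ", "import\t"))
    ]


def scan_site_dirs(directories):
    """Map each .pth file that contains executable lines to its findings."""
    findings = {}
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            lines = executable_lines(pth)
            if not lines:
                continue
            # Heuristic (assumption): file name shape or payload reference.
            matches = pth.name.endswith("-setup.pth") or any(
                PAYLOAD_NAME in text for _, text in lines
            )
            findings[str(pth)] = {"lines": lines, "matches_article": matches}
    return findings


def default_site_dirs():
    """Site-packages directories of the interpreter running this script."""
    candidates = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [d for d in candidates if Path(d).is_dir()]


if __name__ == "__main__":
    for path, info in scan_site_dirs(default_site_dirs()).items():
        tag = "matches article" if info["matches_article"] else "review"
        print(f"[{tag}] {path}")
        for number, text in info["lines"]:
            print(f"    line {number}: {text[:120]}")
```

Some legitimate tooling also ships executable .pth lines, so entries tagged "review" are a list to inspect rather than confirmed findings.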