In brief: Nineteen Python packages with millions of downloads were infected by Shai-Hulud malware to steal developer tokens, cloud credentials, and SSH keys.
Security firm Socket has documented a new wave of Shai-Hulud supply chain attacks: 19 legitimate Python packages on PyPI have been infected with malware, including popular bioinformatics tools such as Napari-UFISH and Spateo. The 37 malicious releases targeted the theft of developer data and credentials.
Socket identified a new attack campaign within the ongoing Shai-Hulud attack series: 19 legitimate software packages on the official Python platform PyPI have been compromised, with a total of 37 malicious releases originating from a single package maintainer. The affected packages have been downloaded together several hundred thousand times. A large portion of the infected files consists of popular tools from bioinformatics, including Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
The malware employs a two-stage execution mechanism: the attackers embed a crafted .pth file as well as an obfuscated JavaScript component named index.js in the installation archive. When the Python runtime environment starts, the system automatically processes the .pth file. This file downloads the JavaScript runtime environment Bun from GitHub in the background and executes the actual malware routine. As a result, the malware remains dormant after installation until a regular development step occurs – such as the next invocation of Python, pip, test runs, notebook kernels, CI jobs, or package management commands.
The JavaScript component systematically searches infected systems for sensitive secrets: GitHub tokens and GitHub Actions secrets, authentication tokens for npm, PyPI, RubyGems, and JFrog, credentials for AWS, GCP, Azure, Kubernetes, and Vault, SSH keys and Docker configurations, environment variables from .env, .npmrc, and .pypirc files, as well as command histories and configurations for AI development tools such as Claude or the Model Context Protocol.
The stolen data is transmitted to the attackers via two channels: primarily through automatic GitHub repositories and GitHub Actions, secondarily via direct HTTPS connections, disguised as Anthropic API endpoints. The program first checks whether Russian system environments are present or security tools such as StepSecurity Harden-Runner are active. For persistence, the malware uses systemd services on Linux and LaunchAgents on macOS.
Socket recommends affected organizations revoke all potentially exposed secrets immediately and restore system-specific environments from clean backups.
Source: www.it-daily.net · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.