New Shai-Hulud Attack Trojanizes 19 Science-Focused PyPI Packages

Supply‑chain attacks have long haunted open‑source ecosystems, but the latest Shai‑Hulud campaign raises the stakes for the Python community. PyPI, the default repository for over 300,000 packages, powers everything from academic research to enterprise data pipelines. By injecting a malicious *.pth file—a rarely scrutinized startup hook—attackers can execute code the moment Python is invoked, effectively turning a harmless dependency install into a covert dropper. The use of Bun, a lightweight JavaScript runtime, allows the payload to run cross‑platform scripts without raising typical Python‑specific alarms, widening the attack surface beyond traditional Python malware.

Technical analysis reveals a multi‑stage operation. The compromised wheel first pulls Bun from GitHub, then runs an obfuscated _index.js script that enumerates a broad spectrum of secrets: GitHub and Actions tokens, cloud provider keys (AWS, GCP, Azure), Docker credentials, SSH keys, and even local .env files. Exfiltration occurs via automatically created GitHub repositories—leveraging the platform’s trusted status—or through a camouflaged HTTPS call to an Anthropic API endpoint. Evasion tactics include locale checks for Russian environments and detection of security tools like StepSecurity Harden‑Runner, while persistence is cemented via systemd services on Linux and LaunchAgents on macOS, ensuring the malware survives reboots and container restarts.

For organizations, the breach translates to immediate credential rotation, audit of all affected packages, and restoration from verified backups. More broadly, the incident highlights the fragility of trusting third‑party packages without rigorous provenance checks. Developers should adopt reproducible builds, enforce signed releases, and monitor for unexpected .pth files or external runtime downloads. Security teams must integrate supply‑chain scanning into CI/CD pipelines and treat package integrity as a critical control point, lest similar attacks compromise the very foundations of modern software development.