Shai-Hulud Copycat Campaign Targets Python Developers Through PyPI Typosquatting

Supply‑chain attacks have migrated from JavaScript’s npm registry to Python’s PyPI, reflecting attackers’ willingness to chase the most widely used development ecosystems. The recent Shai‑Hulud copycat leverages a familiar credential‑stealing worm originally released for npm, but adapts its delivery to Python’s .pth file mechanism. By publishing clean “probe” versions that match legitimate release numbers, the threat actor evaded initial detection before injecting malicious payloads that automatically execute during package installation, without any import or function call.

Technically, the malicious wheels drop a .pth file that runs a one‑liner Python script, which fetches the Bun JavaScript runtime and executes a heavily obfuscated payload. The payload is encrypted with AES‑128‑GCM, layered with ROT‑N ciphers, and ultimately runs a 5 MB JavaScript credential stealer. Once active, it harvests tokens and keys from GitHub Actions, AWS, Azure, GCP, HashiCorp Vault, and other services, then uses those credentials to commit malicious workflow files, poison AI assistants, and publish additional poisoned packages across multiple registries. This self‑propagation turns a single compromised build into a multi‑vector infection chain.

For enterprises, the incident underscores the need for proactive dependency hygiene and runtime monitoring. Enabling GitLab’s Dependency Scanning can surface vulnerable packages early, while continuous credential rotation and least‑privilege CI configurations limit the worm’s impact. Organizations should audit installed Python packages, remove any of the five identified modules, and scan for the .bun_ran marker. The broader lesson is clear: as supply‑chain threats evolve, security teams must treat package registries as critical attack surfaces and adopt automated tooling to detect and remediate malicious dependencies promptly.