19 packages on the Python Package Index (PyPI), collectively downloaded hundreds of thousands of times, were trojanized in a supply‑chain campaign that installed malware intended to steal developer secrets, researchers say.
What Socket found: scale, artifacts, and attribution
Application security company Socket discovered the campaign and traced it to 37 malicious releases across 19 packages that appear to come from a single maintainer. Many of the infected packages are bioinformatics and science-focused tools, including Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH. Socket links the activity to the broader “Shai‑Hulud” cluster on the basis of technique overlap; the firm now tracks 453 artifacts attributed to Shai‑Hulud activities.
How the trojan worked: .pth hooks, Bun, and an obfuscated _index.js
The malicious releases bundled a ‘*-setup.pth’ file and an obfuscated JavaScript payload named ‘_index.js’. A .pth file works as a Python startup hook: the site module processes .pth files in site-packages when the interpreter starts and executes any line that begins with “import”, so the hook runs automatically whenever Python starts. Socket explains: “That means a compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger: the next Python, pip, test run, notebook kernel, CI job, or package‑management command that starts Python may process the malicious .pth.”
On execution, the .pth file attempted to download the Bun JavaScript runtime from GitHub and then used Bun to run the embedded _index.js payload. Socket’s analysis shows process chains in which Python launches Bun to execute the JavaScript component.
Targets and exfiltration: developer secrets and GitHub repositories
Socket’s reverse engineering of the JavaScript revealed a broad harvest of developer and CI credentials. Items targeted included:
- GitHub tokens and GitHub Actions secrets
- npm, PyPI, RubyGems, and JFrog publishing tokens
- AWS, GCP, Azure, Kubernetes, and Vault credentials
- SSH keys, Docker credentials, and shell histories
- Configuration files such as .env, .npmrc, .pypirc, and Claude/MCP files
Primary data exfiltration mirrored prior Shai‑Hulud operations: automatically created GitHub repositories were used to receive secrets via GitHub Actions. Socket also observed a secondary direct HTTPS exfiltration path pointing to an Anthropic API endpoint written as api[.]anthropic[.]com/v1/api — an endpoint Socket believes was likely used for camouflage rather than legitimate Anthropic traffic.
Persistence and evasion techniques observed
The malware implemented multiple persistence and evasion measures. On Linux, persistence was established through systemd services; on macOS, through LaunchAgents. The actor also used GitHub workflow and Claude/MCP configuration files as additional persistence mechanisms. Evasion checks included detecting Russian locales/environments and probing for security tooling such as StepSecurity Harden-Runner before taking action.
What this means for technologists, open‑source maintainers, and security teams
Socket’s report lists all affected packages and versions and recommends that organizations which installed the tainted releases rotate all secrets and restore environments from safe backups. Defenders are also given concrete signals to monitor: Python packages containing executable .pth startup hooks, unexpected downloads of the Bun runtime from GitHub, and process chains in which Python launches Bun to run _index.js.
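The first of those signals, executable .pth startup hooks, can be checked locally. The following is an added example, not code from Socket's report: it lists every .pth line that Python's site module would execute and marks those matching a heuristic pattern. The pattern, the function names, and the two sample files are assumptions made for illustration.

```python
import re
import site
import sysconfig
import tempfile
from pathlib import Path

# site.py exec()s any .pth line that starts with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic markers (assumed): the report's Bun/_index.js signals plus generic launch/download calls.
SUSPICIOUS = re.compile(r"_index\.js|\bbun\b|subprocess|os\.system|urllib|base64", re.I)

def scan_pth(path):
    """Return [(lineno, line, suspicious)] for every executable line in one .pth file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(n, line.strip(), bool(SUSPICIOUS.search(line)))
            for n, line in enumerate(text.splitlines(), 1) if EXEC_LINE.match(line)]

def scan_dirs(dirs):
    """Map each .pth file that contains executable lines to its findings."""
    report = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = scan_pth(pth)
            if hits:
                report[str(pth)] = hits
    return report

def site_dirs():
    """Directories the running interpreter scans for .pth files."""
    paths = sysconfig.get_paths()
    dirs = {paths["purelib"], paths["platlib"], site.getusersitepackages()}
    return [d for d in dirs if Path(d).is_dir()]

def demo():
    """Scan a temp dir holding two constructed .pth files (nothing is executed)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample shaped like the hook the report describes.
        Path(tmp, "demo-setup.pth").write_text(
            "# constructed sample\nimport subprocess; subprocess.run(['bun', '_index.js'])\n")
        # Constructed benign file: a plain path entry, which site.py only adds to sys.path.
        Path(tmp, "paths.pth").write_text("../vendor/lib\n")
        return scan_dirs([tmp])

if __name__ == "__main__":
    for path, hits in scan_dirs(site_dirs()).items():
        for lineno, line, suspicious in hits:
            print(f"{'SUSPICIOUS' if suspicious else 'executable'} {path}:{lineno}: {line[:100]}")
```

Some legitimate tools, such as setuptools and virtualenv, also ship .pth files with executable lines, so the output is best compared against a known-good baseline for the environment.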
Separately, a Picus whitepaper cited in the reporting points to detection gaps: security teams log 54% of successful attacks and alert on just 14%, highlighting how quickly supply‑chain compromises can move beyond visibility unless detection and alerting improve.
The technical facts in Socket’s analysis are clear and disquieting: a seemingly passive package install can convert into an execution trigger simply by starting Python, and the payloads are explicitly biased toward harvesting the very credentials that enable software supply‑chain propagation. Socket’s published list of affected packages and the recommendation to rotate secrets and restore from trusted backups are the direct, immediate remedies cited by the researchers.




