Full Report
Hackers compromised 19 packages on PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets. [...]
Analysis Summary
# Tool/Technique: Shai-Hulud (PyPI Supply-Chain Attack)
## Overview
Shai-Hulud is a sophisticated supply-chain attack campaign targeting developers through compromised package repositories (originally npm, now PyPI). The attack trojanizes legitimate packages—frequently science and bioinformatics tools—to deploy a secret-stealing malware designed to exfiltrate credentials, cloud keys, and CI/CD tokens.
## Technical Details
- **Type:** Malware / Supply-Chain Attack
- **Platform:** Linux, macOS, Python environments
- **Capabilities:** Credential harvesting, persistence establishment, EDR evasion, automated data exfiltration.
- **First Seen:** June 2026 (current wave identified; campaign has historical roots in earlier npm waves).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromise Software Dependencies]
- **[TA0003 - Persistence]**
  - [T1543.002 - Create or Modify System Process: Systemd Service]
  - [T1543.001 - Create or Modify System Process: Launch Agent]
- **[TA0005 - Defense Evasion]**
  - [T1027 - Obfuscated Files or Information]
  - [T1497.001 - Virtualization/Sandbox Evasion: System Checks] (Locale and security tool checks)
- **[TA0006 - Credential Access]**
  - [T1552 - Unsecured Credentials]
  - [T1555 - Credentials from Password Stores]
- **[TA0010 - Exfiltration]**
  - [T1567.002 - Exfiltration Over Web Service: Exfiltration to Code Repository]
## Functionality
### Core Capabilities
- **Delayed Execution Hook:** Utilizes `*-setup.pth` files in Python packages. These act as "startup hooks," triggering the malware the next time Python or a related command (like `pip` or a Jupyter kernel) is initialized.
- **Runtime Sourcing:** Downloads and executes the **Bun** JavaScript runtime from GitHub to run the primary malicious logic contained in an obfuscated `_index.js` file.
- **Mass Secret Harvesting:** Specifically targets developer-centric secrets including:
  - Cloud providers (AWS, GCP, Azure, Kubernetes, Vault).
  - Package managers (npm, PyPI, RubyGems, JFrog).
  - Version control and SSH (GitHub tokens, SSH keys, `.pypirc`).
  - Local histories and configs (Shell history, Docker credentials, `.env`, Claude/MCP configs).
### Advanced Features
- **Evasion Logic:** Checks for Russian locales/environments to avoid targeting specific regions and scans for the presence of security tools like *StepSecurity Harden-Runner*.
- **Camouflaged Exfiltration:** Uses direct HTTPS requests to a legitimate but invalid Anthropic API endpoint (`api[.]anthropic[.]com/v1/api`) to blend in with normal AI-related developer traffic.
- **Automated Repository Exfiltration:** Creates private GitHub repositories to host stolen secrets, exfiltrating data via GitHub Actions to bypass traditional network egress monitoring.
## Indicators of Compromise
- **File Names:**
  - `*-setup.pth` (within Python site-packages)
  - `_index.js` (JavaScript payload)
- **Network Indicators:**
  - `api[.]anthropic[.]com/v1/api` (Defanged - utilized for camouflage)
  - Downloads initiated from `github[.]com` specifically for the Bun runtime.
- **Behavioral Indicators:**
  - Python process spawning a Bun runtime process.
  - Creation of unexpected `systemd` services or macOS `LaunchAgents`.
  - Unexpected outbound connections to GitHub API for repository creation.
## Associated Threat Actors
- **Tracking Name:** Shai-Hulud / Miasma
## Detection Methods
- **Signature-based:** Scan Python environment directories for unexpected `.pth` files containing executable code.
- **Behavioral:** Monitor for `python` or `pip` processes initiating network connections to download binary executables (like Bun) or spawning non-standard runtimes.
- **Filesystem Monitoring:** Alert on the creation of new persistent services in `/etc/systemd/system/` or `~/Library/LaunchAgents`.
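
The signature-based check above can be scripted. The following is an added example, not code from the report or from any vendor: it relies on the fact that Python's `site` module executes any `.pth` line beginning with `import` followed by a space or tab, and it flags such lines in `site-packages`. The token list, severity labels, and sample strings are assumptions constructed for illustration.

```python
import site
from pathlib import Path

# Heuristic tokens (assumption): constructs with no place in a benign
# path-configuration file. Tune against your own environments.
SUSPICIOUS = ("exec(", "eval(", "compile(", "subprocess", "os.system",
              "os.popen", "urllib", "base64", "socket")

def executable_lines(text):
    """Return (line_no, line) for every line site.py would exec()."""
    return [(n, l.rstrip()) for n, l in enumerate(text.splitlines(), 1)
            if l.startswith(("import ", "import\t"))]

def classify(name, text):
    """Findings for one .pth file; an empty list means it only adds paths."""
    ioc_name = name.endswith("-setup.pth")  # file-name IoC from the report
    findings = []
    for n, line in executable_lines(text):
        tokens = [t for t in SUSPICIOUS if t in line]
        # Legitimate hooks (virtualenv, editable installs) also use import
        # lines, so plain ones are marked "review" rather than "high".
        severity = "high" if (tokens or ioc_name) else "review"
        findings.append({"file": name, "line": n,
                         "severity": severity, "tokens": tokens})
    return findings

def scan_site_packages(dirs=None):
    """Scan the interpreter's site-packages directories (or the given ones)."""
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    results = []
    for d in map(Path, dirs):
        if d.is_dir():
            for pth in sorted(d.glob("*.pth")):
                results += classify(pth.name, pth.read_text(errors="replace"))
    return results

# Constructed samples (not taken from the campaign).
BENIGN = "# editable install\n/home/dev/src/mylib\n"
HOOK = "import _virtualenv\n"
LOADER = "import subprocess; subprocess.Popen(['<runtime>', '_index.js'])\n"

if __name__ == "__main__":
    for f in scan_site_packages():
        print(f"{f['severity']:6} {f['file']}:{f['line']} {f['tokens']}")
```

Run it with each interpreter or virtual environment you want to audit, since every environment has its own `site-packages`.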
## Mitigation Strategies
- **Secret Rotation:** Immediately rotate all cloud, VCS, and publishing tokens if a compromised package is identified in the environment.
- **Dependency Pinning:** Use `pip`'s hash-checking mode (`--require-hashes`) to ensure package integrity.
- **Network Segmentation:** Restrict CI/CD runners from making arbitrary outbound requests to GitHub or cloud APIs unless explicitly required.
- **Environment Auditing:** Regularly audit Python `site-packages` for the presence of unauthorized `.pth` startup scripts.
## Related Tools/Techniques
- **Miasma:** A closely related campaign, or a subset of the Shai-Hulud campaign, targeting npm.
- **Typosquatting/Account Takeover:** Common methods used by this actor to compromise the 19 targeted PyPI packages.