New Shai-Hulud attack trojanizes 19 science-focused PyPI packages

Alanna River

Jun 9, 2026

What Happened

  • BleepingComputer reported that hackers compromised 19 PyPI packages in a new Shai-Hulud supply-chain campaign.
  • The affected packages are science-focused and include bioinformatics tools such as Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
  • Socket said the campaign involved 37 malicious releases across 19 packages that appeared to come from a single maintainer.
  • The malicious artifacts included a *-setup.pth file and an obfuscated JavaScript payload named _index.js.
  • The .pth startup hook can execute when Python starts, including during pip runs, test runs, notebook kernels, CI jobs, or package-management commands.
  • The payload attempts to download the Bun JavaScript runtime from GitHub to run the bundled JavaScript.
  • The malware targets GitHub tokens, GitHub Actions secrets, npm tokens, PyPI tokens, RubyGems tokens, JFrog tokens, AWS credentials, GCP credentials, Azure credentials, Kubernetes credentials, Vault credentials, SSH keys, Docker credentials, .env files, shell histories, and Claude or MCP configuration files.
  • The primary exfiltration method uses automatically created GitHub repositories, while a secondary HTTPS method points to an Anthropic API-looking endpoint likely used for camouflage.
  • The malware includes evasion checks for Russian environments and StepSecurity Harden-Runner, and persistence through Linux systemd services, macOS LaunchAgents, GitHub workflow files, and Claude or MCP configuration files.
  • Socket recommended rotating all secrets and restoring affected environments from safe backups if impacted packages were installed.

A newly identified Shai-Hulud software supply-chain campaign has compromised multiple scientific and bioinformatics packages hosted on PyPI, exposing a risk that extends far beyond individual developer workstations. By abusing Python’s startup mechanisms, the malware can execute automatically in environments where affected packages are installed, including development systems, notebook environments, and CI/CD pipelines.

The campaign highlights a persistent challenge in modern software development: trusted open-source dependencies often have access to the same repositories, cloud environments, and secrets that organizations rely on to build and deliver applications. When a compromised package gains execution within these environments, it can become an entry point for credential theft, repository compromise, cloud account abuse, and downstream supply-chain attacks.

For organizations that support research workloads, developer platforms, or Python-based automation, the incident serves as another reminder that dependency security is now a core component of enterprise security strategy, not merely a software development concern.

How the Shai-Hulud Supply-Chain Attack Works

The campaign leverages Python’s .pth startup hook mechanism, a legitimate feature that allows code to execute automatically when the Python interpreter initializes. Once a compromised package is installed, the malicious .pth file can trigger during routine Python activity, including interactive sessions, notebook launches, package-management operations, automated testing, and CI/CD workflows.

After execution, the malware attempts to download the Bun JavaScript runtime from GitHub and use it to run an obfuscated JavaScript payload named _index.js. This approach allows attackers to move much of the malicious logic outside the Python package itself, making analysis and detection more difficult while enabling rapid updates to payload behavior.
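An added example, not code from Socket, BleepingComputer or the affected packages: a defensive scan that lists every .pth line the interpreter would execute at startup and flags the two file names reported above (*-setup.pth and _index.js). The labels "match" and "review" and all function names are this example's own.

```python
import fnmatch
import site
import sys
from pathlib import Path

# File names reported in the article; the labels below are this example's own.
PTH_PATTERN = "*-setup.pth"
PAYLOAD_NAME = "_index.js"


def executable_lines(pth_file):
    """Return (line_no, text) for lines the site module would execute at startup."""
    hits = []
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    for no, line in enumerate(text.splitlines(), 1):
        # site executes lines starting with "import" + space or tab;
        # other non-comment lines are only appended to sys.path.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()[:120]))
    return hits


def scan_site_dir(site_dir):
    """List .pth startup hooks and article-named artifacts under one site dir."""
    root, findings = Path(site_dir), []
    if not root.is_dir():
        return findings
    for pth in sorted(root.glob("*.pth")):  # only top-level .pth files are processed
        label = "match" if fnmatch.fnmatch(pth.name, PTH_PATTERN) else "review"
        for no, line in executable_lines(pth):
            findings.append((label, str(pth), no, line))
    for js in sorted(root.rglob(PAYLOAD_NAME)):
        findings.append(("match", str(js), 0, "payload file name from the report"))
    return findings


def default_site_dirs():
    """Site directories of the running interpreter (global and per-user)."""
    return sorted(set(site.getsitepackages()) | {site.getusersitepackages()})


if __name__ == "__main__":
    results = [f for d in default_site_dirs() for f in scan_site_dir(d)]
    for label, path, no, line in results:
        print(f"[{label}] {path}:{no}: {line}")
    # Legitimate tools (editable installs, setuptools) also ship import lines,
    # so "review" entries need a human look; only name matches fail the run.
    sys.exit(1 if any(r[0] == "match" for r in results) else 0)
```

Starting the interpreter with `python -S` skips the site module, so the .pth hooks under inspection are not executed while the scan runs.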

The payload is designed to harvest a broad range of credentials and sensitive artifacts commonly found on developer endpoints and build infrastructure, including:

  • Source code repository credentials and access tokens
  • CI/CD secrets and automation workflow data
  • Cloud provider credentials across AWS, Google Cloud, and Microsoft Azure environments
  • Package registry tokens used for software publishing
  • SSH keys, environment files, and shell history data
  • Container, Kubernetes, and secrets-management artifacts
  • AI development tooling configurations, including Claude and MCP-related settings

The malware also incorporates persistence techniques intended to survive beyond the initial execution. Reported mechanisms include:

  • Creation of systemd services on Linux systems
  • Deployment of LaunchAgents on macOS devices
  • Modification of GitHub Actions workflow files
  • Alteration of Claude and MCP configuration files to maintain access and enable continued execution

From a defender’s perspective, the most significant aspect of the attack is not the malware’s complexity but its positioning. By executing inside trusted development and automation environments, the malicious package can access the same credentials, repositories, and infrastructure resources that organizations depend on to build and deploy software. This significantly increases the potential impact of a single compromised dependency.

How Hexnode Can Help Reduce Exposure

A compromise like Shai-Hulud is difficult to detect through preventive controls alone because the malicious code executes inside trusted developer and automation environments. Organizations need visibility into suspicious behavior after package installation, as well as the ability to quickly investigate and contain affected endpoints.

Hexnode XDR can help security teams identify and investigate indicators associated with this type of attack, including:

  • Unusual Python process activity originating from development or research environments
  • Unexpected execution of secondary runtimes or tools, such as Bun
  • Suspicious credential-access behavior targeting local files, tokens, or configuration stores
  • Attempts to establish persistence on managed endpoints
  • Abnormal outbound connections and potential data exfiltration activity
  • Process, file, and network events that may indicate post-compromise activity

By correlating endpoint telemetry across managed devices, security teams can gain greater visibility into potentially malicious behavior and accelerate incident investigation and response workflows.

On the device management side, Hexnode UEM can help strengthen the security posture of developer and research workstations through centralized endpoint governance. Key controls include:

  • Enforcing device compliance and security policies
  • Maintaining patch and update compliance across supported endpoints
  • Applying and monitoring full-disk encryption policies
  • Managing approved applications and endpoint configurations
  • Performing remote actions and remediation tasks from a centralized console
  • Supporting endpoint management across Windows, macOS, and Linux environments

These capabilities help reduce the attack surface of developer systems and improve an organization’s ability to respond quickly when a software supply-chain incident affects managed endpoints.

Conclusion

The Shai-Hulud campaign underscores how software supply-chain risk extends beyond traditional enterprise applications. Open-source packages used in research, development, data science, and automation workflows often operate in environments that contain highly privileged credentials, making them attractive targets for attackers.

The incident also demonstrates how a single compromised dependency can create opportunities for credential theft, repository compromise, cloud environment exposure, and downstream operational risk. As organizations continue to rely on open-source ecosystems, securing the software supply chain must remain a shared responsibility across security, platform engineering, and development teams.

To reduce exposure, organizations should prioritize:

  • Dependency governance and package-source monitoring
  • Continuous endpoint visibility and threat detection
  • Rapid credential and secret rotation following suspected compromise
  • Hardened developer and research workstations
  • Strong controls around CI/CD pipelines and cloud access credentials

For security leaders, the lesson is clear: protecting enterprise assets now requires the same level of scrutiny for third-party dependencies as it does for endpoints, identities, and cloud infrastructure.

Alanna River

I’m a technical content writer at Hexnode who loves simplifying tech. I break down complex ideas, remove the fluff, and help readers clearly understand our product for what it actually is: simple, reliable, and built to solve real problems.