New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP

A new wave of the Shai-Hulud supply chain campaign has significantly expanded its reach, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages.

The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising 411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages.

Three Evolving Delivery Mechanisms

What makes this wave particularly dangerous is how quickly threat actors are iterating their delivery methods. The campaign now operates through at least three distinct PyPI delivery branches:

• .pth startup-hook pattern — A malicious wheel bundles a *-setup.pth file alongside _index.js. The hook fires during Python startup, silently downloads the Bun JavaScript runtime, and executes the obfuscated stealer payload.
• Native extension import trigger — Malicious code is embedded directly inside compiled .abi3.so extensions. The Python source appears clean, but the extension executes _index.js the moment Python loads the module via dlopen() — bypassing source-only review pipelines entirely.
• langchain-core-mcp loader variant — The most novel technique: the wheel installs a .pth loader but ships without _index.js. Instead, it scans every entry in sys.path and one directory below each entry searching for the payload elsewhere in the Python environment, creating a split-staging architecture that can evade detection rules expecting loader and payload to coexist in the same wheel.

23 PyPI Packages Compromised

The 23 new artifacts span three distinct thematic clusters designed to maximize developer exposure:

• Bioinformatics packages: Trojanized legitimate research tools, including embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy, and pyphetools — packages used in graph learning, patient phenotyping, and genomics workflows.
• MCP/AI-themed packages: langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, and ray-mcp-server — explicitly targeting developers building Model Context Protocol integrations.
• Typosquat packages: rsquests, tlask, and rlask — lookalikes designed to capture installs from developers working with requests, Flask, and related tooling.

The _index.js payload deploys a novel LLM anti-analysis technique, embedding a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file.

The comment is skipped entirely at runtime by Bun but is designed to trigger safety refusals, context pollution, and premature classification in AI-assisted triage pipelines, Socket Threat Research said.

The actual malware resides after the comment block, wrapped in a try{eval(...)} call around a character-code array with a ROT-style substitution cipher. Traditional detection methods YARA rules, entropy analysis, AST parsing — remain effective against this technique.

Once executed via any of the three delivery branches, the Hades-family payload aggressively harvests secrets from developer workstations and CI/CD environments:

• GitHub, npm, PyPI, RubyGems, and JFrog tokens
• Cloud credentials (AWS, Azure, GCP) and Kubernetes service account material
• SSH keys, Docker configurations, shell histories, and .env files
• AI developer tool configurations and package registry credentials

Indicators of Compromise (IOCs)

The following 23 newly identified malicious PyPI artifacts should be blocked or removed immediately:

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.