Socket Threat Research identified 23 new PyPI artifacts tied to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks, bringing the tracker to 471 affected artifacts across npm and PyPI. The new wave changes delivery methods with malicious .pth hooks, trojanized .abi3.so extensions, and a langchain-core-mcp loader that searches sys.path for _index.js while the payload steals developer and CI/CD secrets after running through Bun. #MiniShaiHulud #Miasma #Hades #langchaincoremcp #embiggen #ensmallen #gpsea #pyphetools
Keypoints
- Socket added 23 newly identified PyPI package-version artifacts to the Mini Shai-Hulud/Miasma campaign tracker.
- The tracker now covers 471 affected artifacts across npm and PyPI, including 411 npm artifacts and 60 PyPI artifacts.
- The new PyPI wave includes malicious bioinformatics packages, AI/MCP-themed packages, and typosquat-style packages such as rsquests, tlask, and rlask.
- Threat actors are changing delivery mechanisms by using .pth startup hooks, trojanized native .abi3.so extensions, and loader/payload separation.
- The payload is a heavily obfuscated JavaScript stealer staged through Bun and used to collect secrets from developer workstations and CI/CD environments.
- The campaign targets high-value credentials and materials such as GitHub, npm, PyPI, cloud credentials, Kubernetes service accounts, SSH keys, Docker config, and .env files.
- The langchain-core-mcp variant searches sys.path for _index.js instead of bundling it directly, which may evade scanners expecting the payload inside the same wheel.
MITRE Techniques
- [T1574.001 ] Hijack Execution Flow: DLL Search Order Hijacking – The malicious package logic abuses Python startup and import behavior to launch code during execution (‘uses .pth startup hooks’ and ‘the malicious execution path is inside a compiled .abi3.so extension’).
- [T1059.006 ] Command and Scripting Interpreter: JavaScript – The payload is a JavaScript stealer executed with Bun (‘runs it with Bun’ and ‘staged through Bun’).
- [T1204.002 ] User Execution: Malicious File – Package installation/import triggers the payload when the victim uses the package (‘executes _index.js as a side effect of module initialization’ and ‘when Python imports the module’).
- [T1018 ] Remote System Discovery – The loader scans Python paths to locate the payload (‘searches sys.path for _index.js’ and ‘searching broad import paths for a JavaScript file’).
- [T1105 ] Ingress Tool Transfer – The malware downloads Bun into a temp directory before execution (‘Download Bun into the temp directory if absent’).
- [T1027 ] Obfuscated Files or Information – The JavaScript payload is heavily obfuscated and uses character-code arrays and substitution (‘a heavily obfuscated JavaScript stealer’ and ‘a large character-code array and a ROT-style substitution function’).
- [T1036 ] Masquerading – The campaign uses lookalike and bait packages to blend in with legitimate ecosystems (‘typosquat-style packages’ and ‘malicious versions of established research-community packages’).
- [T1566 ] Phishing – The fake prompt-injection header is intended to mislead analysis systems (‘a fake prompt-injection header placed at the top of _index.js’).
Indicators of Compromise
- [Malicious PyPI package versions ] Affected PyPI artifacts in the newer wave – [email protected], [email protected], and 21 more packages/versions
- [Malicious wheel files ] Affected wheel artifacts referenced in the report – langchain_core_mcp-1.4.2-py3-none-any.whl, langchain_core_mcp-1.4.3-py3-none-any.whl
- [Startup hook file ] Malicious Python startup hook used by langchain-core-mcp – langchain_core-setup.pth, langchain_core_mcp-setup.pth
- [Compiled native extensions ] Trojanzied import-time execution components in bioinformatics packages – ensmallen_haswell.abi3.so, ensmallen_core2.abi3.so
- [Payload file name ] JavaScript payload searched for or executed by the loader – _index.js, and 2 more delivery-related variants
- [Hashes ] Newly analyzed artifact hashes – SHA256 6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9, SHA256 6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2
- [Suspicious paths and strings ] Delivery and propagation indicators – /tmp/.sshu-setup.js, /var/run/docker.sock, thebeautifulmarchoftime, thebeautifulsnadsoftime
- [Host and telemetry indicators ] StepSecurity-related targets reportedly blocked by the malware – agent.stepsecurity.io, api.stepsecurity.io, app.stepsecurity.io