Hackers compromised 19 PyPI packages in a new Shai-Hulud supply-chain attack that used malicious startup hooks to steal developer secrets from infected systems. The campaign targeted popular bioinformatics tools and exfiltrated credentials through GitHub repositories and HTTPS, while also adding persistence and evasion techniques. #ShaiHulud #PyPI #Dynamo #Spateo #CoolBox #UFISH #NapariUFISH
Key points
- 19 PyPI packages were compromised in a Shai-Hulud supply-chain attack.
- The infected releases included popular bioinformatics tools like Dynamo, Spateo, and CoolBox.
- Malicious files used a .pth hook and an obfuscated _index.js payload to trigger execution.
- The malware stole developer secrets such as GitHub tokens, cloud credentials, SSH keys, and CI/CD data.
- Defenders should rotate exposed secrets and hunt for Bun downloads and Python-to-Bun execution chains.
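As an added defender-side example (not code from the article or from the affected projects), the script below scans a Python installation's .pth files for the executable `import` lines that site.py runs at interpreter startup, which is the hook mechanism the key points describe; the keyword list and the sample .pth content are constructed assumptions, not the campaign's actual payload.

```python
"""Scan site-packages for .pth files that execute code at interpreter start.

site.py executes any .pth line that begins with "import " (or "import\t"),
so a malicious package can run arbitrary code on every Python launch. This
example lists such lines and tags them with keyword markers a hunter would
want to review (the markers below are assumptions, not real indicators).
"""
import site
from pathlib import Path

# Heuristic markers for triage; assumed, not taken from the real payload.
SUSPICIOUS = ("exec(", "eval(", "subprocess", "os.system", "base64",
              "urllib", "bun", "_index.js")


def scan_pth_text(text: str, name: str = "<memory>") -> list[dict]:
    """Return one finding per executable line in the given .pth file text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Plain directory entries are the normal, harmless use of .pth files.
        if not line.startswith(("import ", "import\t")):
            continue
        hits = [m for m in SUSPICIOUS if m in line.lower()]
        findings.append({"file": name, "line": lineno,
                         "markers": hits, "text": line[:120]})
    return findings


def scan_site_packages(dirs=None) -> list[dict]:
    """Walk each site-packages dir (default: this interpreter's) for .pth files."""
    dirs = dirs or (site.getsitepackages() + [site.getusersitepackages()])
    results = []
    for d in dirs:
        for pth in Path(d).glob("*.pth"):
            try:
                results += scan_pth_text(pth.read_text(errors="replace"), str(pth))
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
    return results


# Constructed sample: one benign path entry plus one executable hook line
# that launches a Bun runtime, the Python-to-Bun chain hunters look for.
SAMPLE_PTH = (
    "/usr/lib/python3/dist-packages\n"
    "import os, subprocess; subprocess.Popen(['bun', '_index.js'])\n"
)

if __name__ == "__main__":
    for f in scan_site_packages():
        print(f"{f['file']}:{f['line']} markers={f['markers']} :: {f['text']}")
```

Every `import` line in a .pth file deserves a look, not only those that hit a marker; legitimate tools (editable installs, coverage hooks) use the same mechanism, so the marker list is for prioritising review, not for a verdict.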