The latest wave adds 23 malicious PyPI package-version artefacts to an operation already linked to Mini Shai-Hulud, Miasma and Hades activity. The broader campaign now spans hundreds of npm and PyPI artefacts, with security tracking indicating 471 affected artefacts across the two ecosystems, including 411 npm artefacts across 106 packages and 60 PyPI artefacts across 37 packages. The expansion shows that attackers are no longer relying on a single infection path, but are adapting delivery methods to reach developers, machine-learning teams, bioinformatics users and organisations building tools around model context protocol workflows.
PyPI is widely used by Python developers to distribute and install software libraries. Its trust model depends heavily on package maintainers, version integrity and developer judgement. That makes it an attractive target for supply-chain attackers seeking access not just to individual machines, but to the credentials and automation tokens that allow code to be published, deployed or integrated into production systems.
The Shai-Hulud-linked activity is notable for its cross-ecosystem behaviour. Earlier waves targeted npm, the JavaScript package registry, before moving into PyPI and other developer repositories. The latest PyPI infections include techniques designed to run silently during installation or Python start-up, allowing malicious code to execute before a developer notices anything unusual. Some poisoned wheels abuse Python startup hooks by bundling .pth files that trigger execution automatically, while others use native extension or loader-based approaches to start a credential-stealing payload.
A key feature of the campaign is its use of Bun, a JavaScript runtime, as an execution engine. Instead of assuming that Node.js or another local runtime is available, the malware can download Bun and use it to run heavily obfuscated JavaScript payloads. That cross-runtime design makes detection more difficult because defenders watching only Python execution paths may miss the transition into JavaScript-based behaviour.
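An added defensive example, not code from the article or from any vendor or project it names: a short audit that lists the lines in `.pth` files which Python's `site` module executes at start-up, the hook type described above. The file names and contents written by `build_sample_dir` are constructed, benign sample data.

```python
"""Audit .pth files for lines Python executes automatically at start-up."""
import site
import sys
from pathlib import Path


def executable_pth_lines(pth_path):
    """Return (line_number, text) for each line site.py would exec()."""
    text = Path(pth_path).read_text(encoding="utf-8-sig", errors="replace")
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        # site.py runs a .pth line as code only when it starts with "import"
        # followed by a space or tab; other lines are sys.path entries.
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.strip()))
    return hits


def audit_site_dir(site_dir):
    """Map each .pth file name in site_dir to its executable lines."""
    findings = {}
    for pth in sorted(Path(site_dir).glob("*.pth")):
        hits = executable_pth_lines(pth)
        if hits:
            findings[pth.name] = hits
    return findings


def build_sample_dir(root):
    """Write constructed, benign sample .pth files for a dry run."""
    root = Path(root)
    # Path-only file, as an editable install would leave behind.
    (root / "editable_project.pth").write_text("/home/dev/src/project\n")
    # "importlib_dir" is a path entry, not code: no space or tab after "import".
    (root / "lookalike.pth").write_text("importlib_dir\n")
    # Executable line (harmless here) of the kind the audit should surface.
    (root / "constructed_hook.pth").write_text(
        "# constructed sample\nimport sys; sys.stdout.write('')\n")
    return root


if __name__ == "__main__":
    # Default: audit this interpreter's real site directories.
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for directory in dirs:
        for name, hits in audit_site_dir(directory).items():
            for number, text in hits:
                print(f"{directory}/{name}:{number}: {text[:120]}")
```

Legitimate packages also ship executable `.pth` lines (setuptools' `distutils-precedence.pth` is one), so each hit is a candidate for review against a known-good baseline rather than a verdict.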
Once executed, the malware attempts to harvest sensitive material from developer environments, including GitHub tokens, package registry credentials, cloud keys, SSH material, API keys and CI/CD secrets. Those credentials can allow attackers to publish further poisoned packages, access private repositories, alter build pipelines or exfiltrate code and configuration files. The worm-like logic gives the operation the potential to move from one compromised developer workstation into wider organisational infrastructure.
The latest activity also shows evidence of branding and marker changes across variants. The Hades naming convention has appeared in exfiltration markers and repository descriptions, while Miasma activity has been linked to broader Shai-Hulud-style tradecraft. Although attribution remains uncertain, some earlier Mini Shai-Hulud waves have been associated by security vendors with TeamPCP, a financially motivated threat actor that emerged in late 2025 and has been linked to attacks exploiting developer infrastructure.
The campaign builds on a sequence of attacks that unfolded through April, May and June 2026. PyPI package lightning versions 2.6.2 and 2.6.3 were identified as malicious on April 30 and quarantined the same day. The package is heavily used by AI and machine-learning developers, with roughly 8 million monthly downloads, magnifying potential exposure for teams that imported affected versions before removal. Other waves affected well-known developer projects including TanStack, Mistral AI, UiPath, OpenSearch and Guardrails AI.
The May phase of the campaign showed larger-scale npm compromise, with more than 170 packages affected and hundreds of millions of monthly package downloads connected to impacted projects. Known PyPI artefacts in that phase included mistralai version 2.4.6 and guardrails-ai version 0.10.1, both linked to payloads designed to steal development secrets and potentially enable lateral movement. Malicious packages were uploaded in waves on April 29 and May 11, before further PyPI discoveries emerged in June.
For organisations, the risk is greater than ordinary endpoint malware because package installation often happens inside trusted build, testing and deployment environments. A poisoned dependency installed during automated CI/CD runs may gain access to secrets with broad privileges. Developer laptops may also hold long-lived tokens, cloud credentials and SSH keys, creating a path from a single package install to repository takeover or unauthorised software release.