New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers
Cybersecurity NewsArchived Jun 09, 2026✓ Full text saved
A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages. The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising […] The post New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers appeared first o
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security
New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers
By Guru Baran
June 9, 2026
A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages.
The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising 411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages.
Three Evolving Delivery Mechanisms
What makes this wave particularly dangerous is how quickly threat actors are iterating their delivery methods. The campaign now operates through at least three distinct PyPI delivery branches:
.pth startup-hook pattern — A malicious wheel bundles a *-setup.pth file alongside _index.js. The hook fires during Python startup, silently downloads the Bun JavaScript runtime, and executes the obfuscated stealer payload.
Native extension import trigger — Malicious code is embedded directly inside compiled .abi3.so extensions. The Python source appears clean, but the extension executes _index.js the moment Python loads the module via dlopen() — bypassing source-only review pipelines entirely.
langchain-core-mcp loader variant — The most novel technique: the wheel installs a .pth loader but ships without _index.js. Instead, it scans every entry in sys.path and one directory below each entry searching for the payload elsewhere in the Python environment, creating a split-staging architecture that can evade detection rules expecting loader and payload to coexist in the same wheel.
23 PyPI Packages Compromised
The 23 new artifacts span three distinct thematic clusters designed to maximize developer exposure:
Bioinformatics packages: Trojanized legitimate research tools, including embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy, and pyphetools — packages used in graph learning, patient phenotyping, and genomics workflows.
MCP/AI-themed packages: langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, and ray-mcp-server — explicitly targeting developers building Model Context Protocol integrations.
Typosquat packages: rsquests, tlask, and rlask — lookalikes designed to capture installs from developers working with requests, Flask, and related tooling.
The _index.js payload deploys a novel LLM anti-analysis technique, embedding a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file.
The comment is skipped entirely at runtime by Bun but is designed to trigger safety refusals, context pollution, and premature classification in AI-assisted triage pipelines, Socket Threat Research said.
The actual malware resides after the comment block, wrapped in a try{eval(...)} call around a character-code array with a ROT-style substitution cipher. Traditional detection methods YARA rules, entropy analysis, AST parsing — remain effective against this technique.
Once executed via any of the three delivery branches, the Hades-family payload aggressively harvests secrets from developer workstations and CI/CD environments:
GitHub, npm, PyPI, RubyGems, and JFrog tokens
Cloud credentials (AWS, Azure, GCP) and Kubernetes service account material
SSH keys, Docker configurations, shell histories, and .env files
AI developer tool configurations and package registry credentials
Indicators of Compromise (IOCs)
The following 23 newly identified malicious PyPI artifacts should be blocked or removed immediately:
Package Malicious Version(s)
dreamgen 1.8.1
embiggen 0.11.97
ensmallen 0.8.101
gpsea 0.9.14
instructor-mcp 1.15.2, 1.15.3
langchain-core-mcp 1.4.2, 1.4.3
mem8 6.0.1
mflux-streamlit 0.0.3, 0.0.4
openai-mcp 2.41.1, 2.41.2
orchestr8-platform 3.3.2
phenopacket-store-toolkit 0.1.7
ppkt2synergy 0.1.1
pyphetools 0.9.120
ray-mcp-server 0.2.1
rlask 3.1.7
rsquests 2.34.3
tiktoken-mcp 0.13.1, 0.13.2
tlask 3.1.4
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
Trending News
binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts
1-Click GitHub Token Vulnerability Lets Attackers Steal Users’ OAuth Tokens
UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher
New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks
Latest News
Cyber Security
Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware
Cyber Security
New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root
Cyber Security News
New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords
Cyber Security News
Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader
Cyber Security News
UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data