CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 09, 2026

New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers

Cybersecurity News Archived Jun 09, 2026 ✓ Full text saved

A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages. The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising […] The post New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers appeared first o

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers By Guru Baran June 9, 2026 A new wave of the Shai-Hulud supply chain campaign, adding 23 newly discovered malicious PyPI package-version artifacts to an already alarming operation that previously compromised 37 packages. The broader campaign identified by the Socket Threat Research team, tracked across the Mini Shai-Hulud, Miasma, and Hades threat clusters, now spans 471 total artifacts across npm and PyPI, comprising 411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages. Three Evolving Delivery Mechanisms What makes this wave particularly dangerous is how quickly threat actors are iterating their delivery methods. The campaign now operates through at least three distinct PyPI delivery branches: .pth startup-hook pattern — A malicious wheel bundles a *-setup.pth file alongside _index.js. The hook fires during Python startup, silently downloads the Bun JavaScript runtime, and executes the obfuscated stealer payload. Native extension import trigger — Malicious code is embedded directly inside compiled .abi3.so extensions. The Python source appears clean, but the extension executes _index.js the moment Python loads the module via dlopen() — bypassing source-only review pipelines entirely. langchain-core-mcp loader variant — The most novel technique: the wheel installs a .pth loader but ships without _index.js. Instead, it scans every entry in sys.path and one directory below each entry searching for the payload elsewhere in the Python environment, creating a split-staging architecture that can evade detection rules expecting loader and payload to coexist in the same wheel. 23 PyPI Packages Compromised The 23 new artifacts span three distinct thematic clusters designed to maximize developer exposure: Bioinformatics packages: Trojanized legitimate research tools, including embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy, and pyphetools — packages used in graph learning, patient phenotyping, and genomics workflows. MCP/AI-themed packages: langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, and ray-mcp-server — explicitly targeting developers building Model Context Protocol integrations. Typosquat packages: rsquests, tlask, and rlask — lookalikes designed to capture installs from developers working with requests, Flask, and related tooling. The _index.js payload deploys a novel LLM anti-analysis technique, embedding a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file. The comment is skipped entirely at runtime by Bun but is designed to trigger safety refusals, context pollution, and premature classification in AI-assisted triage pipelines, Socket Threat Research said. The actual malware resides after the comment block, wrapped in a try{eval(...)} call around a character-code array with a ROT-style substitution cipher. Traditional detection methods YARA rules, entropy analysis, AST parsing — remain effective against this technique. Once executed via any of the three delivery branches, the Hades-family payload aggressively harvests secrets from developer workstations and CI/CD environments: GitHub, npm, PyPI, RubyGems, and JFrog tokens Cloud credentials (AWS, Azure, GCP) and Kubernetes service account material SSH keys, Docker configurations, shell histories, and .env files AI developer tool configurations and package registry credentials Indicators of Compromise (IOCs) The following 23 newly identified malicious PyPI artifacts should be blocked or removed immediately: Package Malicious Version(s) dreamgen 1.8.1 embiggen 0.11.97 ensmallen 0.8.101 gpsea 0.9.14 instructor-mcp 1.15.2, 1.15.3 langchain-core-mcp 1.4.2, 1.4.3 mem8 6.0.1 mflux-streamlit 0.0.3, 0.0.4 openai-mcp 2.41.1, 2.41.2 orchestr8-platform 3.3.2 phenopacket-store-toolkit 0.1.7 ppkt2synergy 0.1.1 pyphetools 0.9.120 ray-mcp-server 0.2.1 rlask 3.1.7 rsquests 2.34.3 tiktoken-mcp 0.13.1, 0.13.2 tlask 3.1.4 Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News binding.gyp Supply Chain Attack Compromises Dozens of npm Packages Across Maintainer Accounts 1-Click GitHub Token Vulnerability Lets Attackers Steal Users’ OAuth Tokens UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data Microsoft MSRC Allegedly Dismissed Dependency Confusion Vulnerability, Claims Researcher New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks Latest News Cyber Security Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware Cyber Security New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords Cyber Security News Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader Cyber Security News UNC3753 Attacking US Law Firms Using Vishing and RMM Tools to Exfiltrate Data
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 09, 2026
    Archived
    Jun 09, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗