The Shai-Hulud Campaign Returns: Bioinformatics Under Attack
Here's the thing about supply-chain attacks: they work because we trust the packages we install. You're sitting there, running pip install dynamo for your single-cell RNA sequencing analysis, and suddenly you've got a backdoor in your environment. That's exactly what happened when hackers compromised 19 science-focused PyPI packages as part of the ongoing Shai-Hulud campaign.
The attack, discovered by application security firm Socket, hit packages that researchers and bioinformaticians actually use. We're talking Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH here — tools that power real research. These 19 packages accumulated hundreds of thousands of downloads before anyone noticed something was off. And they're spread across 37 malicious releases, all apparently coming from a single maintainer account.
What makes this particularly nasty is the timing. Researchers downloading these packages are often working with sensitive data — patient information, proprietary research, institutional credentials. You don't want malware in that environment.
How the Poisoning Actually Works
The technical implementation is clever, I'll give attackers that much. Each compromised package ships with a *-setup.pth file and an obfuscated JavaScript payload called _index.js. Here's where it gets interesting: you don't even need to run the package itself. Just starting Python triggers execution of that .pth file.
Socket puts it perfectly: "A compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger: the next Python, pip, test run, notebook kernel, CI job, or package-management command that starts Python may process the malicious .pth."
Translation? Every time you touch Python on that machine, the malware wakes up. Your notebook kernel? Triggered. A CI job running tests? Triggered. Even just checking what packages you have installed could set it off.
The payload then reaches out to GitHub to download the Bun JavaScript runtime, which executes the bundled script. It's using obfuscation to dodge automated scanning tools, and the code hides in conditional branches that only activate under specific runtime conditions.
What They're After: Your Entire Secret Stash
The JavaScript payload casts a wide net when it comes to stealing secrets. We're not just talking about one or two credentials here. The malware targets:
- GitHub tokens and GitHub Actions secrets — the keys to your source code and CI/CD pipelines
- npm, PyPI, RubyGems, and JFrog publishing tokens — if you publish packages, your publishing credentials are on the hit list
- AWS, GCP, Azure, Kubernetes, and Vault credentials — cloud infrastructure access goes straight to them
- SSH keys and Docker credentials for container and server access
- The
.env,.npmrc, and.pypircfiles that store configuration secrets - Shell histories that might contain commands with embedded credentials
- Even Claude and MCP configuration files, which is honestly kind of impressive in its specificity
The exfiltration method mirrors what we've seen in previous Shai-Hulud operations: automatically created GitHub repositories host the stolen secrets, written via GitHub Actions. There's also a secondary channel using direct HTTPS to what looks like a legitimate Anthropic API endpoint (api[.]anthropic[.]com/v1/api), which Socket suspects was chosen specifically for camouflage.
This isn't the first time the Shai-Hulud campaign has targeted developers. Similar attacks have hit Red Hat npm packages and Microsoft packages with Miasma malware. The pattern is becoming all too familiar: compromised packages in popular repositories, credential harvesting, and sophisticated evasion techniques.
Evasion Tactics That Make This Hard to Catch
The malware has some nasty tricks up its sleeve. It checks for Russian locales and environments before executing, which suggests the attackers are trying to avoid detection in certain regions. It also detects security tools like StepSecurity Harden-Runner and skips execution if it's present.
Persistence is established through systemd services on Linux, LaunchAgents on macOS, and even GitHub workflow files and Claude/MCP configuration files. So once it gets in, it doesn't just stay in your Python environment — it spreads to your system level and the CI/CD pipelines.
This is the part that keeps me up at night. The goal here isn't just to steal secrets from one machine. It's to compromise software development workflows so the malware can propagate further. Teams using CI/CD pipelines and shared development environments are sitting ducks.
What You Need to Do Right Now
If your organization installed any of the affected packages, Socket's recommendation is straightforward: rotate all secrets and restore environments from safe backups. Don't try to clean the infection — just nuke it and start fresh.
For everyone else, here's what to watch for:
- Python packages containing executable
.pthstartup hooks — that's your first red flag - Unexpected downloads of the Bun JavaScript runtime from GitHub during package installation
- Process chains where Python launches Bun to execute
_index.js - Anomalous outbound HTTPS connections to unknown endpoints
- New GitHub repositories created by CI/CD workflows that you didn't authorize
The broader Shai-Hulud campaign, named after the giant sandworm from Frank Herbert's Dune, now shows 453 malicious artifacts in Socket's tracking. This isn't an isolated incident — it's part of a sustained campaign targeting the Python ecosystem, and science packages are just the latest target.
The takeaway? Trust nothing. Verify everything. And for the love of all that's holy, pin your dependencies and audit what actually gets installed in your environments.