Hackers compromised 19 packages on PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets.
Many of the infected packages are popular bioinformatics tools such as Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
The new campaign was discovered by application security company Socket and extended to 37 malicious releases for 19 packages that appear to be from a single maintainer.
The researchers say that the malicious artifacts included a '*-setup.pth' file and an obfuscated JavaScript payload named '_index.js'.
Users would just have to start Python to trigger the execution of the PTH file, which then tries to download the Bun JavaScript runtime from GitHub to run the bundled script.
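The reason a .pth file runs at interpreter start is a documented quirk of the standard-library `site` module: a .pth file in site-packages normally lists directories to append to `sys.path`, but any line that begins with `import ` (or `import` followed by a tab) is executed as Python code during startup. The following is an added defensive example, not code from Socket, PyPI, or the affected projects: it audits the .pth files in the current interpreter's site-packages directories and flags those executable lines, rating them higher when they reference tokens that a legitimate path-hook file has no reason to use. The keyword list and the inline sample file are constructed for illustration.

```python
"""Audit .pth files for lines that the site module will execute at startup."""
import re
import site
from pathlib import Path

# Constructed watch-list: tokens a legitimate .pth import hook rarely needs.
SUSPICIOUS = re.compile(
    r"\b(exec|eval|compile|subprocess|os\.system|urllib|requests|base64|socket)\b"
)


def scan_pth_text(text: str, name: str = "<memory>") -> list[dict]:
    """Return one finding per executable line in a .pth file's contents.

    The stdlib site.addpackage() treats a line starting with "import " or
    "import\\t" as code and exec()s it; every other non-comment line is
    just a path entry and is never executed.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not stripped.startswith(("import ", "import\t")):
            continue  # plain sys.path entry, inert
        severity = "high" if SUSPICIOUS.search(stripped) else "low"
        findings.append(
            {"file": name, "line": lineno, "severity": severity, "code": stripped}
        )
    return findings


def site_package_dirs() -> list[Path]:
    """Collect site-packages directories for this interpreter (global + user)."""
    dirs = []
    getter = getattr(site, "getsitepackages", None)  # absent in some old venvs
    if getter:
        dirs.extend(Path(p) for p in getter())
    user = site.getusersitepackages()
    if user:
        dirs.append(Path(user))
    return [d for d in dirs if d.is_dir()]


def scan_site_packages(dirs=None) -> list[dict]:
    """Scan every *.pth file under the given (or detected) site-packages dirs."""
    findings = []
    for d in dirs or site_package_dirs():
        for pth in sorted(d.glob("*.pth")):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue
            findings.extend(scan_pth_text(text, str(pth)))
    return findings


# Constructed sample: one path entry, one ordinary hook, one suspicious line.
SAMPLE_PTH = """\
/usr/lib/python3/dist-packages
# editable-install hook, common and benign
import _virtualenv
import subprocess, base64  # constructed sample of an executable .pth line
"""


if __name__ == "__main__":
    for f in scan_pth_text(SAMPLE_PTH, "sample.pth") + scan_site_packages():
        print(f"[{f['severity']}] {f['file']}:{f['line']}: {f['code']}")
```

Run it from the interpreter that installs the packages you want to audit (for example inside the project's virtual environment), since each interpreter only loads the .pth files from its own site-packages. A "low" finding is not itself evidence of compromise; editable installs and tools such as virtualenv legitimately ship import lines, so the value is in reviewing what each flagged line imports and whether the file belongs to a package you expect.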