Shai-Hulud Returns: When Just One pip install Command Can Steal All Your Secrets
Overview of the campaign
June 2026 marked a concerning escalation of the malware supply chain campaign named Shai-Hulud, as new variants expanded from the Node.js ecosystem to Python, directly affecting over 100 packages on the world's two largest software repositories, npm and PyPI. Initially appearing at the end of 2025 as malware specialized in stealing secrets in software development environments, Shai-Hulud quickly evolved into a worm capable of self-propagation through compromised open-source packages. After the source code of the Mini Shai-Hulud variant was made public by TeamPCP in May 2026, several other attack groups swiftly created new versions named Miasma and Hades.
These campaigns have infected over 100 packages across various fields, including those used in enterprise environments, DevOps tools, bioinformatics libraries, AI tooling, and even packages related to the Red Hat ecosystem. The primary goal of the malware is to collect GitHub Personal Access Tokens (PAT), cloud credentials (AWS, Azure, GCP), SSH keys, CI/CD secrets, Docker configurations, and settings related to AI coding assistants like Cursor, Claude Code, or GitHub Copilot.
Event Timeline
| Event Timeline | Event |
|---|---|
| Sep 2025 | Shai-Hulud was first discovered on npm as malware designed to steal secrets. |
| Q1 2026 | Some components of the campaign involved compromising the Trivy vulnerability scanner. |
| Mid-May 2026 | TeamPCP publicly released the source code for Mini Shai-Hulud. |
| Cuối May 2026 | Clone variants began appearing on GitHub. |
| 01/06/2026 | Red Hat confirmed 32 npm packages were infected with malware. |
| 01–05/06/2026 | The first Wave Miasma appeared, affecting over 57 npm packages with more than 300 malicious versions. |
| 07/06/2026 | Socket detected Hades Wave 1 on PyPI, affecting 19 packages and 37 malicious wheels. |
| 08/06/2026 | Hades Wave 2 appeared with over 29 new packages, focusing on bioinformatics and the MCP ecosystem. |
| 09/06/2026 | SecurityWeek reported a total of 471 malicious artifacts related to the campaign. |
| Currently | The spread of the activity is still being monitored. |
List of affected packages
Miasma Mini Shai-Hulud Supply Chain Attack - Socket
Main attack chain
What sets Shai-Hulud apart as one of the most notable supply chain campaigns of 2026 is its ability to combine credential theft, self-propagation to other packages, and exploitation of the victim's own software development infrastructure to scale the attack. Unlike traditional typosquatting campaigns that rely on tricking users into installing fake packages, Shai-Hulud directly targets compromised legitimate packages or stolen maintainer accounts.
Phase 1: Trojanized Package
The first step of the campaign is to insert malicious code into legitimate packages. In many cases, the attacker doesn't create fake packages but exploits access to a maintainer's account or the software release process to insert a payload into a new version of the package. When users execute: npm install or pip install , they believe they are installing missing packages, but instead, they have installed a legitimate package that has been supplemented with malicious components. This makes detection significantly more difficult because the package name, metadata, and main functionality of the library remain completely normal.
Phase 2A: Miasma – Activation Through Node.js Build Process
For the Miasma variant on npm, the malware exploits the build mechanism of Node.js native modules to execute the payload during the package installation process.
The file binding.gyp is designed to trigger the build process through node-gyp. When the build process occurs, the malware is executed without requiring any additional action from the user. This technique is particularly effective because developers often view the build dependency process as normal behavior and rarely monitor the details of what happens during the package installation phase.
Phase 2B: Hades – Exploitation of Python Startup Hook
Meanwhile, the Hades variant on PyPI uses a much more sophisticated technique through Python's .pth mechanism. After the package is installed, the malware drops a file named: -setup.pth into the site-packages directory.
Unlike regular Python files, every .pth file is automatically processed by the Python interpreter during startup. This means the malware can be executed as soon as the user opens Python or any application that uses Python. To better understand, we can view the infection chain as follows:
This is one of the most dangerous techniques recorded in the Hades campaign because the malware doesn't need to be imported or called directly. As soon as a Python process starts, the payload can be activated.
Phase 3: Payload Download and Execution
Once activated, Hades will download Bun Runtime from GitHub.
The choice of Bun instead of Node.js indicates that the threat actor is aiming for the ability to reuse source code across different platforms. The main payload is written in JavaScript and stored in the file _index.js with multiple layers of obfuscation to avoid detection.
These components are responsible for:
Collecting system information
Accessing credentials
Connecting to the control infrastructure
Preparing for the self-propagation phase
Phase 4: Credential Harvesting
After gaining execution rights on the victim's system, the malware begins searching for valuable credentials. Targets include:
GitHub Personal Access Tokens
GitHub Actions Secrets
AWS Credentials
Azure Credentials
GCP Service Accounts
SSH Keys
Docker Configurations
.env Files
Kubernetes Tokens
AI Assistant Configurations
Researchers have noted that Hades is particularly interested in modern development environments where developers often store various types of secrets on the same device. In addition to cloud credentials and SSH keys, the malware also collects configurations from AI coding assistant tools like GitHub Copilot, Cursor, and Claude Code, indicating that threat actors are beginning to expand their targets into the AI development ecosystem.
Phase 5: Exfiltration via GitHub
Another notable point is that the malware does not use traditional C2 servers. Instead, the stolen data is pushed to GitHub repositories controlled by the attacker.
Using GitHub as an exfiltration channel makes network traffic appear like regular software development activity, reducing the likelihood of detection by network monitoring solutions.
Phase 6: Self-Propagation
This is the phase that sets Shai-Hulud apart from most previously recorded supply chain malware. After stealing credentials, the malware attempts to access GitHub repositories, npm accounts, PyPI accounts, and CI/CD pipelines, allowing it to release additional malicious packages.
This cycle forms a self-replicating loop, transforming the campaign from a single data theft attack into a supply-chain worm capable of spreading laterally within the same software ecosystem.
Summary of the Impact of the Shai-Hulud Campaign
| Category | Impact |
|---|---|
| Scale | More than 100 npm and PyPI packages were infected, creating over 471 malicious artifacts. |
| The targeted subjects | Developer, Maintainer, DevOps, AI Engineers, Bioinformatics Researchers |
| Affected package | npm packages, PyPI packages, AI tooling, Bioinformatics libraries, MCP ecosystem |
| Stolen data | GitHub PAT, GitHub Actions Tokens, AWS/Azure/GCP Credentials, SSH Keys, Docker Configs, .env files |
| AI resources | Configuration and tokens of GitHub Copilot, Cursor, Claude Code, and other AI Coding Assistants |
| Impact on Developer | Loss of control over GitHub account, exposure of source code, secrets, and cloud resources |
| Impact on Business | Compromise CI/CD, release malicious packages, risk of supply chain spreading to customers |
| Impact on Cloud | Unauthorized access to AWS, Azure, GCP, Kubernetes clusters, and AI/ML resources |
| Ability to spread | Malware uses stolen credentials to continue publishing new malicious packages. |
| Channel Exfiltration | GitHub repositories were used as C2 and storage locations for stolen data. |
| The most dangerous point | This is one of the first campaigns capable of self-propagating supply-chain worms on npm/PyPI. |
| Risk level | Critical – Capable of simultaneously affecting developers, source code, CI/CD, and cloud infrastructure. |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Supply Chain Compromise | T1195.001 | Trojanized packages on PyPI/NPM |
| Execution | Command and Scripting Interpreter: Python | T1059.006 | .pth file abuse → Python startup hook |
| Execution | Command and Scripting Interpreter: JavaScript | T1059.007 | Bun runtime execute _index.js |
| Persistence | Boot or Logon Initialization Scripts | T1037 | .pth file persist across Python sessions |
| Credential Access | Credentials from Password Stores | T1555 | Harvest from .env, configs |
| Credential Access | Steal Application Access Token | T1528 | GitHub PAT, cloud tokens |
| Collection | Data from Local System | T1005 | AWS/GCP keys, SSH keys |
| Exfiltration | Exfiltration to Cloud Storage | T1567 | GitHub repos used as C2/exfiltration |
| Defense Evasion | Obfuscated Files or Information | T1027 | _index.js obfuscated, encrypted components |
| Defense Evasion | Process Injection | T1055 | Memory read /proc/pid/mem, Mach APIs |
| Lateral Movement | Account Manipulation | T1098 | Use stolen tokens to infect other packages |
Expert opinion
From a threat analysis perspective, Shai-Hulud is not merely a credential-stealing campaign but an indication that supply chain attacks are entering a new phase: automation, self-propagation, and scalability on an industrial level.
The most notable aspect of this campaign is its ability for lateral self-propagation within the same software ecosystem. For years, common supply chain attacks have typically involved typosquatting, dependency confusion, or hijacking popular packages to spread malware. However, Shai-Hulud has advanced further by using stolen credentials to infiltrate maintainer accounts, CI/CD pipelines, or other repositories, thereby releasing additional malicious package versions. This spread model makes the malware function similarly to a "worm" in the open-source ecosystem, where each new victim can become a springboard for subsequent attacks.
For Vietnam, this campaign is highly relevant. Most software development teams today rely on packages from npm and PyPI during product development. Commands like pip install or npm install are used almost daily in the work environment. Meanwhile, many businesses still focus on source code vulnerability scanning or checking dependencies before deployment without adequately investing in runtime security solutions on development machines and CI/CD systems. This creates a significant gap when techniques like Hades' .pth startup hook can execute malicious code without direct user interaction.
Recommendation
For Individual Developers
First, review the packages you have installed or updated recently, especially libraries related to AI, machine learning, bioinformatics, or new packages introduced on social media and technical forums. If you have installed any packages on the affected list, consider all credentials on the development machine potentially compromised. Users should:
Change your GitHub Personal Access Token (PAT)
Create new SSH Keys
Revoke and reissue API Keys
Change the cloud credentials you are using
Check the login history for GitHub and cloud platforms
For Software Development Teams
Development teams should limit installing packages directly from the internet without going through a security review process.
Some measures to implement immediately:
Only use packages from reliable sources
Check the update history of a package before upgrading
Pin versions instead of using the latest version
Verify the checksum or hash of important packages
Regularly review the dependency tree
In particular, avoid granting excessive permissions to tokens used in the development environment. GitHub PATs or cloud credentials should only be given the necessary scope to minimize damage if stolen.
For Businesses
Organizations should view developer computers as high-value attack targets, as they store source code, credentials, and access to CI/CD systems. Businesses should:
Monitor unusual activity on GitHub, GitLab, and cloud platforms
Apply multi-factor authentication (MFA) for all critical accounts
Regularly rotate access tokens and secrets
Separate development and production environments
Implement solutions for detecting abnormal behavior on endpoints
Additionally, establish a response process for when a package is compromised, including revoking credentials, assessing the impact, and reviewing internally released packages.
IOC
Malicious PyPI Artifacts
Hashes
dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe(Variant 1, 4.8 MB, 17 packages)e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d(Variant 2, 4.7 MB, 2 packages)c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c
Files
*-setup.pth_index.js
Loader strings
.bun_ranbun-v1.3.13oven-sh/bun/releases/downloadurllib.requesturlretrievetempfile.gettempdir
Network
hxxps://api[.]anthropic[.]com/v1/api- legitimate Anthropic API host abused as a camouflage exfiltration destination
GitHub exfiltration markers
Hades - The End for the DamnedIfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFullyresults/results-*.jsonformat-resultsRun Copilot
Refer to
Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads w...
New Shai-Hulud attack trojanizes 19 science-focused PyPI packages
Shai-Hulud Malware Campaign Abuses 23 PyPI Packages in Developer-Focused Attack
