Hackers compromised 19 packages on PyPI, collectively downloaded hundreds of thousands of times, in a new Shai-Hulud supply-chain attack that delivered malware designed to steal developer secrets.
Many of the infected packages are popular bioinformatics tools such as Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH.
The new campaign was discovered by application security company Socket and extended to 37 malicious releases for 19 packages that appear to be from a single maintainer.
The researchers say that the malicious artifacts included a ‘*-setup.pth’ file and an obfuscated JavaScript payload named ‘_index.js’.
Simply starting the Python interpreter is enough to trigger execution of the PTH file, which then attempts to download the Bun JavaScript runtime from GitHub and use it to run the bundled script.
“That means a compromised wheel can turn an otherwise passive dependency install into a delayed execution trigger: the next Python, pip, test run, notebook kernel, CI job, or package-management command that starts Python may process the malicious .pth,” Socket explains.
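The trigger described above works because Python's `site` module executes any line in a `.pth` file that begins with `import` (followed by a space or tab) every time the interpreter starts. The following scanner, an added defensive example that is not part of the Socket report or of any of the affected packages, lists every executing line in the `.pth` files of a given directory and flags lines that reference subprocess, networking or decoding modules so an analyst can review them by hand. Legitimate editable installs also use `import` lines, so a flagged file is a lead for review, not proof of compromise; the `SUSPICIOUS` pattern is a constructed heuristic, not a signature from the report.

```python
"""Scan site-packages directories for .pth files that execute code at start-up.

Added illustration (not from the Socket report): Python's site module runs any
.pth line that starts with "import " or "import\t"; all other lines are treated
as sys.path entries or comments. This script lists those executing lines and
flags ones that reference modules commonly seen in dropper-style loaders.
"""
import re
import site
import sys
from pathlib import Path

# Constructed heuristic: module and call names worth a second look.
SUSPICIOUS = re.compile(
    r"subprocess|urllib|requests|socket|exec\(|eval\(|base64|os\.system|\bbun\b|\.js\b",
    re.IGNORECASE,
)


def is_executing_line(line: str) -> bool:
    """Mirror the site module's rule: only lines starting with 'import ' or 'import\\t' run."""
    return line.startswith(("import ", "import\t"))


def scan_pth_file(path: Path) -> list:
    """Return (lineno, line, suspicious) for every executing line in one .pth file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_executing_line(line):
            findings.append((lineno, line.strip(), bool(SUSPICIOUS.search(line))))
    return findings


def scan_directory(directory) -> dict:
    """Scan every *.pth directly inside `directory` (site does not recurse into subdirs)."""
    results = {}
    for pth in sorted(Path(directory).glob("*.pth")):
        hits = scan_pth_file(pth)
        if hits:
            results[pth.name] = hits
    return results


def scan_current_interpreter() -> dict:
    """Scan the site-packages directories the running interpreter would process."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    combined = {}
    for d in dirs:
        for name, hits in scan_directory(d).items():
            combined[str(Path(d) / name)] = hits
    return combined


if __name__ == "__main__":
    report = scan_current_interpreter()
    for path, hits in report.items():
        for lineno, line, flagged in hits:
            marker = "SUSPICIOUS" if flagged else "executes"
            print(f"{marker}: {path}:{lineno}: {line}")
    sys.exit(1 if any(f for hits in report.values() for _, _, f in hits) else 0)
```

Running it with no arguments scans the active interpreter's site-packages; in CI the non-zero exit code on a flagged line can gate the job. Distributions that ship pre-built wheels can be checked before installation by unpacking the wheel and pointing `scan_directory` at the extracted root, since a `.pth` placed there lands in site-packages on install.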
The researchers believe that the attack is part of the broader “Shai-Hulud” campaign, because the malware shares several techniques with it.
Because of this, Socket is tracking it alongside previous attacks, with the list of malicious artifacts attributed to Shai-Hulud activities now showing 453 items.
An analysis of the JavaScript payload revealed that it targeted a broad range of developer secrets that included the following:
GitHub tokens and GitHub Actions secrets