
PyStoreRAT GitHub repository delivery campaign with social promotion and metric inflation

Type: Campaign · Happening score: 38 · 1 unique source, 1 article

Summary


The PyStoreRAT campaign is using GitHub-hosted Python repositories to spread a JavaScript-based RAT, creating a deceptive infection path for analysts and developers. The repositories pose as OSINT tools, DeFi bots, GPT wrappers, and security utilities while hiding a loader that fetches a remote HTA payload. The operation has been active since mid-June 2025 and uses YouTube, X, and inflated star-and-fork metrics to make the lures look trustworthy. It matters because the chain can install Rhadamanthys, profile victims, and persist through a disguised scheduled task.

Related Happenings

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Mini Shai-Hulud supply-chain campaign targeting npm and PyPI

Campaign
First: 12.05.2026 17:45 Last: 12.05.2026 17:45 Sources 1

About this happening: The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...

Latest development: 21.05.2026 11:00

Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.

Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials

Campaign
First: 12.05.2026 14:29 Last: 12.05.2026 14:29 Sources 1

About this happening: The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...

TeamPCP Mini Shai-Hulud npm supply-chain campaign

Campaign
First: 12.05.2026 14:07 Last: 12.05.2026 14:07 Sources 1

About this happening: The **TeamPCP**-linked **Mini Shai-Hulud** campaign is a **malicious npm supply-chain operation** that steals developer credentials and abuses trusted publishing paths to spread t...

Timeline

  1. 12.12.2025 20:50 2 articles · 5mo ago

    PyStoreRAT GitHub repository campaign disclosed

    Initial Disclosure

    GitHub-hosted Python repositories masquerading as OSINT tools, DeFi bots, GPT wrappers, and security-themed utilities spread PyStoreRAT through loader stubs that silently download a remote HTA file and execute it via mshta.exe. The campaign used YouTube and X promotion, inflated star and fork metrics, and added malicious maintenance commits in October and November after the repositories gained visibility.
