Shai-Hulud PyPI supply-chain malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The Shai-Hulud supply-chain malware compromised 19 PyPI packages, turning routine installs into secret-stealing execution and putting developer credentials at risk. The infected releases used a malicious **`*-setup.pth` startup hook and obfuscated `_index.js` payload to trigger Python-driven execution. The activity spread through hundreds of thousands of downloads and targeted GitHub tokens, cloud credentials, SSH keys,** and other development secrets.
Related Happenings
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
IncidentAbout this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
AUDIOFIX and MiniRAT macOS malware activity
Malware Activity
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
AUDIOFIX and MiniRAT macOS malware activity
Malware ActivityAbout this happening: The **AUDIOFIX** and **MiniRAT** malware activity is targeting **cryptocurrency firms** and **developer infrastructure** on **macOS** with **LinkedIn recruiter** lures, a fake mee...
JINX-0164 cryptocurrency recruitment-lure campaign
Campaign
First: 28.05.2026 10:54
Last: 28.05.2026 10:54
Sources 1
About this happening:
A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
JINX-0164 cryptocurrency recruitment-lure campaign
CampaignAbout this happening: A **JINX-0164** campaign is targeting **cryptocurrency firms** and developers with **LinkedIn recruiter lures**, a fake meeting-and-fix workflow, and **macOS malware** to steal cr...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
TrapDoor trap-core.js credential-stealing package malware
Malware ActivityAbout this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Shai-Hulud worm clone activity on NPM
Malware Activity
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
-
08.06.2026 23:41 2 articles · 3h ago
Shai-Hulud compromise hits 19 PyPI packages and steals developer secrets
Initial DisclosureSocket identified a Shai-Hulud supply-chain compromise of 19 PyPI packages, spread across 37 malicious releases, that used a malicious `*-setup.pth` startup hook and an obfuscated `_index.js` payload to trigger Python-driven Bun execution and steal developer secrets from developer and CI/CD environments.
Show sources
- New Shai-Hulud attack trojanizes 19 science-focused PyPI packages — www.bleepingcomputer.com — 08.06.2026 23:41
- New Shai-Hulud attack trojanizes 19 science-focused PyPI packages — www.bleepingcomputer.com — 08.06.2026 23:41