Mini Shai-Hulud, Miasma, and Hades Worms Target Bioinformatics and MCP Developers via Malicious PyPI Wheels
A fast-moving supply chain campaign dubbed Mini Shai-Hulud/Miasma is targeting Python developers with malicious PyPI wheels. The threat actors use novel execution techniques, including trojanized native extensions and split-loader .pth hooks that search sys.path for their payload, to deploy the Hades stealer and harvest credentials from CI/CD pipelines and developer workstations.
| Type | Value | Description |
|---|---|---|
| filename | ensmallen_core2.abi3.so | Trojanized native extension used for import-time execution in the bioinformatics cluster. |
| filename | ensmallen_haswell.abi3.so | Trojanized native extension used for import-time execution in the bioinformatics cluster. |
| filename | langchain_core-setup.pth | Malicious Python startup hook used to bootstrap Bun and execute the JavaScript payload. |
| pypi_package | embiggen | Malicious bioinformatics PyPI package using trojanized native extensions for import-time execution. |
| pypi_package | langchain-core-mcp | Malicious PyPI package using a split-loader variant to search sys.path for its payload. |
| sha256 | 6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2 | Hash of the malicious langchain_core-setup.pth startup hook. |
| sha256 | 6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9 | Hash of the malicious langchain_core_mcp-1.4.2-py3-none-any.whl artifact. |
| url | hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1[.]3[.]13/bun-{os}-{arch}[.]zip | URL used by the Python loader to download the Bun runtime into a temporary directory. |
Detection / HunterGoogle
What Happened
Threat actors are distributing malicious packages through the Python Package Index (PyPI), specifically targeting developers working in bioinformatics and on AI/MCP tooling. When a developer installs one of these packages, hidden code downloads the Hades stealer, which harvests passwords, cloud credentials, and source code. This matters because a single compromised developer account or CI runner can seed a wider breach of an organization's software supply chain. Organizations should review their Python environments for the specific malicious packages listed here, rotate any potentially exposed credentials, and monitor build systems for unusual activity.
Key Takeaways
- Threat actors are iterating on the Mini Shai-Hulud/Miasma campaign with 23 new malicious PyPI packages targeting bioinformatics and AI/MCP developers.
- The campaign utilizes three distinct delivery mechanisms: .pth startup hooks, trojanized native .abi3.so extensions, and a split-loader variant.
- The langchain-core-mcp variant evades scanners that expect loader and payload to ship together: its .pth hook searches sys.path for the _index.js payload instead of bundling it in the wheel.
- The malware payload includes a fake prompt-injection header designed to pollute and disrupt AI-assisted analysis tools.
- The Hades stealer targets developer workstations and CI/CD environments to harvest high-value secrets, including cloud credentials, SSH keys, and package registry tokens.
Affected Systems
- Python developer workstations
- CI/CD environments
- Linux
- macOS
- Windows
Attack Chain
The attack begins when a developer installs a malicious PyPI package. Depending on the package variant, execution is triggered either by a .pth startup hook, which site.py runs at interpreter start, or by a trojanized native .abi3.so extension when the module is imported. The loader downloads the Bun runtime from GitHub releases into a temporary directory, locates an obfuscated JavaScript payload (_index.js) either bundled with the package or elsewhere on sys.path, and executes it with Bun. The payload, fronted by an LLM prompt-injection comment header meant to derail AI-assisted analysis, then harvests credentials, SSH keys, and tokens from the developer's workstation or CI/CD environment.
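The mechanism above suggests a straightforward host-side audit: check installed distributions against the package names on this page, inspect every .pth file in site-packages for executable lines that do more than a plain import, look for the payload and marker filenames, and compare .pth and .whl hashes to the known SHA-256 values. The script below is an added example for this write-up, not tooling from Socket or from the source article; the package names, filenames and hashes come from the IOC sections here, while the .pth heuristic tokens, the function names and the directory layout it expects are this script's own assumptions.

```python
"""Audit a Python environment for the PyPI artifacts described above.

Added example for this write-up, not tooling from Socket or the source
article. Package names, filenames and hashes are from the IOC sections;
the .pth heuristic and function names are this script's own assumptions.
"""
import hashlib
import re
import site
import tempfile
from pathlib import Path

# Malicious distribution names from the IOC sections, normalized per PEP 503.
MALICIOUS_PACKAGES = {
    "embiggen", "langchain-core-mcp", "dreamgen", "ensmallen", "gpsea",
    "instructor-mcp", "mem8", "mflux-streamlit", "openai-mcp",
    "orchestr8-platform", "phenopacket-store-toolkit", "ppkt2synergy",
    "pyphetools", "ray-mcp-server", "rlask", "rsquests", "tiktoken-mcp", "tlask",
}

# SHA-256 hashes of artifacts from the IOC table.
KNOWN_BAD_SHA256 = {
    "6506d31707a39949f89534bf9705bcf889f1ecae3dbc6f4ff88d67a8be3d01b2": "langchain_core-setup.pth",
    "6d332f814f15f19758d65026bbfd0a8c49671b319ec77b8fa1b27fc48afff7d9": "langchain_core_mcp-1.4.2-py3-none-any.whl",
}

# Filenames the loader chain depends on or leaves behind.
SUSPECT_FILENAMES = {
    "_index.js", ".bun_ran", ".sshu-setup.js",
    "ensmallen_core2.abi3.so", "ensmallen_haswell.abi3.so",
}

# site.py executes every .pth line that begins with "import". A benign hook
# (setuptools, editable installs) just imports a module; the tokens below are
# this example's heuristic (an assumption) for a line that downloads,
# decodes or executes something.
PTH_SUSPECT_TOKENS = re.compile(
    r"exec\(|subprocess|urllib|http\.client|tempfile|sys\.path|os\.system|"
    r"zipfile|base64", re.I)


def normalize(name: str) -> str:
    """PEP 503 name normalization: langchain_core_mcp -> langchain-core-mcp."""
    return re.sub(r"[-_.]+", "-", name).lower()


def suspicious_pth_lines(text: str) -> list:
    """Return the executable lines of a .pth file that look like a loader."""
    return [
        line for line in text.splitlines()
        if line.startswith("import") and PTH_SUSPECT_TOKENS.search(line)
    ]


def audit_site_packages(site_dir: Path) -> dict:
    """Scan one site-packages directory and return what was found."""
    findings = {"packages": [], "pth": [], "files": [], "hashes": []}
    if not site_dir.is_dir():
        return findings
    for entry in sorted(site_dir.iterdir()):
        if entry.suffix == ".dist-info":
            # "langchain_core_mcp-1.4.2.dist-info" -> "langchain_core_mcp"
            if normalize(entry.name.split("-", 1)[0]) in MALICIOUS_PACKAGES:
                findings["packages"].append(entry.name)
        elif entry.suffix == ".pth":
            hits = suspicious_pth_lines(entry.read_text(errors="replace"))
            if hits:
                findings["pth"].append((entry.name, hits))
    for path in site_dir.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(site_dir))
        if path.name in SUSPECT_FILENAMES:
            findings["files"].append(rel)
        if path.suffix in {".pth", ".whl"}:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                findings["hashes"].append((rel, KNOWN_BAD_SHA256[digest]))
    return findings


def run_once_marker_present(tmp_dir=None) -> bool:
    """The loader drops a hidden .bun_ran run-once marker in the temp directory."""
    tmp_dir = Path(tmp_dir) if tmp_dir else Path(tempfile.gettempdir())
    return (tmp_dir / ".bun_ran").exists()


def audit_current_environment() -> dict:
    """Audit every site-packages directory of the running interpreter."""
    dirs = {Path(p) for p in site.getsitepackages() + [site.getusersitepackages()]}
    report = {str(d): audit_site_packages(d) for d in dirs}
    report["bun_ran_marker"] = run_once_marker_present()
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit_current_environment(), indent=2))
```

Run it inside each virtual environment and CI image you care about (the interpreter decides which site-packages are scanned); a hit on the package list or a hash is conclusive, while a flagged .pth line needs a human look, since legitimate hooks such as setuptools' distutils-precedence.pth also start with `import`.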
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Socket AI Scanner
The article mentions that Socket AI Scanner detects the malicious behavior, but no raw detection rules or queries are provided in the text.
Detection Engineering Assessment
- EDR Visibility: Medium. EDR can observe Python spawning the Bun executable and the subsequent network connections, but may miss the initial Python import-time execution if it blends with normal developer activity.
- Network Visibility: Medium. Network telemetry can capture the download of the Bun runtime from GitHub and the subsequent C2 exfiltration, though the initial package download from PyPI looks legitimate.
- Detection Difficulty: Moderate. The split-loader technique and the use of native extensions make static analysis difficult, but the behavioral chain of Python downloading and executing Bun is highly anomalous.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- File Creation Logs (Sysmon Event ID 11)
- Network Connection Logs (Sysmon Event ID 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Python processes spawning a 'bun' executable, especially if Bun is running from a temporary directory. | Process Creation Logs | Execution | Low |
| Look for the creation of a hidden file named '.bun_ran' in system temporary directories, which acts as a run-once marker. | File Creation Logs | Execution | Low |
| Monitor for Python processes making network connections to download zip files from GitHub releases, specifically targeting the Bun runtime. | Network Connection Logs | Execution | Medium |
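The three hypotheses in the table translate directly into rules over process-creation, file-creation and network-connection events. The code below is an added example for this write-up, not a rule shipped by Socket or by the source article: it evaluates the rules against constructed Sysmon-style events (EventID, Image, ParentImage, TargetFilename, DestinationHostname). The temp-directory prefixes, the python/bun name patterns and the GitHub host list are this example's own assumptions to adapt to your telemetry schema.

```python
"""Detection logic for the three hunting hypotheses in the table above.

Added example for this write-up, not a rule from Socket or the source
article. Sample events are constructed; temp-dir prefixes, process-name
patterns and GitHub hosts are this example's assumptions.
"""
import re

PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?(\.exe)?$", re.I)
BUN_RE = re.compile(r"^bun(\.exe)?$", re.I)
# Assumed hosts contacted when a GitHub release asset is fetched.
GITHUB_HOSTS = {"github.com", "objects.githubusercontent.com"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def in_temp_dir(path: str) -> bool:
    """Linux/macOS/Windows temp locations the Bun runtime gets unpacked into."""
    p = path.replace("\\", "/").lower()
    return (p.startswith(("/tmp/", "/var/tmp/", "/private/tmp/", "/var/folders/"))
            or "/appdata/local/temp/" in p or "/windows/temp/" in p)


def _alert(rule, severity, event):
    return {"rule": rule, "severity": severity,
            "image": event.get("Image", ""), "event_id": event.get("EventID")}


def rule_python_spawns_bun(event):
    """H1: a Python interpreter is the parent of a 'bun' process (Sysmon EID 1 / 4688)."""
    if event.get("EventID") != 1:
        return None
    if not (PYTHON_RE.match(basename(event.get("ParentImage", "")))
            and BUN_RE.match(basename(event.get("Image", "")))):
        return None
    # Bun running from a temp directory is the loader's signature; a Bun a
    # developer installed on PATH is still worth a look, but lower severity.
    severity = "high" if in_temp_dir(event["Image"]) else "medium"
    return _alert("H1", severity, event)


def rule_bun_ran_marker(event):
    """H2: hidden run-once marker .bun_ran created in a temp directory (Sysmon EID 11)."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if basename(target) == ".bun_ran" and in_temp_dir(target):
        return _alert("H2", "high", event)
    return None


def rule_python_to_github(event):
    """H3: Python itself connecting to GitHub hosts (Sysmon EID 3). Medium FP risk:
    pip installing from a VCS URL looks the same, so correlate with H1/H2."""
    if event.get("EventID") != 3:
        return None
    if (PYTHON_RE.match(basename(event.get("Image", "")))
            and event.get("DestinationHostname", "").lower() in GITHUB_HOSTS):
        return _alert("H3", "medium", event)
    return None


RULES = (rule_python_spawns_bun, rule_bun_ran_marker, rule_python_to_github)


def evaluate(events):
    """Run every rule over every event; return alerts in event order."""
    alerts = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": "/usr/bin/python3.11", "Image": "/usr/bin/gcc"},
    {"EventID": 1, "ParentImage": "/usr/bin/python3", "Image": "/tmp/tmpk3q9/bun",
     "CommandLine": "/tmp/tmpk3q9/bun run _index.js"},
    {"EventID": 11, "Image": "/usr/bin/python3", "TargetFilename": "/tmp/.bun_ran"},
    {"EventID": 3, "Image": "/usr/bin/python3", "DestinationHostname": "github.com",
     "DestinationPort": 443},
    {"EventID": 1, "ParentImage": "/bin/bash", "Image": "/home/dev/.bun/bin/bun"},
    {"EventID": 1, "ParentImage": "C:\\Python312\\python.exe",
     "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\tmp8f2a\\bun.exe"},
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample set the developer's own Bun launched from a shell produces nothing, while the two Python-parented Bun launches from temp directories, the `.bun_ran` marker and the Python-to-GitHub connection each raise an alert; H3 on its own is noisy, which is why it is scored medium and meant to be correlated with H1 or H2 on the same host.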
Control Gaps
- Static source code analysis tools that do not scan compiled .abi3.so native extensions.
- AI-assisted malware triage tools vulnerable to prompt injection.
- Scanners that expect loader and payload to be bundled in the same directory.
Key Behavioral Indicators
- Python process downloading Bun runtime.
- .pth startup hooks, executed by site.py at interpreter start, that search sys.path for a payload.
- Presence of LLM prompt injection strings in JavaScript comments.
- Python importing .abi3.so files that trigger external script execution.
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider searching your Python environments and CI/CD pipelines for the specific malicious PyPI packages listed (e.g., langchain-core-mcp, embiggen).
- If any affected packages are found, evaluate whether to immediately rotate all potentially exposed credentials, including cloud tokens, SSH keys, and package registry tokens.
Infrastructure Hardening
- Evaluate whether to implement network egress filtering on CI/CD runners to block unexpected downloads, such as unauthorized runtimes from GitHub.
- Consider restricting access to the Docker socket (/var/run/docker.sock) on build runners to prevent abuse by malicious scripts.
User Protection
- If supported by your tooling, enforce strict dependency pinning with hash-checking (for example pip's --require-hashes mode with hashes recorded in requirements files) for all Python packages installed on developer workstations.
- Install and run untrusted dependencies in isolated environments (disposable containers or VMs that hold no long-lived credentials) to limit the blast radius of a compromised package; a virtual environment alone isolates packages, not the credentials the stealer is after.
Security Awareness
- Consider training developers on the risks of typosquatting and the importance of verifying package names before installation.
- Evaluate whether to incorporate supply chain security awareness into existing developer training programs.
MITRE ATT&CK Mapping
- T1195.001 - Supply Chain Compromise: Software Dependencies and Development Tools
- T1059.006 - Command and Scripting Interpreter: Python
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1574 - Hijack Execution Flow
- T1552.001 - Credentials In Files
- T1562.001 - Impair Defenses: Disable or Modify Tools
Additional IOCs
- File Paths:
  - _index.js: Obfuscated JavaScript payload file searched for within sys.path by the loader.
  - .bun_ran: Run-once marker file created in the system temporary directory.
  - /tmp/.sshu-setup.js: SSH propagation file path used by the malware.
- Command Lines:
  - subprocess.run([bun_path, "run", payload], check=False) (Tools: Python, Bun | Stage: Execution | Purpose: Execute the discovered JavaScript payload using the downloaded Bun runtime.)
- Other:
  - dreamgen: Malicious PyPI package artifact.
  - ensmallen: Malicious PyPI package artifact.
  - gpsea: Malicious PyPI package artifact.
  - instructor-mcp: Malicious PyPI package artifact.
  - mem8: Malicious PyPI package artifact.
  - mflux-streamlit: Malicious PyPI package artifact.
  - openai-mcp: Malicious PyPI package artifact.
  - orchestr8-platform: Malicious PyPI package artifact.
  - phenopacket-store-toolkit: Malicious PyPI package artifact.
  - ppkt2synergy: Malicious PyPI package artifact.
  - pyphetools: Malicious PyPI package artifact.
  - ray-mcp-server: Malicious PyPI package artifact.
  - rlask: Malicious PyPI package artifact.
  - rsquests: Malicious PyPI package artifact.
  - tiktoken-mcp: Malicious PyPI package artifact.
  - tlask: Malicious PyPI package artifact.
  - thebeautifulmarchoftime: Fallback C2 discovery string.
  - thebeautifulsnadsoftime: Fallback C2 discovery string.