New Shai-Hulud Wave Hits PyPI Packages Used by MCP and Bioinformatics Developers
9 min. read 
Published on
A new wave of the Shai-Hulud supply chain campaign has reached PyPI, with researchers identifying 23 newly discovered malicious package-version artifacts aimed at Python developers, MCP builders, and bioinformatics users.
The latest findings come from Socket Threat Research, which said the newer wave expands beyond an earlier set of 37 malicious PyPI wheels. The campaign now uses several delivery methods, including Python startup hooks, native extensions, and a loader variant tied to langchain-core-mcp.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The risk is serious because the malware targets developer workstations and CI/CD systems for secrets. Socket said the payload can look for package registry tokens, cloud credentials, Kubernetes material, SSH keys, Docker configuration, shell histories, .env files, and AI developer tool settings.
What changed in the latest Shai-Hulud wave
The new PyPI activity is part of the broader Mini Shai-Hulud, Miasma, and Hades campaign. Socket’s campaign tracker currently lists 473 affected artifacts across npm and PyPI, with activity continuing into June 2026.
The latest PyPI wave is not limited to typo-squatting. It includes MCP-themed packages, bioinformatics packages, and lookalikes designed to catch common developer mistakes.
That mix shows how the attackers are trying to reach both AI developers and scientific computing users. MCP packages can appeal to developers building AI agent integrations, while bioinformatics packages can reach research environments that often run complex Python stacks.
| Cluster | Examples | Likely target |
|---|---|---|
| MCP and AI-themed packages | langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, ray-mcp-server | Developers building AI agent and tool integrations |
| Bioinformatics packages | embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy, pyphetools | Scientific, genomics, and research workflows |
| Typosquat packages | rsquests, tlask, rlask | Developers who mistype popular package names |
Three delivery methods make the campaign harder to spot
Socket said the attackers are no longer relying on a single execution method. One branch uses Python .pth startup hooks to run a bundled JavaScript stealer through the Bun runtime.
A second branch hides malicious behavior inside compiled native .abi3.so extensions. That can bypass source-only review because the visible Python files may look clean, while the compiled extension triggers the payload when the module loads.
A third branch uses a langchain-core-mcp loader variant. According to Socket’s analysis, that wheel does not include the expected _index.js payload. Instead, it searches Python’s module path for the payload elsewhere, which can split the loader and payload across different locations.
- .pth startup hooks can run during Python startup.
- Native extensions can hide execution paths from simple source review.
- Loader and payload separation can confuse rules that expect both files in one wheel.
- Obfuscated JavaScript payloads can target developer and CI secrets.
Why MCP developers are a high-value target
The campaign’s MCP-themed package names are notable because the Model Context Protocol has become a fast-growing way to connect AI applications to external systems. The official Model Context Protocol documentation describes MCP as an open standard for connecting AI apps to data sources, tools, and workflows.
That makes MCP developers valuable targets. They often work with API keys, model provider credentials, local tools, code editors, cloud services, and private data sources.
If a malicious dependency lands in an MCP project, it may run in an environment with access to sensitive agent tooling. The damage can extend beyond one laptop if the same package reaches a build system or shared development image.
New PyPI artifacts identified by Socket
Socket listed 23 newly identified malicious PyPI package-version artifacts in the June 8 report. Some package names appear once, while others have multiple affected versions.
The list below should be treated as a blocklist and hunting reference. Teams should check local environments, dependency manifests, lockfiles, package caches, CI runners, and private mirrors for these names and versions.
| Package | Malicious version or versions |
|---|---|
| dreamgen | 1.8.1 |
| embiggen | 0.11.97 |
| ensmallen | 0.8.101 |
| gpsea | 0.9.14 |
| instructor-mcp | 1.15.2, 1.15.3 |
| langchain-core-mcp | 1.4.2, 1.4.3 |
| mem8 | 6.0.1 |
| mflux-streamlit | 0.0.3, 0.0.4 |
| openai-mcp | 2.41.1, 2.41.2 |
| orchestr8-platform | 3.3.2 |
| phenopacket-store-toolkit | 0.1.7 |
| ppkt2synergy | 0.1.1 |
| pyphetools | 0.9.120 |
| ray-mcp-server | 0.2.1 |
| rlask | 3.1.7 |
| rsquests | 2.34.3 |
| tiktoken-mcp | 0.13.1, 0.13.2 |
| tlask | 3.1.4 |
The attack targets developer secrets
This campaign does not target ordinary end users in the same way as consumer malware. It focuses on the developer supply chain, where a single stolen token can let attackers publish new malicious packages, access private repositories, or poison automated workflows.
Socket’s earlier Hades PyPI analysis described malicious wheels that used Python startup hooks to launch a Bun-powered credential stealer. The newer wave builds on that pattern and adds more varied delivery methods.
Once a compromised package runs, defenders should assume credentials may have been exposed. This includes GitHub tokens, npm tokens, PyPI tokens, RubyGems keys, JFrog credentials, cloud credentials, Kubernetes service account files, SSH keys, Docker configuration, and AI development tool settings.
- Remove affected package versions from developer systems and CI runners.
- Preserve forensic artifacts before cleanup when possible.
- Rotate tokens and secrets from any environment that installed affected artifacts.
- Review package publishing rights for compromised maintainers and projects.
- Check CI workflows for unexpected edits, new secrets access, and unusual outbound traffic.
AI-assisted malware triage is also being targeted
One unusual detail in the campaign is the use of anti-analysis text aimed at LLM-based scanners. Socket said the malicious JavaScript payload begins with a large comment containing fake system-style instructions.
That text does not affect JavaScript execution because the runtime skips comments. The goal appears to be confusing weak AI-assisted triage systems that feed file contents into a language model without isolating the data as untrusted input.
This is not a complete bypass of traditional malware detection. Static analysis, string extraction, entropy checks, YARA rules, AST parsing, and behavioral monitoring can still work. The technique mainly shows that attackers expect defenders to use AI tools during analysis.
Why PyPI and npm remain attractive targets
PyPI and npm sit at the center of modern software development. A single package can reach developer laptops, build containers, CI runners, production images, and internal mirrors.
The PyPI security page tells users how to report malicious projects and lists examples such as typosquatting, dependency confusion, data exfiltration, obfuscation, and command-and-control behavior.
npm has faced related waves in the same broader campaign. npm’s official documentation describes npm as the world’s largest software registry, and the npm registry remains a major target because developers and organizations use it to share, install, and manage packages.
| Risk area | Why it matters |
|---|---|
| Developer laptops | Often contain SSH keys, cloud credentials, local tokens, and source code |
| CI/CD runners | May hold deployment secrets, package publishing tokens, and GitHub credentials |
| Private mirrors | Can preserve malicious packages even after public removal |
| AI tool projects | May connect models, tools, APIs, and sensitive local resources |
What security teams should hunt for
Teams should first search for the listed package names and versions in requirements files, lockfiles, virtual environments, caches, build logs, artifact stores, and container images.
They should also inspect Python environments for executable .pth files, unexpected _index.js files, Bun download or execution behavior, and newly introduced .abi3.so files in packages that recently changed.
Socket’s live Miasma tracker should be reviewed as the campaign evolves, because additional artifacts may appear after the first report. Security teams should not limit their search to the 23 newer artifacts if they also use npm or older PyPI packages from the same campaign.
How developers can reduce exposure
Developers should avoid installing new AI, MCP, and utility packages directly into sensitive environments until they verify the package publisher, release history, source repository, and recent file changes.
MCP developers should take extra care because MCP connects AI apps to external tools and data sources. The MCP project documentation explains that AI applications can use MCP to connect to local files, databases, search engines, calculators, and workflows, which means compromised tooling can sit close to valuable integrations.
Organizations should also report suspicious packages through the PyPI malware reporting process and follow registry-specific processes for npm packages. The npm documentation remains useful for understanding how the registry, website, and CLI fit into package publishing and consumption workflows.
- Pin dependencies and review lockfile changes before merging.
- Use isolated build environments with minimal secrets.
- Keep package publishing tokens short-lived and scoped.
- Require multi-factor authentication for package publisher accounts.
- Block known malicious package versions in internal package proxies.
- Scan private registries and caches, not only public dependency files.
Why this campaign matters
The Shai-Hulud campaign shows how quickly supply chain attackers can shift across ecosystems, package themes, and execution methods. The move into MCP-themed packages also reflects where attackers believe developer attention is moving.
Socket’s earlier PyPI report focused on 37 malicious wheels tied to startup-hook execution. The newer wave adds native extensions and split loader behavior, making review harder for teams that only inspect Python source files.
For defenders, the takeaway is clear: treat package installation as code execution, especially in AI and CI/CD environments. Any machine that installed the affected versions should go through cleanup, secret rotation, and log review.
FAQ
The new Shai-Hulud wave is a Python package supply chain campaign identified by Socket Threat Research. It adds 23 malicious PyPI package-version artifacts that target MCP developers, AI tooling projects, bioinformatics users, and developers likely to install typo-squatted packages.
Socket described the new wave as 23 package-version artifacts, not 23 unique package names. Several package names had more than one malicious version, including instructor-mcp, langchain-core-mcp, mflux-streamlit, openai-mcp, and tiktoken-mcp.
MCP developers often work with AI tools, API keys, local data sources, code editors, and automation workflows. A malicious package in that environment can expose valuable tokens and credentials, especially if it runs on a CI/CD system or a developer machine with broad access.
Remove the affected package version, preserve forensic evidence where possible, rotate credentials from that environment, review CI logs and workflow changes, and check for suspicious files such as executable .pth hooks, unexpected _index.js files, Bun-related execution, and unusual native extensions.
Teams should pin dependencies, review lockfile changes, isolate build environments, reduce secrets available to CI jobs, use scoped and short-lived tokens, require MFA for package publishers, scan private package caches, and block known malicious versions in internal package proxies.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages