Decoding the world of cybersecurity

Shai-Hulud hits scientific Python packages

A new Shai-Hulud wave has compromised science-focused PyPI packages, putting developer secrets, research workflows, and bioinformatics environments back in the software supply chain spotlight.

Shai-Hulud hits scientific Python packages
Summary
  • Researchers reported a new Shai-Hulud campaign affecting science-focused PyPI packages, including bioinformatics and research tooling.
  • BleepingComputer reported 19 compromised packages and 37 malicious releases, while Endor Labs detailed six bioinformatics packages uploaded in a rapid wave.
  • The payloads targeted developer, cloud, registry, CI/CD, and AI-tooling secrets, extending risk into research and biotech environments.

A new Shai-Hulud supply chain wave has compromised science-focused Python packages on PyPI, extending developer credential theft into research, bioinformatics, and scientific computing environments.

BleepingComputer reported on 8 June that 19 PyPI packages had been compromised across 37 malicious releases, collectively downloaded hundreds of thousands of times. Many of the affected packages were described as bioinformatics or scientific tools, including Dynamo, Spateo, CoolBox, U-FISH, and Napari-UFISH. The campaign was identified by Socket, which linked it to the wider Shai-Hulud activity cluster.

Separately, Endor Labs reported a “Hades” wave in which six Python packages used in academic genomics, phenotype analysis, and graph machine learning were replaced with trojanised versions on 8 June. The packages named by Endor Labs were ensmallen, embiggen, pyphetools, gpsea, phenopacket-store-toolkit, and ppkt2synergy. Endor said the malicious versions were published in under 60 seconds and quarantined after being reported through PyPI’s trusted reporter process.

The reported payloads were designed to steal a broad range of developer and environment secrets. BleepingComputer, citing Socket analysis, said the JavaScript payload targeted GitHub tokens, GitHub Actions secrets, npm, PyPI, RubyGems and JFrog publishing tokens, AWS, Google Cloud, Azure, Kubernetes and Vault credentials, SSH keys, Docker credentials, shell histories, environment files, and Claude/MCP configuration files.

Endor Labs described a more evasive technique in the six-package wave. Previous Shai-Hulud attacks against PyPI modified Python source files to trigger execution. In this wave, Endor said malicious execution was embedded inside compiled binary extensions that activate at runtime when Python loads them. It also noted that every malicious package was uploaded with a Bun JavaScript runtime user agent, suggesting direct use of API tokens rather than normal Python packaging pipelines.

The research and bioinformatics angle changes the risk profile. Scientific Python packages are widely used in universities, biotech companies, health research groups, and pharmaceutical-adjacent environments. Those organisations may not sell software, but their notebooks, pipelines, repositories, and cloud environments can contain sensitive research data, proprietary methods, patient-adjacent material, or credentials for shared compute infrastructure.

Package managers remain powerful because they make development and analysis efficient, yet they also collapse trust decisions into routine installation and import behaviour. A dependency installed for analysis, graph modelling, or bioinformatics work can execute inside an environment that holds cloud credentials, GitHub tokens, notebook secrets, API keys, or access to internal datasets.

European research institutions and healthcare-adjacent organisations may also face data protection, research governance, grant compliance, and sector-specific cyber expectations. Commercial software and product companies using affected packages could face vulnerability-handling and supplier-risk questions as the Cyber Resilience Act moves toward practical implementation.

Response work starts with identifying affected packages and versions, quarantining environments where malicious packages may have executed, rotating exposed credentials, checking repositories for unauthorised releases or commits, and reviewing CI/CD, cloud, registry, and AI-tooling logs. The harder architecture problem is the continued presence of long-lived credentials in developer environments, which makes package compromise valuable even when the affected package has no privileged role of its own.

Shai-Hulud’s repeated movement across npm and PyPI shows attackers following tokens, maintainers, build systems, and developer habits rather than staying inside one package ecosystem. The scientific tooling affected in this wave shows how quickly that risk can move from software companies into research and health-adjacent organisations with different security maturity, funding models, and operational constraints.

×