Sekoia found a campaign that targets security researchers by planting a Python remote access trojan, ChocoPoC, in proof-of-concept exploits published on GitHub. Rather than putting malware in the exploit code itself, the attackers add a malicious package to the PoC's dependency list on the Python Package Index, so simply installing and running the exploit pulls down the trojan, which can run commands and steal data. At least seven repositories posed as PoCs for flaws in products like FortiWeb, PAN-OS, Ivanti Sentry, and Check Point VPN, with downloads spiking after each new vulnerability made headlines. One malicious package was fetched about 2,400 times, mostly on Linux.
The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.
Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens via API, and persists via cron, systemd, Git hooks, shell rcfiles, and SSH; Rust crates use build.rs to trigger; Python packages auto-execute on import to fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.
Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.
TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.
Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.
Update on the Mini Shai-Hulud campaign covered April 30: The same supply-chain worm that hit four SAP npm packages on Wednesday spread to two more major packages on Thursday. PyTorch Lightning, an AI training framework with 31,100 GitHub stars and hundreds of thousands of daily downloads, had malicious versions 2.6.2 and 2.6.3 published on PyPI for 42 minutes before being quarantined. Intercom-client, the official Node.js SDK for Intercom (361,510 weekly downloads), was compromised at 14:41 UTC. Intercom traced its compromise to pyannote-audio pulling Lightning as a dependency - showing the worm propagating through stolen credentials from the SAP victims.
North Korea's Famous Chollima group (also called Void Dokkaebi) is using Anthropic's Claude Opus to write malicious npm packages and slip them into developer environments. ReversingLabs found the group had registered a fake Florida LLC, set up a real-looking developer firm, and used Claude to add a package called @validate-sdk/v2 as a dependency to a legitimate-looking utility SDK. When developers installed the parent package, the dependency executed code that stole their cryptocurrency wallet credentials. The campaign progressed from simple JavaScript info-stealers (5KB) to full Node.js executables (85MB) bundling Claude-generated deception code.
A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.
Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.