Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: pypi (11 articles)Clear

ChocoPoC malware hides in fake exploit dependencies to hit security researchers

Sekoia found a campaign that targets security researchers by planting a Python remote access trojan, ChocoPoC, in proof-of-concept exploits published on GitHub. Rather than putting malware in the exploit code itself, the attackers add a malicious package to the PoC's dependency list on the Python Package Index, so simply installing and running the exploit pulls down the trojan, which can run commands and steal data. At least seven repositories posed as PoCs for flaws in products like FortiWeb, PAN-OS, Ivanti Sentry, and Check Point VPN, with downloads spiking after each new vulnerability made headlines. One malicious package was fetched about 2,400 times, mostly on Linux.

Check
When testing proof-of-concept exploits from GitHub, inspect their dependency lists and any packages they pull from PyPI, and run everything in an isolated, disposable virtual machine rather than a working environment.
Affected
Security researchers, penetration testers, and others who download and run PoC exploits; a trojanized dependency, not the exploit code, delivers a remote access trojan that steals data and runs commands.
Fix
Vet and pin dependencies before running any PoC, review package sources on PyPI, and detonate untrusted exploits only in sandboxed virtual machines with network access removed unless the test requires it.

New Shai-Hulud wave poisons 19 scientific Python packages on PyPI

The ongoing Shai-Hulud supply-chain campaign has struck again, this time trojanizing 19 Python packages on PyPI, many of them popular bioinformatics tools like Dynamo, Spateo, CoolBox, and Napari-UFISH that have been downloaded hundreds of thousands of times. Discovered by Socket, the wave pushed 37 malicious package versions from what looks like a single compromised maintainer, each carrying code that steals developer secrets such as cloud keys and tokens, then uses them to spread further. PyPI has quarantined affected releases. The credential-stealing behavior and tactics match earlier Shai-Hulud activity tied to the group TeamPCP, whose worm code leaked publicly last month.

Check
Search Python environments, lock files, and CI build logs for the 19 affected packages (including Dynamo, Spateo, CoolBox, U-FISH, Napari-UFISH) installed during the malicious window.
Affected
Developers and research teams that installed the trojanized versions of the 19 PyPI scientific packages, especially bioinformatics workflows pulling Dynamo, Spateo, CoolBox, U-FISH, or Napari-UFISH.
Fix
Remove the malicious versions and pin to known-good releases, then rotate every developer, cloud, and CI credential exposed on machines that installed them. Rebuild from trusted sources.

TrapDoor cross-ecosystem supply chain hits npm, PyPI, Crates.io with 34+ malicious packages; plants .cursorrules and CLAUDE.md to trick AI assistants

Socket has detailed TrapDoor, a coordinated cross-ecosystem supply-chain campaign that has published 34+ malicious packages across 384+ versions on npm, PyPI, and Crates.io since May 22. Targets are crypto, DeFi, Solana, and AI developers. The npm packages deploy trap-core.js, which scans for credentials, validates AWS and GitHub tokens via API, and persists via cron, systemd, Git hooks, shell rcfiles, and SSH; Rust crates use build.rs to trigger; Python packages auto-execute on import to fetch JavaScript from ddjidd564.github[.]io. Notable twist: the campaign also plants .cursorrules and CLAUDE.md in PRs to popular AI repos to trick AI coding assistants into running 'security scans' that exfiltrate secrets.

Check
Search npm, pip, and cargo install logs across CI/CD and developer machines for any of the 34+ TrapDoor packages. Check repos for unsolicited .cursorrules or CLAUDE.md additions in PRs.
Affected
Crypto, DeFi, Solana, and AI developers who install packages by name without lockfile pinning. Users of AI coding assistants (Cursor, Claude) that read .cursorrules or CLAUDE.md.
Fix
Pin via lockfiles. Block ddjidd564.github[.]io at egress. Audit .cursorrules and CLAUDE.md across repos. Configure AI coding assistants to require explicit confirmation before running arbitrary commands from project files.

TeamPCP Shai-Hulud aftermath: OpenAI rotates macOS code-signing certificates after employee devices breached, TeamPCP advertises 450 Mistral AI source repositories for $25K

Two days after the Mini Shai-Hulud worm tore through TanStack and Mistral AI packages, the named-victim count grew sharply. OpenAI confirmed that two employee devices were compromised through the TanStack supply-chain chain and that a limited subset of internal source code repositories had credential material exfiltrated; the company is rotating its macOS code-signing certificates and tells Mac users they must update ChatGPT Desktop, Codex, and Atlas apps by June 12, 2026, or the apps will stop launching. TeamPCP separately listed 450 Mistral AI private repositories on a criminal forum for 25,000 dollars. Mistral confirmed a codebase management system was temporarily compromised on May 12 but says hosted services and user data were not impacted.

Check
Audit which developer workstations had any TanStack, Mistral AI, UiPath, OpenSearch, or Guardrails AI npm or PyPI packages installed since May 8, and review GitHub audit logs for token use from those machines.
Affected
Mac users of OpenAI ChatGPT Desktop, OpenAI Codex CLI, and Atlas browser apps - signed with the rotated certificates and must update before June 12, 2026. Customers of Mistral AI relying on private repos for SDK pinning.
Fix
Update affected OpenAI macOS apps before June 12. Rotate GitHub PATs, npm and PyPI tokens, cloud secrets, and SSH keys exposed on impacted developer machines. Pin Mistral and TanStack packages to known-clean releases.

TeamPCP supply-chain worm 'Mini Shai-Hulud' hits TanStack, Mistral AI, UiPath, OpenSearch, and Guardrails AI - 170 packages, 401 malicious versions, 518 million weekly downloads (CVE-2026-45321)

TeamPCP launched its largest supply-chain attack to date on May 11, compromising 170+ npm and PyPI packages with 518 million combined weekly downloads. The attackers chained three GitHub Actions vulnerabilities to publish 401 malicious versions carrying valid SLSA Build Level 3 attestations - cryptographically indistinguishable from legitimate releases. Affected packages include TanStack, Mistral AI (npm and PyPI), UiPath, OpenSearch, and Guardrails AI. The worm installs a persistent gh-token-monitor daemon that triggers 'rm -rf ~/' if tokens get revoked, and includes a probabilistic full-disk-wipe routine for Israeli and Iranian locales.

Check
Audit lockfiles for @tanstack/* (84 affected versions), @uipath/* (66 versions), @mistralai/*, opensearch-project/opensearch 3.5.3-3.8.0, guardrails-ai 0.10.1, mistralai 2.4.6.
Affected
Any Node.js or Python environment that installed compromised packages between May 11 and registry takedown. CI/CD pipelines, developer workstations, AI/ML environments. Crypto wallets and password managers (1Password, Bitwarden) are primary exfil targets.
Fix
Remove gh-token-monitor daemon BEFORE revoking tokens (~/Library/LaunchAgents macOS, ~/.config/systemd/user/ Linux) - removal first prevents triggering the wipe. Pin lockfiles to clean versions. Rotate all npm tokens, GitHub PATs, cloud credentials, and crypto wallet seeds.

New Linux malware called 'Quasar Linux' targets developer laptops to steal credentials for npm, GitHub, AWS, and Docker - barely detected by antivirus

Trend Micro disclosed Quasar Linux (QLNX), a previously undocumented Linux remote access trojan designed for developer workstations and DevOps environments. The malware harvests credentials for npm, PyPI, GitHub, AWS, Docker, and Kubernetes - then uses them to publish trojanized packages to public registries. QLNX runs entirely fileless and in-memory, dynamically compiling its rootkit and PAM backdoor on the target host using gcc, then loading them via /etc/ld.so.preload for system-wide interception. Capabilities include a 58-command RAT, dual-layer rootkit, keylogging, SSH lateral movement, and peer-to-peer mesh networking. Only four security tools detect the binary as malicious.

Check
Hunt Linux developer machines and CI runners for /etc/ld.so.preload entries you didn't put there, /tmp/.X*-lock files outside legitimate X server use, and gcc invocations on hosts that don't normally compile code.
Affected
Linux developer workstations and DevOps environments with credential access to npm, PyPI, GitHub, AWS, Docker, or Kubernetes. Acute risk for organizations with developers running root-capable Linux desktops, particularly those whose CI/CD pipelines pull dependencies from public registries. Compromised credentials enable supply-chain attacks against the organization's own published packages.
Fix
Deploy Linux EDR with eBPF visibility on every developer machine and CI runner - QLNX hides from userland tools but eBPF-aware sensors detect the kernel-level rootkit. Restrict /etc/ld.so.preload modifications via auditd alerts. For high-risk developers: use ephemeral build environments (containers, VMs) that don't carry persistent credentials. Trend Micro published IoCs.

The same supply-chain worm that hit SAP packages on Wednesday spread to PyTorch Lightning and Intercom's npm SDK on Thursday

Update on the Mini Shai-Hulud campaign covered April 30: The same supply-chain worm that hit four SAP npm packages on Wednesday spread to two more major packages on Thursday. PyTorch Lightning, an AI training framework with 31,100 GitHub stars and hundreds of thousands of daily downloads, had malicious versions 2.6.2 and 2.6.3 published on PyPI for 42 minutes before being quarantined. Intercom-client, the official Node.js SDK for Intercom (361,510 weekly downloads), was compromised at 14:41 UTC. Intercom traced its compromise to pyannote-audio pulling Lightning as a dependency - showing the worm propagating through stolen credentials from the SAP victims.

Check
Audit any developer machine or CI runner that ran 'pip install' on PyTorch Lightning or 'npm install' on intercom-client between April 30 and May 1, and rotate every credential on those machines.
Affected
Lightning (PyPI) versions 2.6.2 and 2.6.3 - safe version is 2.6.1. Intercom-client (npm) version 7.0.4 (per Socket) and 7.0.5 (per Wiz). AI/ML environments running Lightning routinely hold GPU cluster credentials, cloud IAM tokens, Hugging Face API keys, and Weights & Biases tokens. Backend services and CI/CD pipelines integrating with Intercom's API are exposed even if they don't use Lightning.
Fix
Pin Lightning to 2.6.1 or earlier; reject 2.6.2 and 2.6.3. Update intercom-client per Intercom's advisory. Rotate all credentials potentially exposed: GitHub tokens, npm tokens, AWS/GCP/Azure keys, environment-variable secrets. Gate npm publish behind environment review (the same pattern that compromised SAP).

North Korean hackers used Claude AI to add malicious npm dependencies to legitimate-looking projects and stole crypto wallet credentials from developers who installed them

North Korea's Famous Chollima group (also called Void Dokkaebi) is using Anthropic's Claude Opus to write malicious npm packages and slip them into developer environments. ReversingLabs found the group had registered a fake Florida LLC, set up a real-looking developer firm, and used Claude to add a package called @validate-sdk/v2 as a dependency to a legitimate-looking utility SDK. When developers installed the parent package, the dependency executed code that stole their cryptocurrency wallet credentials. The campaign progressed from simple JavaScript info-stealers (5KB) to full Node.js executables (85MB) bundling Claude-generated deception code.

Check
If your organization handles cryptocurrency, treat every npm or PyPI dependency as untrusted by default - particularly utility SDKs offered by unfamiliar publishers.
Affected
Cryptocurrency companies and developers, especially those whose machines hold wallet credentials, signing keys, or CI/CD access to crypto infrastructure. Web3 startups, blockchain developers, fintech engineers. The targeting is industry-specific, but the technique (AI-generated trojan dependencies inside legitimate-looking SDKs) will be copied by other groups.
Fix
Pin npm and PyPI dependencies to specific commit SHAs and require manual review for any new dependency added to a crypto-handling project. For high-risk developers, use ephemeral build environments that don't carry wallet credentials. Block ipfs-url-validator.vercel[.]app and the @validate-sdk publisher namespace. Treat any 'utility SDK' from an unfamiliar US LLC formed in the past 12 months with extra suspicion.

Self-propagating npm worm hits Namastex Labs packages, steals secrets across npm, PyPI, and crypto wallets

A new supply-chain worm is loose on npm, stealing developer credentials and republishing itself automatically from whichever compromised account it lands on. Socket and StepSecurity identified the attack in packages published by Namastex Labs, a company that builds agentic AI tooling, with 16 package versions confirmed malicious so far and the first poisoned release (pgserve 1.1.11 on April 21 at 22:14 UTC) followed by two more the same day. The injected code grabs tokens, API keys, SSH keys, credentials for cloud services, CI/CD systems, container registries, and LLM platforms, plus Kubernetes and Docker configs, then rifles through Chrome and Firefox for cryptocurrency wallet data including MetaMask, Exodus, Atomic Wallet, and Phantom. If the malware finds an npm publish token in environment variables or ~/.npmrc, it identifies every package the victim can publish, injects itself into each, bumps the version, and republishes - a worm in the literal sense. It applies the same trick to PyPI via a .pth-based payload if Python credentials are present, making this a cross-ecosystem threat. Socket and StepSecurity note the techniques mirror TeamPCP's CanisterWorm attacks but stop short of definitive attribution.

Check
Search your package-lock and yarn.lock files and private registry caches for any of the listed Namastex Labs versions, and then rotate every credential that has ever been present on a machine that installed them.
Affected
Confirmed malicious versions per Socket: @automagik/genie 4.260421.33 through 4.260421.39; pgserve 1.1.11 through 1.1.13; @fairwords/websocket 1.0.38 through 1.0.39; @fairwords/loopback-connector-es 1.4.3 through 1.4.4; @openwebconcept/theme-owc 1.0.3; @openwebconcept/design-tokens 1.0.3. Any additional npm package republished by an account whose publish token was exfiltrated by this worm is also potentially malicious.
Fix
Remove the listed versions from development environments, CI/CD runners, and private mirrors immediately. Rotate every secret the worm would have seen: npm publish tokens, PyPI tokens, cloud provider keys, CI/CD deploy keys, SSH keys, LLM platform API keys, container registry credentials, and any crypto wallet seeds stored in browser extensions on affected machines. Audit your package caches and internal mirrors for related packages that share the same public.pem file, webhook host, or postinstall pattern (Socket publishes IoCs for this). Pin production dependencies to known-good versions with integrity hashes and deny the newest versions of the affected packages in your package firewall until forensics is complete.

TeamPCP compromises Telnyx Python SDK on PyPI - malware hidden inside sound files

Hackers compromised the Telnyx Python SDK on PyPI and hid malware inside .wav sound files - disguised as audio to bypass security scanners. Versions 4.87.1 and 4.87.2 were poisoned - just importing the package triggers the attack. It grabs SSH keys, cloud credentials, and can hijack Kubernetes clusters. The malicious versions were live for about 6 hours before PyPI quarantined them.

Check
Audit your Python environments for the Telnyx package.
Affected
telnyx 4.87.1 and 4.87.2 on PyPI.
Fix
Downgrade to telnyx 4.87.0. Rotate all credentials on any system that ran the poisoned versions.