Search

bleepingcomputer.com › news › security

New Shai-Hulud attack trojanizes 19 science-focused PyPI packages

… The researchers say that the malicious artifacts included a ‘ -setup.pth' file and an obfuscated JavaScript payload named ‘ index.js.’ Users would just have to start Python to trigger the execution of the PTH file, which then tries to download the Bun JavaScript runtime from GitHub to run the bundl… …

Jun 8, 2026 · Bill Toulas

bleepingcomputer.com › news › security

Shai Hulud attack ships signed malicious TanStack, Mistral npm packages

… Researchers recommend that security teams take the following action: check for affected package versions check for persistence on developer machines rotate all credentials GitHub tokens, npm tokens, AWS credentials, Vault tokens, Kubernetes service accounts, and CI/CD secrets audit IDE directories … …

May 12, 2026 · Bill Toulas