SlowMist
SlowMist|Jun 12, 2026 11:30
✍️ Technical Analysis Published: From Python to Bun - Cross-Runtime Attack Chain Analysis of the Shai-Hulud Hades MistEye has uncovered a new Shai-Hulud Hades variant targeting PyPI with a novel cross-runtime attack chain. Malicious packages (e.g. openai_mcp-2.41.2, bramin-0.0.4) drop .pth files that auto-execute on Python interpreter startup. The payload silently checks for the Bun runtime — if absent, it downloads the official Bun binary from GitHub Releases, then executes a multi-layer obfuscated JavaScript payload (_index.js) for credential theft and post-exploitation. This variant shares the same RSA public keys and infrastructure as previous Shai-Hulud campaigns (including the recent Red Hat Cloud Services npm poisoning). Key capabilities include: 🔹 GitHub PAT / npm / AWS / cloud credential harvesting 🔹 Encrypted exfiltration (RSA-OAEP) 🔹 Persistence via systemd/launchd + workspace propagation 🔹 CI/CD & GitHub Actions injection 🔹 AI-evasion via WMD-themed decoy comments 📖 Full technical analysis: https://slowmist.medium.com/threat-intelligence-from-python-to-bun-cross-runtime-attack-chain-analysis-of-the-shai-hulud-hades-7e5580b8be37(SlowMist)
+6
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads