SlowMist’s security team reported a Shai-Hulud Hades variant attack in the PyPI ecosystem involving the malicious packages openai_mcp-2.41.2 and bramin-0.0.4. According to Foresight News, the two packages use a .pth file to trigger automatically when the Python interpreter starts.
SlowMist said the code silently downloads the Bun runtime and then executes a multi-layer obfuscated JavaScript payload. The payload is designed to steal credentials including GitHub personal access tokens, npm credentials, and AWS and other cloud credentials, and to exfiltrate data using RSA-OAEP encryption.
The team said the malware also includes persistence mechanisms, supports CI/CD injection, and embeds content related to weapons of mass destruction ahead of the malicious code to interfere with AI-based security scanning.
SlowMist said it confirmed the attack shares the same RSA public key and infrastructure as a previous Red Hat Cloud Services npm poisoning incident.