PyPI supply-chain poisoning: Python .pth triggers Bun/JS backdoors
Security researchers at SlowMist report two PyPI supply-chain poisoning incidents that use malicious Python wheels and .pth auto-execution during Python interpreter startup. The analysed samples, openai_mcp-2.41.2 and bramin-0.0.4, masquerade as legitimate libraries in the AI/MCP ecosystem and pipeline tooling, but share the same underlying malware framework.
Key mechanism: after install, a .pth file runs at Python startup, checks for the Bun runtime, downloads Bun from GitHub Releases if missing, and executes an obfuscated JavaScript payload (multi-layer decoding plus AES-128-GCM decrypted stages).
The researchers confirm overlapping cryptographic materials and infrastructure across both variants: three identical 4096-bit RSA public keys, the same C2 verification and encryption logic, and shared post-exploitation components (persistence, workspace propagation, memory/runner process extraction, and CI/workflow secret targeting).
One variant (openai_mcp) uses AI “jailbreak” decoy text inside _index.js to disrupt automated analysis, while bramin’s decrypted layers show broader credential targeting, including GitHub PATs, npm/registry tokens, bearer tokens, AWS credentials, SSH keys, and more. The actor correlation is strengthened by the reuse of the same RSA key ecosystem and code paths, indicating a shared operator cluster.
SlowMist’s MistEye monitoring system pushed high-severity alerts and added IOCs to its database.
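The .pth trigger works because Python's standard `site` module executes any line in a site-packages .pth file that begins with `import` followed by a space or tab. As an added example (not SlowMist's code and not part of the original report), the following script lists those executable lines so they can be reviewed; the keyword list and the sample files in `demo()` are constructed assumptions for illustration.

```python
import site
import tempfile
from pathlib import Path

# Heuristic substrings (assumed for this example) that rarely belong in a .pth file.
SUSPICIOUS = ("exec(", "eval(", "compile(", "base64", "subprocess",
              "os.system", "urllib", "requests", "socket", "bun")

def executable_lines(pth_path):
    """Return (lineno, text) for lines the site module would exec() at startup."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        # site.py only executes lines starting with "import " or "import\t";
        # every other non-comment line is treated as a path entry.
        if line.startswith(("import ", "import\t")):
            hits.append((n, line.strip()))
    return hits

def scan_dir(directory):
    """Report every executable .pth line in one directory, with keyword flags."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        for n, line in executable_lines(pth):
            flags = [s for s in SUSPICIOUS if s in line.lower()]
            findings.append({"file": pth.name, "line": n,
                             "code": line[:120], "flags": flags})
    return findings

def scan_environment():
    """Scan the global and per-user site-packages of the running interpreter."""
    dirs = set(site.getsitepackages() if hasattr(site, "getsitepackages") else [])
    dirs.add(site.getusersitepackages())
    return [f for d in sorted(dirs) if Path(d).is_dir() for f in scan_dir(d)]

def demo():
    """Run the scan over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        # Path-only file; "importlib_stub" is a path entry, not code.
        Path(tmp, "paths_only.pth").write_text("../vendor\nimportlib_stub\n")
        # Constructed stand-in for a startup hook that probes for Bun.
        Path(tmp, "constructed_loader.pth").write_text(
            "# constructed sample\n"
            "import subprocess; subprocess.run(['bun', '--version'])\n")
        return scan_dir(tmp)

if __name__ == "__main__":
    for finding in scan_environment():
        print(finding)
```

Some legitimate packages ship .pth files with `import` lines (editable installs, for example), so each finding needs review against the package that owns the file rather than automatic removal.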
Neutral
This is a cyber threat-intelligence update, not a direct protocol, ETF, or token-utility change. For crypto traders, the main effect is second-order risk sentiment: incidents of PyPI supply-chain poisoning can temporarily raise concerns about infrastructure security for web3 teams and custodians, potentially impacting short-term risk appetite. However, there is no mention of specific crypto assets, no on-chain impact, and no indication of exchange downtime or market-structure disruption. Historically, security advisories like this tend to produce limited, short-lived market noise unless they coincide with major platform failures or large thefts. Long-term, the relevance is more about operational security for builders and custodians rather than affecting token fundamentals, so overall market impact is likely neutral.