PyPI supply-chain poison: Python .pth dey trigger backdoors for Bun/JS

Security researchers for SlowMist report say two PyPI supply-chain poisoning incidentswey use malicious Python wheels and .pth wey dey auto-run when Python interpreter dey start. Di samples dem analyse—openai_mcp-2.41.2 and bramin-0.0.4—fake like legitimate libraries for AI/MCP ecosystem and pipeline tooling, but dem share di same malware framework. Main mechanism: after install, one .pth file dey run at Python startup, e check for Bun runtime, if e no dey e download Bun from GitHub Releases, then e run obfuscated JavaScript payload (multi-layer decoding plus AES-128-GCM decrypted stages). Researchers confirm say cryptographic materials and infrastructure overlap for both variants: three identical 4096-bit RSA public keys, same C2 verification and encryption logic, and shared post-exploitation components (persistence, workspace propagation, memory/runner process extraction, and CI/workflow secret targeting). One variant (openai_mcp) put AI “jailbreak” decoy text inside _index.js to disturb automated analysis, while bramin’s decrypted layers show wider credential targeting like GitHub PATs, npm/registry tokens, bearer tokens, AWS credentials, SSH keys, and more. Actor correlation strong because dem reuse same RSA key ecosystem and code paths, showing shared operator cluster. SlowMist’s MistEye monitoring push high-severity alerts and add IOCs to im database.