Malware campaign targets bioinformatics, MCP developers
Socket has identified 23 newly compromised PyPI packages in a malware campaign targeting bioinformatics and Model Context Protocol (MCP) developers using native compiled extensions and covert startup hooks. The packages dynamically execute JavaScript stealers using a bootstrapped Bun runtime and harvest credentials, SSH keys, and cloud secrets from local environments and CI/CD pipelines.
Attackers are weaponizing compilation pipelines and LLM safety filters, turning typical developer tools (like Bun and native extensions) and AI triage logic against the systems meant to protect them.
- Native compiled extensions (.abi3.so) bypass traditional static source-code analysis, exploiting the common presence of compiled code in scientific and genomic libraries.
- The use of .pth startup hooks decouples the loader from the payload, executing Bun dynamically to keep the wheel footprint small.
- Embedding fake policy-violating prompts in comments directly targets LLM-first scanners, demonstrating a growing sophistication in anti-AI analysis techniques.
- Compromising MCP (Model Context Protocol) packages highlights that developers building next-gen AI integrations are now prime targets for supply chain attacks.
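A defender-side audit for the .pth startup hooks and .abi3.so extensions described above, as an added example (not code from Socket or from the affected packages). It relies on the fact that Python's site module executes any top-level .pth line that starts with "import"; the file and package names in the sample tree are hypothetical and constructed for the demonstration.

```python
import tempfile
from pathlib import Path

def executable_pth_lines(pth_path):
    """Return (lineno, text) for each line site.py would exec() at startup."""
    hits = []
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        # site.py treats lines starting with "import" + space/tab as code;
        # every other non-comment line is just a path entry.
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line.rstrip()))
    return hits

def audit_site_dir(site_dir):
    """Return ({pth name: executable lines}, [relative .abi3.so paths])."""
    site_dir = Path(site_dir)
    findings = {}
    for pth in sorted(site_dir.glob("*.pth")):  # only top-level .pth files are processed
        hits = executable_pth_lines(pth)
        if hits:
            findings[pth.name] = hits
    native = sorted(p.relative_to(site_dir).as_posix()
                    for p in site_dir.rglob("*.abi3.so"))
    return findings, native

def build_sample(root):
    """Constructed, harmless sample tree; all names are hypothetical."""
    root = Path(root)
    (root / "paths.pth").write_text("# plain path entry\n../src\n")
    (root / "demo_hook.pth").write_text("import demo_loader\n")
    (root / "demo_pkg").mkdir()
    (root / "demo_pkg" / "_core.abi3.so").write_bytes(b"")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        findings, native = audit_site_dir(tmp)
        for name, hits in findings.items():
            for lineno, line in hits:
                print(f"{name}:{lineno}: runs at interpreter startup: {line}")
        for path in native:
            print(f"native extension (not covered by source review): {path}")
```

Legitimate tools also ship executable .pth lines (setuptools' distutils-precedence.pth is one), so treat hits as items to review against a known-good baseline, not as verdicts.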
Discovered: 2026-06-08
Published: 2026-06-08
Author: SocketSecurity