| 1 | +--- |
| 2 | +title: "PyPI and Shai-Hulud: Staying Secure Amid Emerging Threats" |
| 3 | +description: Shai-Hulud is a great worm, not yet a snake. Attack on npm ecosystem may have implications for PyPI. |
| 4 | +date: 2025-11-26 |
| 5 | +authors: |
| 6 | + - miketheman |
| 7 | +tags: |
| 8 | + - publishing |
| 9 | + - security |
| 10 | +meta: |
| 11 | + - name: fediverse:creator |
| 12 | + |
| 13 | +--- |
| 14 | + |
| 15 | +An attack on the npm ecosystem continues to evolve, exploiting compromised accounts to publish malicious packages. |
| 16 | +This campaign, dubbed _Shai-Hulud_, has targeted large volumes of packages in the JavaScript ecosystem, |
| 17 | +exfiltrating credentials to further propagate itself. |
| 18 | + |
| 19 | +**PyPI has not been exploited**, however some PyPI credentials were found exposed in compromised repositories. |
| 20 | +We've revoked these tokens as a precaution, there's no evidence they have been used maliciously. |
| 21 | +This post raises awareness about the attack and encourages proactive steps to secure your accounts, |
| 22 | +especially if you're using build platforms to publish packages to PyPI. |
| 23 | + |
| 24 | +<!-- more --> |
| 25 | + |
| 26 | +## How does this relate to PyPI? |
| 27 | + |
| 28 | +This week, a security researcher disclosed long-lived PyPI credentials exposed as part of the Shai-Hulud campaign. |
| 29 | +The credentials were found in GitHub repositories (stored as repository secrets), and were still valid. |
| 30 | +We saw an attack with insecure workflow settings for [Ultralytics in 2024](2024-12-11-ultralytics-attack-analysis.md). |
| 31 | + |
| 32 | +While the campaign primarily targets npm, some projects use [monorepo](https://en.wikipedia.org/wiki/Monorepo) setups, |
| 33 | +publishing both JavaScript packages to npmjs.com and Python packages to PyPI from the same repository. |
| 34 | +When attackers compromise these repositories, they can extract credentials for multiple platforms. |
| 35 | + |
| 36 | +We investigated the reported credentials and found they were associated with accounts that hadn't published recently. |
| 37 | +We've revoked these credentials and reached out to affected users to advise them to rotate any remaining tokens. |
| 38 | + |
| 39 | +## What can I do to protect my PyPI account? |
| 40 | + |
| 41 | +Here are security practices to protect your PyPI account: |
| 42 | + |
| 43 | +- **Use Trusted Publishing:** If you are using a build platform to publish packages to PyPI, |
| 44 | + consider using a [Trusted Publisher](https://docs.pypi.org/trusted-publishers/). |
| 45 | + This eliminates the need to manage long-lived authentication tokens, reducing the risk of credential exposure. |
| 46 | + Trusted Publishing uses short-lived, scoped tokens for each build, minimizing the impact of any potential compromise. |
| 47 | + This approach has [risen in popularity](2025-11-10-trusted-publishers-coming-to-orgs.md), |
| 48 | + with other registries like [Crates.io](https://crates.io/docs/trusted-publishing), |
| 49 | + [RubyGems](https://guides.rubygems.org/trusted-publishing/), |
| 50 | + and [npmjs.com](https://docs.npmjs.com/trusted-publishers) adopting similar models. |
| 51 | + |
| 52 | + When using GitHub Actions, consider layering in additional security measures, |
| 53 | + like requiring human approval via [GitHub Environments](https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments) before publishing. |
| 54 | + [This blog post from pyOpenSci](https://www.pyopensci.org/blog/python-packaging-security-publish-pypi.html) |
| 55 | + has detailed guidance on adding manual review steps to GitHub Actions workflows. |
| 56 | + |
| 57 | +- **Audit your workflows for misconfiguration:** Review your GitHub Actions workflows for any potential security issues. |
| 58 | + Tools like [zizmor](https://docs.zizmor.sh/) and [CodeQL](https://codeql.github.com/) |
| 59 | + can help identify vulnerabilities in your CI/CD pipelines. |
| 60 | + Adopt scanning as automated actions for the repository to catch future issues. |
| 61 | + |
| 62 | +- **Review your account activity:** Regularly check your PyPI account activity for any unauthorized actions. |
| 63 | + If you notice any suspicious activity, [report it to the PyPI security team](https://pypi.org/security/) immediately. |
| 64 | + |
| 65 | +Taking any of these steps helps mitigate the risk of compromise and keeps packages secure. |
| 66 | + |
| 67 | +## References |
| 68 | + |
| 69 | +Some blog posts covering the attack behaviors and mitigation steps: |
| 70 | + |
| 71 | +- [Aikido](https://www.aikido.dev/blog/shai-hulud-strikes-again-hitting-zapier-ensdomains) |
| 72 | +- [CISA](https://www.cisa.gov/news-events/alerts/2025/09/23/widespread-supply-chain-compromise-impacting-npm-ecosystem) |
| 73 | +- [Datadog](https://securitylabs.datadoghq.com/articles/shai-hulud-2.0-npm-worm/) |
| 74 | +- [HelixGuard](https://helixguard.ai/blog/malicious-sha1hulud-2025-11-24) |
| 75 | +- [ReversingLabs](https://www.reversinglabs.com/blog/shai-hulud-worm-npm) |
| 76 | +- [StepSecurity](https://www.stepsecurity.io/blog/sha1-hulud-the-second-coming-zapier-ens-domains-and-other-prominent-npm-packages-compromised) |
| 77 | +- [Wiz](https://www.wiz.io/blog/shai-hulud-2-0-ongoing-supply-chain-attack) |
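Review bot: The `meta` entry in the front matter (lines 10-12) gives `name: fediverse:creator` but no `content` value follows it, and line 12 is empty, which leaves the entry incomplete; add the `content:` line or drop the `meta` block. Two smaller points in the body. Line 20 joins two sentences with a comma ("We've revoked these tokens as a precaution, there's no evidence they have been used maliciously"), and would read better split in two or joined with "and". The Ultralytics sentence at line 30 does not say how that incident relates to the exposed repository secrets described in the two lines before it, so a short connecting clause would help readers who have not read the linked analysis.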