Recent research by SlowMist has identified two significant supply chain poisoning incidents within the Python Package Index (PyPI) ecosystem. These incidents involved the distribution of malicious Python packages that executed harmful code during the startup of the Python interpreter.
What Happened
The malicious packages, named openai_mcp-2.41.2-py3-none-any.whl and bramin-0.0.4-py3-none-any.whl, were designed to impersonate legitimate software. The openai_mcp package masqueraded as the official OpenAI Python SDK, while bramin presented itself as a pipeline operator library. Both packages utilized a .pth file to trigger the execution of malicious code automatically upon Python interpreter startup.
On-Chain and Web Evidence
The analysis revealed that both packages shared a common attack framework characterized by several key features. Upon installation, a malicious .pth file is created in the site-packages directory. This file executes embedded Python code that checks for the presence of the Bun runtime, downloading it if necessary, and subsequently executes a multi-layer obfuscated JavaScript payload.
The malicious logic within these packages was confirmed to overlap across three dimensions: cryptographic materials, command-and-control (C2) code, and post-exploitation assets. Specifically, three RSA public keys were identified as identical across both samples, indicating a shared operational infrastructure.
Why It Matters
The implications of these findings are significant for developers and organizations relying on Python packages. The use of brand impersonation and sophisticated evasion techniques, such as embedding sensitive content to disrupt AI-based security analysis, highlights the need for enhanced vigilance.
Organizations should take immediate action by investigating their Python environments for the presence of the identified malicious packages and associated artifacts. It is critical to revoke any compromised credentials, audit GitHub repositories for unusual activity, and prioritize rebuilding affected systems to ensure a clean environment.
Furthermore, security practices should evolve to include monitoring for unexpected GitHub API usage and treating non-executable content with caution during analysis. As supply chain attacks become more sophisticated, proactive measures are essential to mitigate risks.
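One way to check an environment for the .pth trigger described above, as an added example (not code from SlowMist's report or from the samples): Python's site module executes any .pth line that begins with "import", so the script lists those lines in a site-packages directory and flags installed metadata for the two package names reported here. The function names, the marker regex, the 200-character threshold and the sample files are assumptions constructed for illustration.

```python
import re
import site
import sys
import tempfile
from pathlib import Path

# Package names reported on this page (standard wheel installs leave <name>-<ver>.dist-info).
REPORTED = ("openai_mcp", "bramin")
# site.py executes a .pth line only if it starts with "import" plus a space or tab.
EXEC_LINE = re.compile(r"^import[ \t]")
# Heuristic markers (assumption): dynamic execution, process spawning, downloads, Bun.
MARKERS = re.compile(r"exec\(|eval\(|subprocess|os\.system|urllib|base64|\bbun\b", re.I)

def audit_site_dir(site_dir):
    """Return (level, file, line_number, excerpt) findings for one site-packages dir."""
    findings = []
    root = Path(site_dir)
    for pth in sorted(root.glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if not EXEC_LINE.match(line):
                continue  # plain path entries are only appended to sys.path
            risky = MARKERS.search(line) or len(line) > 200
            findings.append(("suspicious" if risky else "review",
                             pth.name, lineno, line[:80]))
    for meta in sorted(root.glob("*.dist-info")):
        if meta.name.split("-")[0].lower() in REPORTED:
            findings.append(("reported-package", meta.name, 0, ""))
    return findings

def demo():
    """Audit a constructed site-packages tree (sample files are never executed)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "paths.pth").write_text("../shared-libs\n# comment\n")
        (root / "editable.pth").write_text("import _editable_hook\n")
        (root / "startup.pth").write_text(
            "import os; os.system('echo constructed-sample')\n")
        (root / "bramin-0.0.4.dist-info").mkdir()
        return audit_site_dir(root)

if __name__ == "__main__":
    # With no arguments, audit the running interpreter's own site directories.
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for d in dirs:
        for finding in audit_site_dir(d):
            print(d, *finding, sep="\t")
```

A "review" result is common for legitimate tooling such as editable installs; "suspicious" and "reported-package" results are the ones to triage first.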



