KeyAudit

phishing·infrastructure·social-engineering·audit-finding

PyPI Supply Chain Attacks: Malicious .pth Files Deploy Multi-Layered Backdoors

The PyPI ecosystem recently saw two consecutive supply chain poisoning incidents that leveraged malicious Python wheel packages. Attackers published packages such as openai_mcp-2.41.2 (masquerading as the OpenAI SDK) and bramin-0.0.4 (disguised as a pipeline operator) to deploy backdoors via .pth files. These files automatically execute malicious code during Python interpreter startup, downloading and executing a JavaScript payload via the Bun runtime. Both samples share the same cryptographic materials, C2 infrastructure, and post-exploitation modules, indicating a unified attack framework. The malicious packages employ brand impersonation, AI jailbreak decoy text, and multi-layer obfuscation to evade detection. SlowMist's MistEye system detected and alerted on these attacks and integrated the IOCs into its threat intelligence database. The attacks specifically target AI/MCP developers and bioinformatics communities, compromising credentials, establishing persistence, and enabling remote command execution.

Key facts

  • Two PyPI supply chain attacks use .pth files for automatic code execution
  • Malicious packages mimic the OpenAI SDK and a pipeline operator
  • Same cryptographic keys, C2 channels, and payloads across both incidents
  • JavaScript payload executed via the Bun runtime with multi-layer obfuscation
  • AI jailbreak decoy text used to evade AI-based security scanners
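
The .pth mechanism described above can be audited on a workstation or build host. The following is an added example, not code from the original report or from SlowMist: it lists every .pth line that Python's site module would execute at interpreter startup (lines beginning with "import" followed by a space or tab). The RISKY token list, the 200-character length threshold and the sample inputs used with it are assumptions chosen for illustration.

```python
import re
import site
from pathlib import Path

# Tokens that rarely belong in a legitimate .pth import line (assumed heuristic list).
RISKY = re.compile(r"\b(exec|eval|compile|__import__|base64|subprocess|urllib|socket|os\.system)\b")


def executable_lines(pth_text):
    """Return (line_number, line) for lines that site.py would exec() at startup.

    site.py executes any line that begins with 'import' followed by a space or tab.
    Comment and blank lines are skipped; everything else is treated as a path entry.
    """
    hits = []
    for number, line in enumerate(pth_text.splitlines(), start=1):
        if line.startswith(("import ", "import\t")):
            hits.append((number, line.rstrip()))
    return hits


def classify(line):
    """Label an executable .pth line 'suspicious' or 'review' (heuristic only)."""
    return "suspicious" if RISKY.search(line) or len(line) > 200 else "review"


def scan(directories):
    """Scan directories for *.pth files; return {path: [(lineno, verdict, line), ...]}."""
    report = {}
    for directory in directories:
        for pth in sorted(Path(directory).glob("*.pth")):
            text = pth.read_text(encoding="utf-8", errors="replace")
            found = [(n, classify(l), l) for n, l in executable_lines(text)]
            if found:
                report[str(pth)] = found
    return report


def default_site_dirs():
    """Site directories of the running interpreter (global and per-user)."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if Path(d).is_dir()]


if __name__ == "__main__":
    for path, findings in scan(default_site_dirs()).items():
        for lineno, verdict, line in findings:
            print(f"{verdict:10} {path}:{lineno}: {line[:120]}")
```

Legitimate tools such as virtualenv and editable installs also ship executable .pth lines, so "review" results are expected; compare them against the packages that are supposed to be installed.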

KeyAudit data perspective

📊 KeyAudit data: Base historical leak records: 1122027
