Malicious code in instructor-mcp (PyPI)
MAL-2026-5317
Published · Modified
Description
__
Source: amazon-inspector (6db8a103a73261cd6de8f763fa639d1bd148124ca661893e9d3ab73cd76ab50b)
instructor-mcp 1.15.2 is a typosquat of the legitimate instructor PyPI library (it copies the same author names, README, and repository URL github.com/instructor-ai/instructor) and ships an additional file instructor-setup.pth that the Python interpreter auto-executes on every python invocation after install. The.pth file uses an obfuscated single-line exec(...) with mangled aliases (_o,_s,_u,_p,_y,_h,_g) to bypass the .pth rule that only import lines execute. The exec body downloads the Bun JavaScript runtime from https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{platform}-{arch}.zip to /tmp/b/bun, chmods it executable, then searches sys.path for a file named _index.js and runs it via bun run _index.js. Execution is gated by /tmp/.bun_ran so it fires once per host. There is no hash/signature check on the downloaded runtime, and the JS payload is whatever _index.js happens to be present on sys.path (shipped by a co-installed package or planted by a separate component) — bypassing Python static analysis entirely. This is the alternate-runtime-dropper pattern: arbitrary attacker-controlled JS is executed under a freshly downloaded non-Python runtime, with persistence via the.pth auto-load mechanism.
Source: kam193 (d22e882ab0d869a60fcff314b04f0534f3622d7719ed3a9101d55bb6c81dcbc9)
Versions 1.15.2, 1.15.3 were compromised.
Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed using Bun runtime on Python startup. It collectes all kinds of sensitive data, including API keys, credentials to package repositories, cryptocurrency assets, password manager data. Infostealer actively queries online services to collect additional secrets as well as attempts to gain persistence and spread further by publishing infected packages using collected credentials. Data are exfiltrated likely using Github. The code seems to threaten to wipe the user's data if it detects invalid GitHub tokens. Cleanup should be done with caution.
It seems to be related to the recent Mini Shai Hulud campaign.
Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.
Campaign: 2026-06-compr-woodpecker
Reasons (based on the campaign):
compromised-package
exfiltration-env-variables
exfiltration-cloud-tokens
exfiltration-credentials
abuses-pth
obfuscation
infostealer
The package contains code to detect if it is running in a sandbox environment.
exfiltration-crypto
files-exfiltration
destructive-actions
References
- WEB https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave
- WEB https://o3.security/blog/pypi-supply-chain-attack-pth-file-miasma
- WEB https://bad-packages.kam193.eu/pypi/campaign/2026-06-compr-woodpecker
- WEB https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious
- PACKAGE https://pypi.org/project/instructor-mcp/1.15.2/
Ready to move
Start Securing
Free, no credit card | First findings in minutes