Embedded Malicious Code (Shai-Hulud)
This package was identified by GitLab's Vulnerability Research team as part of a coordinated Shai-Hulud copycat supply chain attack on PyPI on June 7, 2026. Someone with maintainer access weaponized the mflux-streamlit package, publishing malicious releases alongside previously clean ones. Versions 0.0.3 and 0.0.4 contain a .pth file that auto-executes on Python startup, downloads the Bun JavaScript runtime, and runs an obfuscated credential stealer targeting GitHub, AWS, …
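A defender-side triage check for the .pth persistence mechanism described above, added here as an example; it is not code from the advisory or from the package. It mirrors how CPython's site module treats .pth lines (only lines beginning with "import " or "import<tab>" are executed, the rest are sys.path entries) and uses constructed sample contents, not the real payload.

```python
"""Triage .pth files for lines that Python executes at interpreter startup.

site.py's addpackage() skips blank lines and '#' comments, exec()s any line
that starts with "import " or "import\t", and treats every other line as a
directory to append to sys.path. A .pth file that carries import lines is
therefore a startup hook and deserves review. Some legitimate tools (e.g.
setuptools, virtualenv) ship such lines too, so a hit is a triage signal,
not proof of compromise.
"""
import site
from pathlib import Path


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of one .pth file that site.py would exec()."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # ignored by site.py
        # Exact prefix match: "importlib_x" is a path entry, not code.
        if line.startswith(("import ", "import\t")):
            hits.append(line)
    return hits


def triage_pth_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map .pth name -> executable lines; files with none are omitted."""
    report = {}
    for name, text in files.items():
        hits = executable_pth_lines(text)
        if hits:
            report[name] = hits
    return report


def scan_site_packages() -> dict[str, list[str]]:
    """Collect every *.pth in this interpreter's site-packages dirs and triage it."""
    found = {}
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        if not Path(d).is_dir():
            continue
        for pth in Path(d).glob("*.pth"):
            found[str(pth)] = pth.read_text(errors="replace")
    return triage_pth_files(found)


# Constructed sample contents for illustration (not the malicious file):
# a benign path-only .pth next to one that imports a module at startup.
SAMPLE_PTH = {
    "paths-only.pth": "# added by an installer\n/opt/tools/lib\n",
    "startup-hook.pth": "/opt/tools/lib\nimport importlib; importlib.import_module('hidden_bootstrap')\n",
}

if __name__ == "__main__":
    for name, lines in scan_site_packages().items():
        print(name, lines)
```

Run it inside the affected environment (the interpreter whose site-packages received the package) rather than from a clean host, since .pth files are per-installation.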