Embedded Malicious Code (Shai-Hulud)
This package was identified by GitLab's Vulnerability Research team as part of a coordinated Shai-Hulud copycat supply chain attack on PyPI on June 7, 2026. The package rlask is a typosquat of the popular Flask web framework. It contains a .pth file that auto-executes on Python startup, downloads the Bun JavaScript runtime, and runs an obfuscated credential stealer targeting GitHub, AWS, Azure, GCP, HashiCorp Vault, NPM, PyPI, RubyGems, SSH keys, …
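The `.pth` auto-execution described above works because Python's `site` module passes any line in a site-packages `.pth` file that begins with `import` to `exec()` at interpreter startup. The scanner below is an added example, not part of the advisory or of GitLab's tooling: it lists those lines for review, and its `RISKY` pattern and `SAMPLE_PTH` content are assumptions constructed for illustration, not indicators taken from the rlask package.

```python
import os
import re
import site

# Heuristic markers (assumptions of this example, not indicators from the
# advisory): network access, process spawning, decoding or dynamic evaluation.
RISKY = re.compile(r"urllib|requests|socket|subprocess|os\.system|popen|"
                   r"base64|exec\(|eval\(|compile\(", re.IGNORECASE)

# Constructed sample .pth content (not taken from the rlask package).
SAMPLE_PTH = (
    "# comment line, ignored by site.py\n"
    "./vendored/path\n"
    "import os; os.environ.setdefault('EXAMPLE_FLAG', '1')\n"
    "import urllib.request, subprocess  # network + process modules\n"
)


def executable_pth_lines(text):
    """Return (lineno, line, risky) for each line site.py would exec()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Same test site.py applies: the line must start with "import"
        # followed by a space or tab, with no leading whitespace.
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line.strip(), bool(RISKY.search(line))))
    return hits


def scan_site_dirs(dirs):
    """Scan the top level of each directory for .pth files with exec lines."""
    findings = {}
    for d in filter(os.path.isdir, dirs):
        for name in sorted(n for n in os.listdir(d) if n.endswith(".pth")):
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = executable_pth_lines(fh.read())
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    for path, hits in scan_site_dirs(dirs).items():
        for lineno, line, risky in hits:
            tag = "RISKY" if risky else "review"
            print(f"[{tag}] {path}:{lineno}: {line[:120]}")
```

Some legitimate packages, such as setuptools and editable installs, also ship `import` lines in `.pth` files, so a finding is a prompt to review the file's origin rather than proof of compromise.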