PYSEC-2026-582
Malicious code in mflux-streamlit (PyPI)
Details
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of mflux-streamlit were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload (via the Bun runtime) on import that harvests and exfiltrates credentials and attempts self-propagation. This entry is a summary; behavior may not be fully characterized here. See the linked references for detailed analysis and indicators of compromise.
Affected packages
PyPI / mflux-streamlit
No fixed version published yet for mflux-streamlit (pip). Pin to a known-safe version or switch to an alternative.
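The evidence links in the references are `.pth` files inside the published wheels. CPython's `site.py` executes any line of a `.pth` file that begins with `import` when the interpreter starts, so a `.pth` is one place a package can run code before anything else in the process does. The scanner below is an added example, not part of this advisory or of the mflux-streamlit project: it lists every executable `.pth` line under the running interpreter's site-packages directories so a defender can review them. The sample `.pth` content it builds is constructed for the demo; the file name mirrors the one cited above, but the real file's contents are not reproduced here.

```python
import site
import sysconfig
import tempfile
from pathlib import Path


def pth_executable_lines(pth_path):
    """Return (line_number, text) for every line of a .pth file that the
    interpreter would exec() at startup.

    CPython's site.py treats a .pth line beginning with "import " or
    "import\t" as Python code and executes it; every other non-blank,
    non-comment line is appended to sys.path as a directory.
    """
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, start=1):
            line = raw.rstrip("\r\n")
            if line.startswith(("import ", "import\t")):
                hits.append((lineno, line))
    return hits


def scan_pth_files(directories):
    """Map each .pth path under the given directories to its executable
    lines. Missing directories are skipped; files with no executable
    lines are not reported."""
    findings = {}
    for directory in directories:
        base = Path(directory)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            hits = pth_executable_lines(pth)
            if hits:
                findings[str(pth)] = hits
    return findings


def default_site_dirs():
    """Site-packages directories of the running interpreter (purelib,
    platlib and the user site), deduplicated and in order."""
    paths = sysconfig.get_paths()
    candidates = [paths["purelib"], paths["platlib"], site.getusersitepackages()]
    seen, result = set(), []
    for p in candidates:
        if p not in seen:
            seen.add(p)
            result.append(p)
    return result


def build_sample_site_dir():
    """Create a temporary directory standing in for site-packages with one
    benign .pth (a path entry only) and one constructed .pth carrying an
    executable import line. The content is a harmless stand-in written for
    this example, not the payload from the malicious releases."""
    tmp = Path(tempfile.mkdtemp(prefix="pth_scan_demo_"))
    (tmp / "benign_editable.pth").write_text("/opt/example/src\n", encoding="utf-8")
    (tmp / "mflux_streamlit-setup.pth").write_text(
        "import os; os.environ['PTH_HOOK_DEMO'] = '1'\n", encoding="utf-8"
    )
    return tmp


if __name__ == "__main__":
    # Scan the constructed sample first, then the real site-packages dirs.
    sample = build_sample_site_dir()
    for target in [sample] + default_site_dirs():
        for path, lines in scan_pth_files([target]).items():
            for lineno, text in lines:
                print(f"{path}:{lineno}: {text}")
```

Run it as a script to print every executable `.pth` line in the interpreter's site-packages. Executable `.pth` lines are not malicious by themselves (editable installs and some tooling use them legitimately), so the output is a review list: anything referencing a package you did not expect, or a runtime such as the one named in this entry, deserves a closer look at the wheel that installed it.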
References
- https://inspector.pypi.io/project/mflux-streamlit/0.0.3/packages/55/aa/ed575e2fa490de397e5d5c017b1093c8439f6718db903f0fc2d5300ae5c9/mflux_streamlit-0.0.3-py3-none-any.whl/mflux_streamlit-setup.pth [EVIDENCE]
- https://inspector.pypi.io/project/mflux-streamlit/0.0.4/packages/59/7d/442dea3530fbfceaee95cf549bbc668cdba6d317e2ede244a2fd327f79ec/mflux_streamlit-0.0.4-py3-none-any.whl//mflux_streamlit-setup.pth [EVIDENCE]
- https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages [ARTICLE]
- https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages [ARTICLE]