PT-2026-55191 · Pypi · Mrbios

Published

2026-06-30

·

Updated

2026-06-30

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08, malicious phantom releases of mrbios were published to PyPI using stolen credentials. The package executes a bundled JavaScript payload (via the Bun runtime) on import that harvests and exfiltrates credentials and attempts self-propagation. This entry is a summary; behavior may not be fully characterized here. See the linked references for detailed analysis and indicators of compromise.
Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-594

Affected Products

Mrbios