bun

If not, it downloads the legitimate Bun runtime v1.3.13, and then executes the second-stage payload

The worm propagation logic mirrors Bitwarden attack with the same sequence: read npm tokens from .npmrc and the environment, validate each token, enumerate all packages the token can publish, inject the dropper into each package's preinstall hook, and republish as package-updated.tgz using Bun's native publish API.

The preinstall hook runs setup.mjs on every npm install mbt.

Step 1 — init.py spawns a background subprocess on import... subprocess.Popen([sys.executable, _start], cwd=_runtime_dir, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js.

Native extension import trigger — Malicious code is embedded directly inside compiled .abi3.so extensions. The Python source appears clean, but the extension executes _index.js the moment Python loads the module via dlopen()

contains a hidden execution chain that silently downloads a JavaScript runtime (Bun) and executes an 11.4 MB heavily obfuscated JavaScript payload upon import lightning

.pth startup-hook pattern — A malicious wheel bundles a *-setup.pth file alongside _index.js. The hook fires during Python startup, silently downloads the Bun JavaScript runtime, and executes the obfuscated stealer payload.

The first branch is the .pth startup-hook pattern. A malicious wheel contains a *-setup.pth file and a bundled _index.js. The .pth hook runs during Python startup, downloads Bun if needed, and runs the JavaScript payload.

The first branch is the .pth startup-hook pattern. A malicious wheel contains a *-setup.pth file and a bundled _index.js. The .pth hook runs during Python startup, downloads Bun if needed, and runs the JavaScript payload.

The 4.29 MB index.js dropper uses layered obfuscation, beginning with a large character-code array reconstructed at runtime, decoded through a ROT-XX (Caesar cipher) transformation, and dynamically executed via eval().

Staged unpacking: The payload is unpacked through multiple decoding layers, including several ROT (rotate)-based obfuscation variants followed by AES-128-GCM decryption.

.pth startup-hook pattern — A malicious wheel bundles a *-setup.pth file alongside _index.js. The hook fires during Python startup, silently downloads the Bun JavaScript runtime, and executes the obfuscated stealer payload.

Specifically, the program targets cloud infrastructure tokens across multiple developer environments. The payload queries the local Amazon Web Services metadata endpoints to steal container roles.

It searches for authorization keys inside the host environment variables. Furthermore, the binary attempts to steal npm publish tokens to widen the npm supply chain attack.

Additionally, it extracts sensitive configuration secrets across 16 distinct AWS regions. In addition, the malware targets secrets stored inside HashiCorp Vault environments.

The loader retrieves a legitimate Bun bundle directly from GitHub to execute a pre-bundled file hidden inside the tarball.

The bootstrapper... fetches https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/ .zip from GitHub's official release CDN.