Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid installing or using any malicious instance of the okite package; remove it from affected environments.
Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large-scale operation that has affected numerous packages across open source ecosystems. The malicious releases were published through a compromised maintainer account of a legitimate project as part of a broader credential theft campaign. The malicious functionality was not part of the original software and does not reflect the intent of the project's maintainers.
The malicious release abuses Python startup hooks (.pth files) to execute code automatically whenever the interpreter starts, download additional payloads, and attempt to collect developer, cloud, CI/CD, and other sensitive credentials from affected systems. A .pth file dropped into a site-packages directory is processed by site.py at startup, and any line beginning with `import` is executed, so the hook runs in every Python process on the machine even if okite itself is never imported. The main malicious payload is contained in _index.js, which runs on the JavaScript Bun runtime. The campaign targets a wide range of secrets, including source-control tokens, package publishing credentials, cloud access keys, SSH keys, and local configuration files.
Note:
Malicious versions may still be available on PyPI at the time of analysis. Users should verify which version is installed, uninstall affected releases and any .pth hooks they left behind, and rotate every credential the process may have reached (source-control tokens, package publishing credentials, cloud access keys, SSH keys).
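As an added example (not content from this advisory and not the okite project's code), the script below audits the startup-hook mechanism described above and checks whether the package is installed. It relies only on documented CPython behaviour: at interpreter start, site.py reads every .pth file in each site directory, exec()s any line beginning with `import`, and treats other lines as sys.path entries. The indicator patterns and the sample .pth text are constructed for illustration and are not a published signature for this campaign; the `okite` lookup uses the distribution name from this advisory.

```python
"""Audit .pth startup hooks and check for an installed distribution.

Added example, not Snyk's page content or the okite project's code.
Only reads files; it never executes the hooks it finds.
"""
import os
import re
import site
from importlib import metadata

# Assumed indicators of a .pth hook that spawns or downloads something.
# Constructed for illustration; not a published campaign signature.
SUSPICIOUS_PATTERNS = [
    r"\bsubprocess\b",
    r"\bos\.system\b",
    r"\bexec\(",
    r"\bbase64\b",
    r"\burllib\b",
    r"\bsocket\b",
    r"_index\.js",
    r"\bbun\b",
]


def executable_pth_lines(text):
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.py skips blank lines and '#' comments, exec()s lines starting with
    'import ' or 'import\\t', and adds every other line to sys.path.
    """
    hooks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("import ", "import\t")):
            hooks.append(line)
    return hooks


def suspicious_hooks(text):
    """Return (line, matched_pattern) for exec lines that look like loaders."""
    findings = []
    for line in executable_pth_lines(text):
        for pat in SUSPICIOUS_PATTERNS:
            if re.search(pat, line):
                findings.append((line, pat))
                break
    return findings


def scan_site_dirs(dirs=None):
    """Scan the given site dirs (default: this interpreter's); returns {path: findings}."""
    if dirs is None:
        # Older virtualenv-patched site modules lack getsitepackages(); guard it.
        dirs = list(getattr(site, "getsitepackages", lambda: [])())
        dirs.append(site.getusersitepackages())
    report = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = suspicious_hooks(fh.read())
            if findings:
                report[path] = findings
    return report


def installed_version(dist_name):
    """Installed version of a distribution, or None if it is not installed."""
    try:
        return metadata.version(dist_name)
    except metadata.PackageNotFoundError:
        return None


# Constructed sample .pth content: a path entry, a benign hook of the kind
# editable installs and virtualenv use, and a loader-style hook that spawns
# the Bun runtime on a dropped _index.js (illustrative text only, never run).
SAMPLE_PTH = """\
# editable install
/home/dev/src/mypkg
import _virtualenv
import os, subprocess; subprocess.Popen(["bun", os.path.expanduser("~/.cache/_index.js")])
"""

if __name__ == "__main__":
    for line, pat in suspicious_hooks(SAMPLE_PTH):
        print(f"sample: suspicious hook [{pat}]: {line}")
    for path, findings in scan_site_dirs().items():
        for line, pat in findings:
            print(f"{path}: [{pat}] {line}")
    version = installed_version("okite")
    print("okite installed:", version if version else "no")
```

Run it under every interpreter on the host (system Python, virtualenvs, CI images), since each has its own site directories; a benign hit such as `import _virtualenv` is expected, so read the flagged line rather than trusting the pattern name alone.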