Pythagora's gpt-pilot Compromised by Shai-Hulud Credential Stealer; Blocked by Python Linter
Key Takeaways
- Code quality tooling like linters and formatters provided an unexpected but critical security defense by rejecting malware that violated code standards, demonstrating that CI/CD validation layers can help mitigate supply-chain attacks
- Open-source projects face elevated risks from maintainer account compromise; the absence of branch protection rules allowed direct force-pushes, bypassing code review and approval workflows
- The Shai-Hulud worm family uses sophisticated multi-layer obfuscation, covert C&C via GitHub, and targets the full spectrum of development secrets, from cloud infrastructure credentials to version control and deployment tokens
Summary
On June 8, 2026, an attacker compromised a co-founder's GitHub account for Pythagora-io/gpt-pilot, a widely used open-source AI developer tool with over 33,700 GitHub stars, and force-pushed malicious code to the main branch. The absence of branch protection rules allowed the attacker to directly overwrite the repository's commit history with a Trojan commit backdated to August 2025. The malicious payload went undetected by standard security measures but was ultimately blocked by an unexpected defender: ruff, the project's Python code formatter and linter, which rejected the injected code for failing to conform to the project's formatting standards during the CI/CD pipeline.
The injected payload was a 758KB obfuscated JavaScript credential stealer—a variant of the Shai-Hulud worm family. The malware targets critical secrets including AWS keys, npm tokens, GitHub secrets, Kubernetes service accounts, HashiCorp Vault tokens, and SSH keys. It employs multiple obfuscation layers, uses GitHub commit messages as a covert command-and-control channel, exfiltrates stolen credentials by creating hidden GitHub repositories, and can sign and publish malicious npm packages with valid SLSA Build Level 3 attestations via Sigstore. The worm also installs persistence hooks in popular development tools like Claude Code and VS Code to ensure reactivation in future coding sessions.
The attacker attempted to deploy the malware twice; both attempts failed when the CI pipeline rejected the files for violating the project's linting and formatting rules. This incident underscores an emerging supply-chain attack pattern: the Shai-Hulud worm family has successfully compromised projects maintained by Microsoft, Red Hat, and Mistral AI this year. Pythagora's maintainers have been notified through responsible disclosure.
- Commit backdating and innocuous commit messages obscure malicious changes within a project's history, requiring security practices beyond conventional code review
- Supply-chain attacks on development infrastructure are accelerating; the same threat actor has successfully targeted major technology companies this year
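The two signals described above, a force-push to the main branch and a head commit dated long before it was pushed, can be checked mechanically. The following is an added example, not code from Pythagora or from the original report: the `id`, `ref`, `timestamp` and `activity_type` fields follow GitHub's repository activity listing, while `head_commit_date`, the 7-day tolerance and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

MAX_SKEW = timedelta(days=7)  # assumed tolerance between commit date and push time


def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_pushes(events, protected_ref="refs/heads/main", max_skew=MAX_SKEW):
    """Return (event id, finding) pairs for pushes to the protected ref.

    'force_push' means history on the protected branch was rewritten.
    'backdated'  means the head commit's committer date precedes the
                 push time by more than max_skew.
    """
    findings = []
    for ev in events:
        if ev["ref"] != protected_ref:
            continue  # only the protected branch is audited
        if ev["activity_type"] == "force_push":
            findings.append((ev["id"], "force_push"))
        # head_commit_date is a hypothetical field: the committer date of
        # the pushed head commit, filled in by whoever collects the events.
        gap = parse_ts(ev["timestamp"]) - parse_ts(ev["head_commit_date"])
        if gap > max_skew:
            findings.append((ev["id"], "backdated"))
    return findings


# Constructed sample records, not data from the incident.
SAMPLE_EVENTS = [
    {"id": 1, "ref": "refs/heads/main", "activity_type": "push",
     "timestamp": "2024-03-01T09:00:00Z",
     "head_commit_date": "2024-03-01T08:30:00Z"},
    {"id": 2, "ref": "refs/heads/main", "activity_type": "force_push",
     "timestamp": "2024-03-10T12:00:00Z",
     "head_commit_date": "2023-06-01T08:00:00Z"},
    {"id": 3, "ref": "refs/heads/feature-x", "activity_type": "force_push",
     "timestamp": "2024-03-11T10:00:00Z",
     "head_commit_date": "2024-03-11T09:55:00Z"},
]

if __name__ == "__main__":
    for event_id, finding in audit_pushes(SAMPLE_EVENTS):
        print(f"event {event_id}: {finding}")
```

Commit dates are set by the client and cannot be trusted on their own, which is why the check compares them against the server-recorded push time.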


