PyPI: 32 Malicious Packages Targeting AI and Data Science Tools Purged in Instant Takedown
A coordinated security sweep on PyPI has purged 32 malicious packages targeting AI, machine learning, and Model Context Protocol tools, all disclosed at the exact same instant on June 6, 2026.

Key findings
- A total of 32 malicious packages were simultaneously purged from PyPI on June 6, 2026, at 06:13 UTC.
- The campaign heavily targeted AI, machine learning, and Model Context Protocol (MCP) developer ecosystems.
- Targeted packages include langchain-core-mcp, ray-mcp-server, instructor-mcp, and mflux-streamlit.
- High-impact targets like cmd2func and embiggen draw hundreds to thousands of weekly downloads.
- Security teams advise immediate credential rotation, especially for LLM and cloud provider API keys.
On June 6, 2026, security researchers and registry administrators executed a massive, synchronized cleanup on the Python Package Index (PyPI), disclosing and removing 32 malicious packages at the exact same instant. Landing at 06:13 UTC, this highly coordinated sweep indicates a single, unified campaign designed to infiltrate developer environments. Rather than relying on a shared naming prefix or scope, the threat actors behind this push targeted a highly specific vertical: the rapidly growing artificial intelligence, machine learning, and Model Context Protocol (MCP) ecosystems.
The campaign's targeting strategy is evident in the naming of the malicious uploads. Multiple packages directly impersonate or target emerging tools in the LLM and AI orchestration space. Among the purged files were langchain-core-mcp (versions 1.4.2 and 1.4.3), ray-mcp-server (version 0.2.1), and instructor-mcp (versions 1.15.2 and 1.15.3). By focusing on Model Context Protocol utilities, the attackers aimed to intercept environments where sensitive LLM configurations, API keys, and proprietary data sources are actively integrated. Other notable AI-themed targets included mflux-streamlit (versions 0.0.3 and 0.0.4) and dreamgen (version 1.8.1).
In addition to cutting-edge AI tools, the campaign cast a wider net across popular data science and utility libraries. The actors uploaded malicious versions of graph and data manipulation libraries, such as embiggen version 0.11.97 (whose legitimate versions draw 902 weekly downloads) and ensmallen version 0.8.101. They also targeted utility packages like cmd2func (versions 0.2.2 and 0.2.3), which commands a significant install base of 2.3k weekly downloads, and executor-engine (versions 0.3.4 and 0.3.5), which draws 870 weekly downloads. This mix of high-utility targets suggests an attempt to maximize exposure across both specialized AI developers and general Python software engineers.
While specific behavioral analysis from OpenSSF Package Analysis was not detailed for every package, the unified delivery mechanism and simultaneous takedown point to a classic dependency hijacking or typosquatting operation. Malicious packages of this nature typically leverage setup scripts (setup.py) or post-install hooks to execute arbitrary code immediately upon installation. In an AI development context, such code execution is frequently used to exfiltrate environment variables, cloud provider credentials, and highly valuable API tokens for services like OpenAI, Anthropic, or Hugging Face.
The severity of these compromises cannot be overstated. Any development machine, build server, or production environment that installed these specific package versions must be treated as fully compromised. Because the malicious payloads execute with the privileges of the installing user, threat actors could easily establish persistent backdoors, harvest local SSH keys, or compromise downstream software builds.
Organizations are urged to immediately audit their dependency trees and build logs for any references to the affected packages. If any of these versions are found, security teams should immediately isolate the affected systems, rotate all environment secrets and API keys from an uncompromised machine, and inspect network logs for unauthorized outbound connections.
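The audit described above can be scripted. The following is an added example, not code from the original article or from PyPI: it checks requirements files, `pip freeze` output, pip build logs and the current environment against only the package versions named in this article (not the full list of 32). The function names and the sample text are constructed for illustration.

```python
import re
from importlib import metadata

# Only the versions named in the article; the full list of 32 is not on the page.
AFFECTED = {
    "langchain-core-mcp": {"1.4.2", "1.4.3"},
    "ray-mcp-server": {"0.2.1"},
    "instructor-mcp": {"1.15.2", "1.15.3"},
    "mflux-streamlit": {"0.0.3", "0.0.4"},
    "dreamgen": {"1.8.1"},
    "embiggen": {"0.11.97"},
    "ensmallen": {"0.8.101"},
    "cmd2func": {"0.2.2", "0.2.3"},
    "executor-engine": {"0.3.4", "0.3.5"},
}

def normalize(name):
    """PEP 503 normalization, so Executor_Engine and executor-engine compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

# Matches "name==1.2.3" (requirements, pip freeze) and "name-1.2.3" (pip log lines).
PIN = re.compile(r"(?<![\w.-])([A-Za-z0-9][A-Za-z0-9._-]*?)(?:==|-)(\d+(?:\.\d+)+)(?!\w)")

def scan_text(text):
    """Return sorted (name, version) hits found in requirements or build-log text."""
    hits = set()
    for m in PIN.finditer(text):
        name, version = normalize(m.group(1)), m.group(2)
        if version in AFFECTED.get(name, ()):
            hits.add((name, version))
    return sorted(hits)

def scan_installed():
    """Return hits among distributions installed for the running interpreter."""
    found = ((normalize(d.metadata.get("Name") or ""), d.version)
             for d in metadata.distributions())
    return sorted({(n, v) for n, v in found if v in AFFECTED.get(n, ())})

# Constructed sample: mixed requirements pins and pip log lines, not real output.
SAMPLE = """\
numpy==1.26.4
Executor_Engine==0.3.5
cmd2func==0.2.1
Successfully installed langchain_core_mcp-1.4.2 embiggen-0.11.96
Downloading ensmallen-0.8.101-cp311-cp311-manylinux_2_17_x86_64.whl
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE), scan_installed())
```

Only exact pins and log entries are matched; an unpinned requirement such as `cmd2func>=0.2` cannot be resolved from text alone, so check the lock file or the build log for the version that was actually installed.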