Pythagora-io/gpt-pilot Compromised on GitHub - Shai-Hulud Credential Stealer Blocked by Python Linter - StepSecurity
An attacker hijacked a co-founder's GitHub account for gpt-pilot, a 33K-star AI coding tool, and force-pushed a credential-stealing Shai-Hulud payload to the main branch. The ruff Python linter caught formatting and lint violations in the malicious code and blocked the CI build -- twice. The attacker gave up.
Ashish Kurmi
June 8, 2026
On June 8, 2026, an attacker compromised a co-founder's GitHub account for Pythagora-io/gpt-pilot, a popular open-source AI developer tool with 33,700+ GitHub stars and 3,500+ forks, and force-pushed a credential-stealing payload to the main branch. Marketed as "the first real AI developer," gpt-pilot is widely used by developers building AI-assisted coding workflows. The malware, a variant of the Shai-Hulud worm, was stopped by an unlikely defender: ruff, a Python code formatter. The attacker tried twice to get the malicious code past CI and failed both times because their injected Python file did not match the project's formatting and linting rules. The same malware family has successfully infected projects maintained by Microsoft, Red Hat, and Mistral AI this year.

The payload hidden inside the repository was not a simple backdoor. It is a 758KB obfuscated JavaScript credential stealer that targets AWS keys, npm tokens, GitHub secrets, Kubernetes service accounts, HashiCorp Vault tokens, and SSH keys. It uses GitHub commit messages as a covert command-and-control channel, exfiltrates stolen credentials by creating GitHub repositories and committing data as files, and can sign and publish malicious npm packages with valid SLSA Build Level 3 attestations via Sigstore. It even plants persistence hooks in Claude Code and VS Code so that future coding sessions re-execute the malware.

We have responsibly disclosed the compromise to the maintainers.

Attack Timeline
| Timestamp (UTC) | Event |
| --- | --- |
| 2025-08-24 20:37 | Malicious "Revert" commit authored and backdated to match a legitimate revert by Zvonimir Sabljic. The commit adds _hooks.py, _runtime.bin, and modifies __init__.py in core/telemetry/. |
| 2026-06-08 11:01:38 | First force push to main via the compromised LeonOstrez account. The clean commit chain (53154df1c66b) is replaced with the malicious chain (90f59f5de681). No branch protection rules were configured on main. |
| 2026-06-08 11:02:07 | CI fails. ruff format --check catches a formatting violation in _hooks.py line 59. All 6 CI jobs (3 Python versions x 2 OS variants) fail. CI run #27133204878. |
| 2026-06-08 11:13:07 | Second force push. The attacker fixes the formatting issue and retries. |
| 2026-06-08 11:13:38 | CI fails again. ruff check catches E402 (module-level import not at top of file) and I001 (unsorted imports) in __init__.py line 399. All 6 CI jobs fail again. |
| 2026-06-08 ~11:30 | Community member reports the compromise via GitHub issue #1181. |
| 2026-06-08 ~12:00 | Issue #1181 is deleted (now returns HTTP 410). Likely deleted by the compromised LeonOstrez account to suppress disclosure. |
How the Attack Works

Step 1 - Account Compromise and Force Push

The attacker gained control of the GitHub account of LeonOstrez, a Pythagora co-founder and repository maintainer. The repository had no branch protection rules on the main branch -- the GitHub API returns a 404 for /repos/Pythagora-io/gpt-pilot/branches/main/protection. This allowed the attacker to force-push directly to main without any review or approval.

The force push replaced the entire commit history. GitHub's push event log captures the rewrite:

```
# Push event 1 - clean history replaced with malicious chain
11:01:38Z LeonOstrez before:53154df1c66b head:90f59f5de681

# Push event 2 - attacker retries after CI failure
11:13:07Z LeonOstrez before:90f59f5de681 head:a372904facd5
```

Step 2 - The Trojan Commit

The core of the attack was a commit titled "Revert 'Implemented weekend discount'" -- an innocuous-sounding change that appeared to simply undo a promotional code update. The attacker created two versions of this commit with identical metadata (same message, same author name, same timestamp of 2025-08-24 20:37:44):
| Version | SHA | Changes |
| --- | --- | --- |
| Clean | 566fbb12 | Only reverts frontend.py and spec_writer.py |
| Malicious | 065ee8eb | Same reverts plus adds _hooks.py, _runtime.bin, and modifies __init__.py |
By backdating the malicious commit to August 2025, the attacker made it nearly invisible in a casual commit history review. The commit would appear to be months old, long before the actual compromise.
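The signals from Steps 1 and 2 can be checked mechanically when a push event arrives. The following is an added example, not code from the article or from gpt-pilot: it flags a push whose previous head is no longer reachable, newly introduced commits whose author date is far older than the push, and commits that share message, author and timestamp with an existing commit but touch different files. The SHAs, dates and file names come from the article; the parent links, the `base000` root, the tip-commit metadata and the 30-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# SHAs, message, author, author date and file names are quoted from the article;
# parent links, "base000" and the two tip commits' metadata are constructed.
REVERT = ("Revert 'Implemented weekend discount'", "Zvonimir Sabljic",
          datetime(2025, 8, 24, 20, 37, 44, tzinfo=UTC))
CLEAN = {"frontend.py", "spec_writer.py"}
EXTRA = {"core/telemetry/_hooks.py", "core/telemetry/_runtime.bin",
         "core/telemetry/__init__.py"}
JUNE_1 = datetime(2026, 6, 1, tzinfo=UTC)
COMMITS = {  # sha -> (parents, (message, author, author_date), files touched)
    "base000": ([], ("root", "dev", datetime(2025, 8, 23, tzinfo=UTC)), set()),
    "566fbb12": (["base000"], REVERT, CLEAN),
    "53154df1c66b": (["566fbb12"], ("tip A", "dev", JUNE_1), set()),
    "065ee8eb": (["base000"], REVERT, CLEAN | EXTRA),
    "90f59f5de681": (["065ee8eb"], ("tip B", "dev", JUNE_1), set()),
}


def ancestors(sha):
    """Every commit reachable from sha, including sha itself."""
    seen, stack = set(), [sha]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(COMMITS[cur][0])
    return seen


def audit_push(before, head, pushed_at, max_age=timedelta(days=30)):
    """Findings for one push event that moved the branch from before to head."""
    old, new = ancestors(before), ancestors(head)
    findings = []
    if before not in new:  # old head unreachable from new head: history rewritten
        findings.append(("force-push", before, head))
    old_meta = {COMMITS[s][1]: s for s in old}
    for sha in sorted(new - old):
        _, meta, files = COMMITS[sha]
        if pushed_at - meta[2] > max_age:  # author date far older than the push
            findings.append(("backdated", sha, meta[2].date().isoformat()))
        twin = old_meta.get(meta)
        if twin and files != COMMITS[twin][2]:  # same metadata, different content
            findings.append(("twin-differs", sha, sorted(files - COMMITS[twin][2])))
    return findings


PUSH_1 = audit_push("53154df1c66b", "90f59f5de681",
                    datetime(2026, 6, 8, 11, 1, 38, tzinfo=UTC))
```

Old author dates also appear after legitimate rebases and cherry-picks, so the "backdated" finding is a triage signal; the combination with a rewritten history and a metadata twin that adds files is what makes this push stand out.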
Step 3 - The Malware Components

Three files were injected into...