Security researchers said in a technical analysis from Socket that a new Hades attack wave has poisoned 37 malicious wheel artifacts across 19 Python Package Index packages, extending the Miasma and Shai-Hulud supply chain campaign into PyPI.
KEY FACTS
- Scope: 37 malicious wheel artifacts were found in 19 PyPI packages.
- Delivery: The compromised releases used a *-setup.pth file or an __init__.py import hook to run at install or startup time.
- Payload: The code downloaded the Bun JavaScript runtime and launched an obfuscated JavaScript stealer.
- Targets: The malware sought credentials and secrets tied to GitHub, npm, PyPI, cloud services and developer tools.
- Marker: Public GitHub repositories were labeled with descriptions such as "Hades – The End for the Damned".
The affected packages include bramin, cmd2func, coolbox, dynamo-release, executor-engine, executor-http, funcdesc, magique, magique-ai, mrbios, napari-ufish, nucbox, okite, pantheon-agents, pantheon-toolsets, spateo-release, synago, ufish and uprobe. The report said the malicious releases were built to execute before normal package use and to harvest data from developer systems.
The payload downloaded Bun from GitHub and then ran a JavaScript stealer that searched for GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure and Kubernetes secrets. It also looked for Docker configurations, Vault tokens, SSH keys, shell history files and local credential files such as .env, .npmrc and .pypirc.
Researchers said the campaign also included prompt injection text meant to mislead AI-based package scanners into classifying the code as safe. Other features described in the disclosure included GitHub commit keyword checks, lateral movement over SSH or SCP, attempts to backdoor workspace folders and a background service that could wipe files if a stolen GitHub token was revoked.
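The *-setup.pth delivery described above works because the interpreter's site.py executes any line in a .pth file that begins with "import " at startup, before the package is ever imported. The following script, an added example that is not from Socket's report or the affected projects, scans a wheel archive for .pth members carrying such executable lines; the package names and wheel contents are constructed samples.

```python
import io
import re
import zipfile
from typing import Dict, List

# site.py runs a .pth line only when it starts with "import " or "import\t";
# every other non-comment line is treated as a plain path entry.
PTH_EXEC_LINE = re.compile(r"^import[ \t]")


def scan_wheel(data: bytes) -> Dict[str, List[str]]:
    """Return {member_name: [executable lines]} for each .pth member of a wheel."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as wheel:
        for name in wheel.namelist():
            if not name.endswith(".pth"):
                continue
            text = wheel.read(name).decode("utf-8", errors="replace")
            hits = [ln for ln in text.splitlines() if PTH_EXEC_LINE.match(ln)]
            if hits:
                findings[name] = hits
    return findings


def build_wheel(members: Dict[str, str]) -> bytes:
    """Build a minimal wheel-style zip in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample with the delivery shape described in the report: a benign-looking
# package plus a "<name>-setup.pth" member whose import line runs code at startup.
SUSPECT_WHEEL = build_wheel({
    "examplepkg/__init__.py": "VERSION = '1.0'\n",
    "examplepkg-1.0.dist-info/METADATA": "Name: examplepkg\nVersion: 1.0\n",
    "examplepkg-setup.pth": "import examplepkg._bootstrap; examplepkg._bootstrap.run()\n",
})

# Constructed clean sample: a .pth holding only a path entry, which is never executed.
CLEAN_WHEEL = build_wheel({
    "examplepkg/__init__.py": "VERSION = '1.0'\n",
    "examplepkg.pth": "examplepkg\n",
})

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT_WHEEL), ("clean", CLEAN_WHEEL)):
        print(label, scan_wheel(data))
```

Run it against wheels pulled from an internal mirror or a CI cache to list every package that installs startup-executed .pth lines; a hit is not proof of compromise, but it is exactly where review of a third-party release should start.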
The broader activity follows earlier Shai-Hulud and Miasma incidents that used trusted package channels and GitHub-centric exfiltration. In a separate case, StepSecurity said a compromised GitHub account tied to the gpt-pilot project was used to push a variant of the worm, but formatting checks blocked the code from landing in CI.
WHY IT MATTERS
The incident shows how malicious code in a package registry can run before developers inspect or import it, which raises the risk of stolen credentials and downstream compromise in software build systems. It also shows that attackers are adapting delivery methods to bypass both security tools and package review workflows.

