
PyPI Packages Poisoned in Hades Supply Chain Attack


"The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js," Socket said.

Scope: 19 PyPI packages, 37 malicious wheels

Security researchers have identified a new wave of supply‑chain poisonings on the Python Package Index (PyPI) that Socket and other firms call the Hades campaign. The campaign comprises 37 malicious wheel artifacts distributed across 19 packages and multiple versions. The affected packages and their poisoned versions include:

  • bramin 0.0.2, 0.0.3, 0.0.4
  • cmd2func 0.2.2, 0.2.3
  • coolbox 0.4.1, 0.4.2
  • dynamo-release 1.5.4
  • executor-engine 0.3.4, 0.3.5
  • executor-http 0.1.3, 0.1.4
  • funcdesc 0.2.2, 0.2.3
  • magique 0.6.8, 0.6.9
  • magique-ai 0.4.4, 0.4.5
  • mrbios 0.1.1, 0.1.2
  • napari-ufish 0.0.2, 0.0.3
  • nucbox 0.1.2, 0.1.3
  • okite 0.0.7, 0.0.8
  • pantheon-agents 0.6.1, 0.6.2
  • pantheon-toolsets 0.5.5, 0.5.6
  • spateo-release 1.1.2
  • synago 0.1.1, 0.1.2
  • ufish 0.1.2, 0.1.3
  • uprobe 0.1.3, 0.1.4

Technique: execution at install via setup.pth and Bun-powered JavaScript stealer

Hades reuses a familiar playbook from the Mini Shai‑Hulud and Miasma campaigns but adapts it for Python. Socket highlighted that the poisoned releases include a "*-setup.pth" file processed by Python's "site" module during interpreter startup, which causes the malicious payload to run automatically after installation without requiring the package to be imported. The payload downloads the Bun JavaScript runtime from GitHub and executes a heavily obfuscated JavaScript stealer named _index.js.
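The startup behaviour described above can be audited before and after installation. The following Python is an added example, not code from Socket's report or from any affected package: it applies the rule Python's site module uses to pick the .pth lines it executes (those beginning with "import" followed by a space or tab) to a wheel archive and to installed site directories. The function names and the sample wheel are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

def exec_lines(pth_text):
    """Lines site.py would pass to exec(): raw lines starting with 'import' + space/tab."""
    return [ln for ln in pth_text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def scan_wheel(wheel):
    """Map each .pth member of a wheel (path or file object) to its executable lines."""
    findings = {}
    with zipfile.ZipFile(wheel) as zf:
        for name in zf.namelist():
            if name.endswith(".pth"):
                hits = exec_lines(zf.read(name).decode("utf-8", "replace"))
                if hits:
                    findings[name] = hits
    return findings

def scan_site_dirs(dirs):
    """Same check for .pth files already present in the given site directories."""
    findings = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = exec_lines(pth.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[str(pth)] = hits
    return findings

def build_sample_wheel():
    """Constructed, harmless wheel: one path-only .pth and one with an import line."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo/__init__.py", "")
        zf.writestr("demo-paths.pth", "# comment\n./vendored\n")
        zf.writestr("demo-setup.pth", "import os; os.environ.get('HOME')\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    import site
    print("wheel:", scan_wheel(build_sample_wheel()))
    print("installed:", scan_site_dirs(site.getsitepackages()))
```

Legitimate tools such as setuptools also ship .pth files with import lines, so findings are a review queue rather than a verdict.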

Socket summarized the relationship to earlier activity: "That makes Hades best understood as a PyPI branch of the same Mini Shai‑Hulud / Miasma lineage, not a standalone Python malware incident." As with earlier waves, the Bun runtime is used to run complex JavaScript workloads in environments that may lack Node.js.

Targets and exfiltration: developer and CI/CD credentials, GitHub‑centric staging

The stealer is designed to harvest an extensive set of developer and CI/CD credentials. According to the reporting, the malware looks for secrets tied to GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, and Kubernetes, and it also seeks Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, Claude/MCP configurations, and other local or runner‑accessible credentials. Earlier Miasma iterations exported harvested data to public GitHub repositories described as "Miasma: The Spreading Blight"; the Hades wave instead used repository descriptions such as "Hades - The End for the Damned" and "Hades * The End for the Damned."

AI evasion, GitHub payload plumbing, and expanded memory scraping

StepSecurity reported several novel characteristics in the Hades cluster. Some packages in computational biology and bioinformatics—embiggen, ensmallen, gpsea, mflux‑streamlit, nhmpy, ppkt2synergy, and pyphetools—embed an entry point inside the package's __init__.py as an obfuscated single‑line import hook, but the result is the same: Bun is downloaded and the JavaScript payload is executed.

StepSecurity also described a layered evasion strategy: the malware includes a plain‑text prompt injection that attempts to deceive Large Language Model (LLM)‑based package analysis tools into classifying the package as safe. The malware fetches additional payloads from GitHub commits by searching for keywords such as "TheBeautifulSnadsOfTime" (to extract a Base64‑encoded JavaScript payload) and "firedalazer" (to retrieve a Python dropper), then executes the retrieved code.

Rohan Prabhu noted an operational escalation: earlier process‑memory scraping targeted Linux /proc/<pid>/mem, but "The Hades Campaign introduces tailored macOS and Windows memory scrapers." That broadens the environments from which secrets can be harvested, including GitHub Actions runners by reading the Runner.Worker process memory when possible.

Capabilities that change the risk model for developers and CI

Hades combines credential theft with active propagation and destructive mechanisms. The malware can replicate and spread laterally using SSH or SCP; push trojanized PyPI packages by exploiting developers' OpenID Connect (OIDC) trust; target GitHub repositories to extract organization secrets via Actions runners if a harvested token has write permissions; and backdoor local workspace folders so that opening projects or AI assistant analysis can trigger execution. The malware also installs a background service named "gh-token-monitor" that will remove local data ("rm -rf ~/; rm -rf ~/Documents") if a stolen GitHub token is revoked.

StepSecurity tied the campaign to a concrete incident: an unknown attacker compromised the "LeonOstrez" GitHub account linked to "Pythagora-io/gpt-pilot" and force‑pushed a Shai‑Hulud variant to the main branch. Ashish Kurmi said the malicious change was stopped because it failed the project's formatting and linting rules enforced by ruff.

What this means for developers, GitHub Actions runners, and package maintainers

  • Developers and CI operators: the attack shows code can execute during interpreter startup via setup.pth or hidden import hooks—installing a package is not necessarily safe without review.
  • GitHub Actions runners and organizations using OIDC: harvested tokens with write permissions can be used to exfiltrate and push poisoned packages, amplifying supply‑chain risk.
  • Package maintainers and registries: the lineage pattern demonstrates that signing keys and authenticated maintainer accounts do not, by themselves, prevent abuse when upstream repositories or accounts are compromised, as Cloudsmith warned.

Snyk characterized Hades as a continuation of the Shai‑Hulud / Miasma lineage, combining "new persistence, new exfiltration routes, and new ways to fire code automatically at install or build time." The technical details in Socket's and StepSecurity's analyses show the campaign is a refinement rather than a reinvention—shifting execution primitives to Python's startup path while retaining Bun‑based JavaScript theft and GitHub‑centric staging.

Link to original reporting: https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html