- What: Attackers compromised 19 PyPI packages with 37 malicious wheel artifacts that auto-execute during Python startup using *-setup.pth files to deploy a Bun-powered JavaScript credential stealer.
- Impact: The malware harvests secrets from GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, CircleCI, JFrog, SSH keys, and CI/CD pipelines while spreading laterally via OIDC exploitation and installing a wiper that triggers on token revocation.
- Fix / mitigation: Audit dependencies for the 19 listed packages and versions, scan for *-setup.pth files in installed wheels, and implement strict package pinning with hash verification for all PyPI dependencies.
- Who's at risk: Python developers, DevOps engineers, CI/CD pipeline operators, and organizations using computational biology packages like embiggen, ensmallen, and gpsea are at immediate risk.
The Hades campaign represents the latest evolution of the Mini Shai-Hulud and Miasma supply chain attacks, with threat actors deploying 37 malicious wheel artifacts across 19 packages in the Python Package Index. This iteration introduces a critical shift in execution technique: using *-setup.pth files to achieve automatic code execution during Python interpreter startup, eliminating the need for victims to import the poisoned package.
Socket researchers identified the compromise chain beginning with seemingly legitimate package updates. The malicious releases shipped a *-setup.pth file processed by Python's 'site' module during interpreter startup. This file automatically downloads the Bun JavaScript runtime from GitHub and executes a heavily obfuscated JavaScript payload named _index.js—all before any application code runs.
Zero-Interaction Execution Vector
The *-setup.pth technique represents a dangerous advancement in supply chain attacks. Traditional PyPI malware required developers to import or use the compromised package before malicious code executed. Hades bypasses this entirely. The Python interpreter automatically processes .pth files during startup, creating an execution edge the moment the package is installed via pip.
Socket researchers noted this mirrors the npm install-hook problem exploited in earlier Shai-Hulud and Miasma campaigns: 'The syntax is different, but the security consequence is the same: dependency installation creates an execution edge before application code is reviewed or invoked.' This makes manual code review and sandboxing significantly less effective as defensive measures.
The 19 confirmed malicious packages include bramin (0.0.2-0.0.4), cmd2func (0.2.2-0.2.3), coolbox (0.4.1-0.4.2), dynamo-release (1.5.4), executor-engine (0.3.4-0.3.5), executor-http (0.1.3-0.1.4), funcdesc (0.2.2-0.2.3), magique (0.6.8-0.6.9), magique-ai (0.4.4-0.4.5), mrbios (0.1.1-0.1.2), napari-ufish (0.0.2-0.0.3), nucbox (0.1.2-0.1.3), okite (0.0.7-0.0.8), pantheon-agents (0.6.1-0.6.2), pantheon-toolsets (0.5.5-0.5.6), spateo-release (1.1.2), synago (0.1.1-0.1.2), ufish (0.1.2-0.1.3), and uprobe (0.1.3-0.1.4).
Comprehensive Credential Harvesting
Once executed, the JavaScript payload conducts systematic credential theft across developer environments. The stealer targets secrets from GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, and Kubernetes. It also harvests Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, and Claude MCP configurations—essentially any credential accessible in local or CI/CD runner environments.
Exfiltrated data is uploaded to GitHub repositories with descriptions like 'Hades - The End for the Damned' and 'Hades * The End for the Damned,' marking a rebranding from earlier Miasma campaign markers. This GitHub-centric exfiltration strategy helps the malware blend into legitimate developer traffic while providing attackers with version-controlled storage for stolen credentials.
Bioinformatics Cluster Uses Different Entry Point
A second cluster of compromised packages targeted the computational biology and bioinformatics ecosystem, including embiggen (0.11.97), ensmallen (0.8.101), gpsea (0.9.14), mflux-streamlit (0.0.3-0.0.4), nhmpy (2.4.7), ppkt2synergy (0.1.1), and pyphetools (0.9.120). These packages employed a different technique: embedding the entry point inside the package's __init__.py file as an obfuscated single-line import hook.
Despite the different initial access method, the outcome remains identical—downloading and executing the Bun runtime followed by JavaScript payload execution. StepSecurity noted that using Bun as a standalone ZIP file allows the malware to run complex JavaScript tasks in environments lacking Node.js installations, bypassing traditional package manager controls and network proxy logs.
AI Defense Evasion and Dynamic Payload Retrieval
Hades incorporates novel artificial intelligence defense evasion techniques. The malware includes plain-text prompt injection designed to deceive Large Language Model-based package analysis tools, attempting to instruct the model to classify the package as safe. This represents one of the first documented cases of supply chain malware specifically targeting AI-powered security scanning systems.
The malware also implements sophisticated dynamic payload retrieval. It queries GitHub commits for the keyword 'TheBeautifulSnadsOfTime' to extract Base64-encoded strings containing JavaScript payloads. It separately polls GitHub for commits matching 'firedalazer' to fetch and execute Python-based droppers. This approach allows attackers to update payloads without redeploying compromised packages.
Lateral Movement and OIDC Exploitation
Hades includes sophisticated post-compromise capabilities beyond simple credential theft. The malware replicates and spreads laterally across developer networks via SSH and SCP. It attempts to push trojanized versions of PyPI packages from compromised systems by exploiting developers' OpenID Connect trust configurations, potentially creating a cascading supply chain infection.
The malware targets GitHub repositories to extract organization secrets using GitHub Actions runners if harvested tokens have appropriate write permissions. Security researcher Rohan Prabhu highlighted a key advancement: 'The Hades Campaign introduces tailored macOS and Windows memory scrapers' beyond the earlier Linux-only /proc/{pid}/mem technique for reading GitHub Actions runner process memory.
Hades backdoors local workspace folders to trigger code execution when analyzed by AI assistants or opened in IDEs. Targeted platforms include Anthropic Claude, OpenAI Codex, Google Gemini, Microsoft Copilot, Cline, Aider, Tabby, Amazon Q, Cody, Bolt, and Continue. This creates persistence mechanisms that activate during routine development workflows.
Destructive Wiper Capability
One of the most alarming features in Hades is a background service named 'gh-token-monitor' that functions as a wiper. If a stolen GitHub token is revoked by the developer—indicating detection or remediation attempts—the service executes 'rm -rf ~/; rm -rf ~/Documents', destroying all user data. This scorched-earth tactic punishes incident response and complicates forensic investigation.
The inclusion of Russian locale checks suggests threat actor operational security measures to avoid domestic targeting, consistent with attribution patterns seen in previous Shai-Hulud and Miasma campaigns. The malware exits without executing if it detects a Russian system configuration.
Mitigation and Detection Recommendations
Organizations should immediately audit all Python environments for the 19 confirmed malicious packages and their specific versions. Scan installed wheels for *-setup.pth files, which should be rare in legitimate packages. Implement strict package pinning with cryptographic hash verification for all PyPI dependencies in requirements files and CI/CD pipelines.
Monitor for unexpected Bun runtime downloads from GitHub, particularly in Python-only environments. Review GitHub Actions logs for unauthorized secret access or repository modifications. Rotate credentials for any system where compromised packages were installed, prioritizing GitHub tokens, cloud provider keys, and CI/CD secrets. Implement least-privilege access controls for PyPI publishing tokens and restrict OIDC trust relationships.
- Audit Python environments for all 19 compromised packages across 37 malicious versions
- Scan for unauthorized *-setup.pth files in site-packages directories
- Monitor network traffic for Bun runtime downloads from GitHub releases
- Review GitHub Actions audit logs for unauthorized secret access attempts
- Rotate all credentials on systems where malicious packages were installed
- Implement hash-based dependency pinning in requirements.txt and Pipfile.lock
- Restrict PyPI OIDC publishing workflows to dedicated isolated runners
- Deploy file integrity monitoring for .env, .npmrc, .pypirc, and SSH key files
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.
Talk to us