Hades Campaign Unleashes New Python Supply Chain Attacks, Targets Developer Secrets
A new wave of supply chain attacks, dubbed 'Hades,' has emerged from the 'Miasma' campaign, infiltrating the Python Package Index (**PyPI**) registry. This sophisticated operation leverages 37 malicious wheel artifacts across 19 packages, continuing the 'Mini Shai-Hulud' lineage of attacks designed to steal sensitive developer credentials and propagate across networks.
The **Miasma** supply chain campaign has escalated with a fresh attack wave named **Hades**, impacting the **Python Package Index (PyPI)** registry. This latest iteration involves 37 malicious wheel artifacts across 19 packages, further refining the 'Mini Shai-Hulud'-style attacks to target specific developer ecosystems.
According to an analysis by **Socket**, the compromised releases included a `*-setup.pth` file. This file is designed to execute automatically during Python startup, downloading the **Bun** JavaScript runtime and subsequently launching an obfuscated JavaScript payload named `_index.js`.
### Identified Malicious Packages
The following packages have been identified as part of the **Hades** campaign:
* bramin 0.0.2, 0.0.3, 0.0.4
* cmd2func 0.2.2, 0.2.3
* coolbox 0.4.1, 0.4.2
* dynamo-release 1.5.4
* executor-engine 0.3.4, 0.3.5
* executor-http 0.1.3, 0.1.4
* funcdesc 0.2.2, 0.2.3
* magique 0.6.8, 0.6.9
* magique-ai 0.4.4, 0.4.5
* mrbios 0.1.1, 0.1.2
* napari-ufish 0.0.2, 0.0.3
* nucbox 0.1.2, 0.1.3
* okite 0.0.7, 0.0.8
* pantheon-agents 0.6.1, 0.6.2
* pantheon-toolsets 0.5.5, 0.5.6
* spateo-release 1.1.2
* synago 0.1.1, 0.1.2
* ufish 0.1.2, 0.1.3
* uprobe 0.1.3, 0.1.4
### Evolving Payload and Exfiltration
Consistent with previous **Shai-Hulud** and **Miasma** campaigns, the malicious payload downloads and installs the **Bun** JavaScript runtime. This runtime is then used to execute a heavily obfuscated JavaScript stealer, capable of exfiltrating a broad spectrum of data from developer systems.
The stolen data includes secrets related to **GitHub**, **npm**, **PyPI**, **RubyGems**, **JFrog**, **CircleCI**, **Anthropic**, **AWS**, **GCP**, **Azure**, and **Kubernetes**. It also targets **Docker** configurations, **Vault** tokens, **SSH** keys, shell histories, `.env` files, `.npmrc` files, `.pypirc` files, **Claude**/**MCP** configurations, and other local or runner-accessible credentials.
A key change in the **Hades** campaign is the exfiltration marker. While earlier iterations used **GitHub** repository descriptions like "Miasma: The Spreading Blight," the latest wave employs "Hades - The End for the Damned" or "Hades * The End for the Damned."
**Socket** elaborates that **Hades** is a direct branch of the **Mini Shai-Hulud** / **Miasma** lineage, not a separate incident. The core methodology remains: abuse trusted package channels, execute before normal package use, stage a **Bun**-powered JavaScript payload, steal developer and CI/CD credentials, and utilize **GitHub**-centric exfiltration and propagation.
### Novel Execution Vector
This time, the attackers are leveraging a `*-setup.pth` file, processed by Python's `site` module during interpreter startup. This allows the malicious payload to execute immediately after installation, without requiring the victim to explicitly import the poisoned package. The payload then downloads and runs **Bun** from **GitHub** to execute the stealer, but only after checking if the system's locale is Russian.
**Socket** notes the parallel to the `npm install-hook` problem exploited in earlier **Shai-Hulud** and **Miasma** attacks, highlighting that while the syntax differs, the security implication (execution during dependency installation before code review) remains the same.
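A defender-side check for the `.pth` execution vector described above, as an added example that is not from Socket's analysis or the original article: it lists the lines in `.pth` files that Python's `site` module would execute at interpreter startup. The function names (`scan_pth`, `scan_site_dirs`, `demo`) and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# site.py executes any .pth line that starts with "import" followed by a
# space or tab; every other non-comment line is treated as a path entry.
EXEC_PREFIXES = ("import ", "import\t")

def scan_pth(path):
    """Return (line_number, text) for each line site.py would execute."""
    hits = []
    # utf-8-sig strips a leading BOM so it cannot hide the first line.
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if line.startswith(EXEC_PREFIXES):
                hits.append((lineno, line.rstrip()))
    return hits

def scan_site_dirs(dirs):
    """Map each .pth file that has executable lines to its findings."""
    report = {}
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            hits = scan_pth(pth)
            if hits:
                report[str(pth)] = {
                    # The article reports the file name pattern *-setup.pth.
                    "setup_suffix": pth.name.endswith("-setup.pth"),
                    "exec_lines": hits,
                }
    return report

def demo():
    """Scan a constructed directory (sample data, not real indicators)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "plain.pth").write_text("# comment\n../src\n")
        Path(tmp, "example-setup.pth").write_text(
            "import os; os.environ.setdefault('DEMO', '1')\n")
        report = scan_site_dirs([tmp])
        return {Path(k).name: v for k, v in report.items()}

if __name__ == "__main__":
    import site
    dirs = site.getsitepackages() + [site.getusersitepackages()]
    found = scan_site_dirs(d for d in dirs if os.path.isdir(d))
    for name, info in found.items():
        print(name, info)
```

Legitimate packages also ship `.pth` files containing `import` lines, so each finding needs triage against the package that installed it.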
### Hades Cluster and AI Evasion
The **Hades** campaign also compromised packages within the computational biology, bioinformatics, and genotype-phenotype analysis ecosystem, including:
* embiggen 0.11.97
* ensmallen 0.8.101
* gpsea 0.9.14
* mflux-streamlit 0.0.3, 0.0.4
* nhmpy 2.4.7
* ppkt2synergy 0.1.1
* pyphetools 0.9.120
This cluster uses a distinct approach, embedding the entry point as an obfuscated single-line import hook within the package's `__init__.py` file. The outcome, however, is identical: downloading and running the **Bun** runtime followed by the JavaScript payload.
**StepSecurity** emphasizes the consistent use of the **Bun** runtime. Downloading **Bun** as a standalone ZIP file enables the malware to execute complex JavaScript tasks in environments lacking a **Node.js** installation, thereby circumventing traditional package manager controls and network proxy logs.
In a notable development, the malware incorporates a novel artificial intelligence (AI) defense evasion technique. It includes a plain-text prompt injection designed to mislead Large Language Model (**LLM**)-based package analysis tools into classifying the package as safe.
Furthermore, the malware queries **GitHub** commits for the keyword "TheBeautifulSnadsOfTime" to extract a Base64-encoded JavaScript payload. It also polls **GitHub** for commits matching "firedalazer" to fetch and execute a Python-based dropper.
### Hades Malware Capabilities
The **Hades** malware boasts several advanced features:
* **Lateral Movement**: Replicates and spreads across developer networks via **SSH** or **SCP**, pushing trojanized **PyPI** packages from compromised systems by exploiting developers' **OpenID Connect (OIDC)** trust configurations.
* **GitHub Repository Targeting**: Extracts organization secrets using **GitHub Actions** runners if the harvested **GitHub** token possesses appropriate write permissions.
* **Workspace Backdooring**: Backdoors local workspace folders to trigger code execution when analyzed by AI assistants or opened in IDEs. Targets include **Anthropic Claude**, **OpenAI Codex**, **Google Gemini**, **Microsoft Copilot**, **Cline**, **Aider**, **Tabby**, **Amazon Q**, **Cody**, **Bolt**, and **Continue**.
* **Wiper Functionality**: Installs a background service named "gh-token-monitor" that acts as a wiper, removing all data (`rm -rf ~/; rm -rf ~/Documents`) if the stolen **GitHub** token is revoked.
Security researcher **Rohan Prabhu** highlights a key capability of the **Miasma** actor: reading the process memory of the **GitHub Actions** runner (the `Runner.Worker` process) to extract secrets. While initially limited to Linux systems using `/proc/{pid}/mem`, the **Hades** campaign introduces tailored **macOS** and **Windows** memory scrapers.
### Shai-Hulud Variant on GitHub
This development coincides with **StepSecurity**'s revelation of an unknown attacker compromising the **GitHub** account ("LeonOstrez") linked to **Pythagora-io/gpt-pilot**, a popular open-source AI developer tool. The attacker force-pushed a variant of the **Shai-Hulud** credential-stealing worm to the main branch. This malware is designed to activate silently upon project execution by an unsuspecting developer, while avoiding systems with a Russian locale.
**Ashish Kurmi**, co-founder and CTO of **StepSecurity**, noted that the malware was thwarted by **ruff**, a Python code formatter. The attacker's attempts to bypass CI failed twice because their injected Python file violated the project's formatting and linting rules.
**Snyk** describes these attacks as part of the broader **Shai-Hulud** / **Miasma** lineage, with each wave leveraging a **Bun**-runtime obfuscated stealer combined with new persistence mechanisms, exfiltration routes, and automated code execution at install or build time.
**Cloudsmith** warns that signed keys and authenticated maintainer accounts no longer guarantee absolute safety. When upstream registries and repositories are compromised, public code becomes a direct and potent vector for compromise.