'Hades' Campaign Against PyPI Puts New Spin on Shai-Hulud

Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, attackers embraced a "Hades" naming convention as they continue to plague the open source developer ecosystem.

New research from Socket detailed a fresh wave of attacks featuring a variant of the Shai-Hulud worm, which has targeted npm and PyPI code packages since last September. The latest campaign involved 37 malicious PyPI wheels across 19 packages, according to a blog post by the Socket Research Team published Sunday.

"At the time of writing, PyPI had already quarantined a number of the affected releases; we reported the remaining ones to the PyPI security team," the blog post said.

Trademarks of Shai-Hulud Attacks

Shai-Hulud is a self-propagating, info-stealing malware that infects software components, uses the access to publish poisoned versions, and then harvests the repository accounts of those affected by the malware downstream.

Socket quickly identified the tradecraft of the latest Mini Shai-Hulud infections as "unmistakably Shai-hulud/Miasma," according to the post. The latter term refers to a recent wave of infections targeting npm packages associated with Red Hat Cloud Services, in which researchers found dozens of packages carrying a variant of the worm called Miasma.

The latest infections demonstrated a clear link to Shai-Hulud mainly because of the attack chain's cross-runtime design: it installs Bun, a JavaScript runtime, and uses it to run a heavily obfuscated JavaScript stealer before executing the rest of the payload.

Indeed, Shai-Hulud-style payloads do not assume Node.js, Python, or another local runtime will be available. Instead, they use Bun as the execution engine. "That behavior has shown up even in npm compromises, where Node.js would otherwise be the expected runtime," according to the post. The PyPI wave abuses Python .pth startup behavior to launch a Bun-powered JavaScript credential stealer targeting developer, cloud, package-publishing, and CI/CD secrets.
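Because the `site` module executes any `.pth` line that begins with `import` (followed by a space or tab) at interpreter startup, one practical defensive check is to enumerate the `.pth` files in site-packages and flag import lines that do more than load a plain module. The script below is an added example, not Socket's code and not taken from the campaign; the regex heuristics, the sample file names and the constructed `.pth` contents in `demo()` are assumptions for illustration only.

```python
"""Audit .pth files for executable 'import' lines (added example, not Socket's code)."""
import os
import re
import site
import tempfile
from pathlib import Path

# site.addpackage() exec()s a .pth line that starts with "import " or "import\t";
# comment lines and blank lines are skipped, every other line is a sys.path entry.
IMPORT_LINE = ("import ", "import\t")

# Constructs a legitimate one-line .pth hook (e.g. "import _virtualenv") has no
# reason to contain. Heuristic, not a signature; tune for your environment.
SUSPICIOUS = [
    ("exec/eval", re.compile(r"\b(exec|eval)\s*\(")),
    ("subprocess", re.compile(r"\bsubprocess\b")),
    ("os.system/popen", re.compile(r"\bos\.(system|popen)\b")),
    ("dynamic import", re.compile(r"__import__\s*\(")),
    ("base64 decode", re.compile(r"\bb64decode\b")),
    ("bun runtime", re.compile(r"\bbun\b", re.IGNORECASE)),
    ("downloader", re.compile(r"\b(curl|wget|urlopen)\b")),
]

def classify_line(line: str) -> list:
    """Return the heuristic names that match an executable .pth line ([] if clean)."""
    return [name for name, rx in SUSPICIOUS if rx.search(line)]

def scan_pth_file(path: Path) -> list:
    """Return one finding per executable (import) line in a .pth file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.startswith("#") or not line.startswith(IMPORT_LINE):
            continue  # blank, comment or sys.path entry: never executed as code
        reasons = classify_line(line)
        # A clean import line still deserves a look; long ones are usually packed code.
        verdict = "suspicious" if reasons or len(line) > 200 else "review"
        findings.append({"file": str(path), "line": lineno,
                         "length": len(line), "reasons": reasons, "verdict": verdict})
    return findings

def scan_directories(dirs) -> list:
    results = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.pth")):
            results.extend(scan_pth_file(p))
    return results

def default_dirs() -> list:
    """The .pth locations the running interpreter actually honours."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return [d for d in dirs if os.path.isdir(d)]

def demo() -> list:
    """Constructed site-packages dir: one benign and one hostile-looking .pth.

    The temp dir is never added to sys.path, so nothing here is executed."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "benign.pth").write_text("/opt/vendor/lib\nimport _virtualenv\n")
    (tmp / "hostile.pth").write_text(  # constructed sample, not a real payload
        "import os,base64;exec(base64.b64decode(b'<constructed>'))\n")
    return scan_directories([tmp])

if __name__ == "__main__":
    for f in demo() + scan_directories(default_dirs()):
        print(f["verdict"], f["file"], "line", f["line"], ",".join(f["reasons"]))
```

Run it after any `pip install` of unfamiliar packages, or in CI before secrets are loaded; a `review` verdict on a one-line `import some_module` is normal for tools like virtualenv, while anything decoding or executing data inside a `.pth` line should be treated as an incident until explained.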

A Descent Into Hades