Hades PyPI Attack Poisons 19 Packages with Bun-Powered Credential Stealer
A new supply chain offensive dubbed Hades has compromised 19 packages in the Python Package Index (PyPI), deploying 37 malicious wheel artifacts that silently install a Bun-based credential stealer on developer systems. Researchers at Socket traced the campaign to the same threat actor lineage behind the Shai-Hulud and Miasma waves, identifying it as a PyPI-focused branch rather than a standalone incident. The poisoned packages include bramin, cmd2func, coolbox, dynamo-release, executor-engine, executor-http, funcdesc, magique, magique-ai, mrbios, napari-ufish, nucbox, okite, pantheon-agents, pantheon-toolsets, spateo-release, synago, ufish, and uprobe, with two malicious versions released for each.
The infection chain begins the moment a developer installs one of the compromised releases. The wheel drops a specially crafted *-setup.pth file into site-packages; Python's "site" module reads every .pth file there at interpreter startup and executes any line that begins with "import", so the payload runs on the next Python launch without any user interaction and without the package ever being imported. The payload downloads the Bun JavaScript runtime directly from GitHub, then launches a heavily obfuscated JavaScript stealer named _index.js. Before exfiltration, the malware performs a locale check and halts on Russian-language systems, a common evasion technique used by Russian-speaking threat actors to avoid local scrutiny.
The stealer aggressively harvests developer and CI/CD secrets, targeting GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, and Kubernetes credentials. It also scrapes Docker configurations, Vault tokens, SSH keys, shell history files, .env files, .npmrc files, .pypirc files, and Claude/MCP configurations from infected machines. Exfiltrated data is pushed to attacker-controlled GitHub repositories tagged with the markers "Hades - The End for the Damned" or "Hades * The End for the Damned," a clear evolution of the previous "Miasma" repository descriptions used in earlier Shai-Hulud iterations.
Security teams are urged to audit PyPI dependencies immediately, rotate any potentially exposed secrets, and review GitHub audit logs for unauthorized repository creation. Developers who installed the listed package versions should treat their environments as fully compromised and rebuild from clean sources. To assess whether your credentials have been exposed in similar supply chain incidents, run them through the email breach checker and verify password hygiene with the password checker. For a broader review of exposed developer data, the privacy checkup can help identify leaked configuration files and tokens before attackers do.
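As an added, defender-side audit example (not code from Socket's report or from any of the affected projects), the script below checks a Python environment for the two indicators described above: installed distributions whose names are on the 19-package list, and .pth files in site-packages that carry executable import lines, the startup mechanism the campaign abuses. The package names are taken from the article; the affected version numbers are not given there, so any installed version of a listed package is flagged for review. The directories scanned default to the running interpreter's site-packages, and the sample .pth content in the comments is constructed.

```python
# Added audit helper (not from the Socket write-up or any affected project).
# Assumptions: package names come from the article; version numbers are not
# given there, so any installed version of a listed package is flagged for
# manual review. Scanned directories default to this interpreter's site-packages.
import re
import site
from importlib import metadata
from pathlib import Path

# The 19 package names reported as compromised in the Hades campaign.
HADES_PACKAGES = frozenset({
    "bramin", "cmd2func", "coolbox", "dynamo-release", "executor-engine",
    "executor-http", "funcdesc", "magique", "magique-ai", "mrbios",
    "napari-ufish", "nucbox", "okite", "pantheon-agents", "pantheon-toolsets",
    "spateo-release", "synago", "ufish", "uprobe",
})


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def installed_distributions():
    """Yield (name, version) for every distribution importlib.metadata can see."""
    for dist in metadata.distributions():
        name = dist.metadata["Name"]
        if name:
            yield name, dist.version


def find_compromised_distributions(installed=None):
    """Return sorted (name, version) pairs whose normalized name is on the Hades list.

    `installed` is an iterable of (name, version) pairs; it defaults to what is
    installed in the current interpreter.
    """
    if installed is None:
        installed = installed_distributions()
    return sorted((n, v) for n, v in installed if normalize(n) in HADES_PACKAGES)


def pth_executable_lines(text: str) -> list:
    """Return the lines of a .pth file that site.py would exec() at startup.

    site.addpackage() executes a line only when it starts with 'import ' or
    'import\\t'; '#' comments and blank lines are skipped and every other line
    is treated as a path entry. Mirroring that rule exactly avoids both
    missing a payload and flagging ordinary path lines.
    Constructed example: "# c\\n/opt/lib\\nimport os; print('ran')\\n" yields
    ["import os; print('ran')"].
    """
    return [line for line in text.splitlines()
            if line.startswith(("import ", "import\t"))]


def scan_pth_files(dirs=None):
    """Return (path, executable_lines, looks_like_hades) for .pth files with code.

    looks_like_hades is True when the file name matches the '*-setup.pth'
    pattern the campaign used. Legitimate tooling also ships import-bearing
    .pth files (setuptools' distutils-precedence.pth, virtualenv's
    _virtualenv.pth), so every hit needs a human look rather than blind deletion.
    """
    if dirs is None:
        dirs = site.getsitepackages() + [site.getusersitepackages()]
    findings = []
    for d in dirs:
        directory = Path(d)
        if not directory.is_dir():
            continue
        for pth in sorted(directory.glob("*.pth")):
            try:
                lines = pth_executable_lines(pth.read_text(errors="replace"))
            except OSError:
                continue  # unreadable file: skip it rather than abort the audit
            if lines:
                findings.append((str(pth), lines, pth.name.endswith("-setup.pth")))
    return findings


if __name__ == "__main__":
    for name, version in find_compromised_distributions():
        print(f"[PACKAGE] {name}=={version} is on the Hades list; rotate secrets and rebuild")
    for path, lines, suspicious in scan_pth_files():
        tag = "SUSPICIOUS" if suspicious else "review"
        print(f"[PTH:{tag}] {path}")
        for line in lines:
            print(f"    {line}")
```

Run it inside each environment that pulled dependencies during the affected window (developer machines, CI runners, container images). A listed package at any version, or a `*-setup.pth` with an `import` line, should be treated as the full-compromise case the article describes; import-bearing .pth files from known tooling are the expected false positives and can be reviewed against the package that owns them.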