Hades PyPI Campaign Poisons 19 Packages With Bun-Powered Credential Stealer
A new supply chain attack called Hades has poisoned 19 PyPI packages with 37 malicious wheel artifacts, using Python startup hooks to auto-execute a Bun-powered credential stealer targeting developer secrets.
Attackers have poisoned 19 packages on the Python Package Index (PyPI) with 37 malicious wheel artifacts in a campaign called Hades, according to analyses published June 9, 2026 by Socket and StepSecurity. The campaign is the latest branch of the Miasma supply chain lineage, which previously targeted npm ecosystems.
The malicious packages include bramin, cmd2func, coolbox, dynamo-release, executor-engine, executor-http, funcdesc, magique, magique-ai, mrbios, napari-ufish, nucbox, okite, pantheon-agents, pantheon-toolsets, spateo-release, synago, ufish, and uprobe. Each package had one or two compromised versions, all uploaded as wheel files.
Auto-Execution via Python Startup Hooks
The Hades campaign uses a *-setup.pth file that Python's site module processes automatically during interpreter startup. This means the malicious payload executes immediately after installation, without requiring the victim to import the poisoned package. Socket described this as the Python equivalent of the npm install-hook problem exploited by earlier Shai-Hulud and Miasma attacks.
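Python's site module executes any line of a .pth file that begins with "import " (or "import" followed by a tab); every other non-comment line is treated as a path to append to sys.path. The following auditor, added here as an illustration and not code from Socket, StepSecurity or the campaign, scans site-packages for .pth files that carry executable lines, which is the startup-hook mechanism described above. The sample .pth content is constructed; the function and file names are the author's own.

```python
import sysconfig
from pathlib import Path

# The site module runs every non-comment line starting with "import " or
# "import\t" at interpreter startup, so a single such line in a .pth file is
# enough to execute code before the package is ever imported.

def executable_pth_lines(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line site.py would exec()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue                        # site skips blanks and comments
        if line.startswith(("import ", "import\t")):
            hits.append((lineno, line))     # executed at every startup
    return hits                             # anything else is a sys.path entry

def audit_pth_files(directories) -> dict[str, list[tuple[int, str]]]:
    """Scan directories for .pth files and report those carrying code."""
    findings = {}
    for d in directories:
        for pth in Path(d).glob("*.pth"):
            try:
                text = pth.read_text(encoding="utf-8", errors="replace")
            except OSError:
                continue                    # unreadable file: skip, not fatal
            hits = executable_pth_lines(text)
            if hits:
                findings[str(pth)] = hits
    return findings

# Constructed sample (hypothetical, not the campaign's real file): one normal
# path entry followed by one line the interpreter would execute on startup.
SAMPLE_PTH = """# normal path entry
/opt/venv/lib/python3.12/site-packages/some_pkg
import sys; sys.stderr.write("startup hook ran")
"""

if __name__ == "__main__":
    paths = sysconfig.get_paths()
    site_dirs = {paths["purelib"], paths["platlib"]}
    for path, hits in audit_pth_files(site_dirs).items():
        for lineno, line in hits:
            print(f"{path}:{lineno}: {line}")
```

Legitimate .pth files with import lines exist (setuptools' distutils-precedence.pth and some editable installs), so treat hits as triage input: review the imported module and whether the file name matches the installed package, rather than as an automatic verdict.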
The payload downloads the Bun JavaScript runtime from GitHub, then runs an obfuscated JavaScript file named _index.js. The stealer harvests credentials from a wide range of services:
- GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, and Anthropic
- AWS, GCP, Azure, and Kubernetes configurations
- Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, and Claude/MCP configurations
Before executing, the malware checks whether the system uses a Russian locale. If it does, the payload stops, suggesting the attackers are avoiding targeting Russian systems.
AI Defense Evasion and Lateral Spread
The Hades campaign introduces a novel technique to evade AI-powered security scanners. The malware embeds a plain-text prompt injection that attempts to trick large language model (LLM) based analysis tools into classifying the package as safe. It also queries GitHub commits for the keyword "TheBeautifulSnadsOfTime" to extract a Base64-encoded JavaScript payload, and polls for commits matching "firedalazer" to fetch a Python-based dropper.
StepSecurity noted that using Bun as a standalone ZIP file allows the malware to run complex JavaScript tasks in environments lacking Node.js, bypassing traditional package manager controls and network proxy logs. The malware can replicate laterally across developer networks via SSH or SCP, push trojanized versions of PyPI packages from compromised systems by exploiting OpenID Connect (OIDC) trust configurations, and target GitHub repositories to extract organization secrets using GitHub Actions runners if the harvested token has write permissions.
A separate cluster of packages related to computational biology and bioinformatics was also compromised, including embiggen, ensmallen, gpsea, mflux-streamlit, nhmpy, ppkt2synergy, and pyphetools. This cluster uses a different entry point, embedding the malicious code inside the package's __init__.py file as an obfuscated single-line import hook, but achieves the same outcome.
Socket said the campaign marker has changed from previous Miasma iterations. While earlier campaigns exfiltrated data to a public GitHub repository with descriptions like "Miasma: The Spreading Blight," the Hades wave uses repository descriptions such as "Hades - The End for the Damned." The core playbook remains the same: abuse trusted package channels, execute before normal package use, stage a Bun-powered JavaScript payload, steal developer and CI/CD credentials, and use GitHub-centric exfiltration and propagation logic.
Fact check
- The Hades campaign involved 37 malicious wheel artifacts across 19 packages on PyPI. (verified)
- The malicious payload uses a *-setup.pth file that executes automatically during Python startup. (verified)
- The malware checks for Russian locale before executing. (verified)
- The Hades campaign uses a plain-text prompt injection to evade AI security scanners. (verified)
- A separate cluster of packages related to computational biology was also compromised. (verified)