{
    "@context": "https://schema.org",
    "@type": "NewsArticle",
    "@id": "https://hostdir.net/blog/hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer",
    "headline": "Hades PyPI Campaign Poisons 19 Packages With Bun-Powered Credential Stealer",
    "alternativeHeadline": "Attackers deploy 37 malicious wheel artifacts, using Python startup hooks to auto-execute a JavaScript credential stealer via the Bun runtime.",
    "url": "https://hostdir.net/blog/hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer",
    "datePublished": "2026-06-12T23:14:00+00:00",
    "dateModified": "2026-06-12T23:50:31+00:00",
    "author": {
        "@type": "Organization",
        "name": "HostDir News Desk",
        "url": "https://hostdir.net"
    },
    "publisher": {
        "@type": "Organization",
        "name": "HostDir",
        "url": "https://hostdir.net",
        "logo": {
            "@type": "ImageObject",
            "url": "https://hostdir.net/assets/logo.svg"
        }
    },
    "image": "https://hostdir.net/uploads/news/12e001462d015e55.webp",
    "description": "A new supply chain attack called Hades has poisoned 19 PyPI packages with 37 malicious wheel artifacts, using Python startup hooks to auto-execute a Bun-powered credential stealer targeting developer secrets.",
    "articleSection": "Security",
    "articleBody": "Attackers have poisoned 19 packages on the Python Package Index (PyPI) with 37 malicious wheel artifacts in a campaign called Hades, according to analyses published June 9, 2026 by Socket and StepSecurity. The campaign is the latest branch of the Miasma supply chain lineage, which previously targeted npm ecosystems.\n\nThe malicious packages include bramin, cmd2func, coolbox, dynamo-release, executor-engine, executor-http, funcdesc, magique, magique-ai, mrbios, napari-ufish, nucbox, okite, pantheon-agents, pantheon-toolsets, spateo-release, synago, ufish, and uprobe. Each package had one or two compromised versions, all uploaded as wheel files.\n\nAuto-Execution via Python Startup Hooks\n\nThe Hades campaign uses a *-setup.pth file that Python's site module processes automatically during interpreter startup. This means the malicious payload executes immediately after installation, without requiring the victim to import the poisoned package. Socket described this as the Python equivalent of the npm install-hook problem exploited by earlier Shai-Hulud and Miasma attacks.\n\nThe payload downloads the Bun JavaScript runtime from GitHub, then runs an obfuscated JavaScript file named _index.js. The stealer harvests credentials from a wide range of services:\n\n- GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, and Anthropic\n- AWS, GCP, Azure, and Kubernetes configurations\n- Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, and Claude/MCP configurations\n\nBefore executing, the malware checks whether the system uses a Russian locale. If it does, the payload stops, suggesting the attackers are avoiding targeting Russian systems.\n\nAI Defense Evasion and Lateral Spread\n\nThe Hades campaign introduces a novel technique to evade AI-powered security scanners. The malware embeds a plain-text prompt injection that attempts to trick large language model (LLM) based analysis tools into classifying the package as safe. It also queries GitHub commits for the keyword \"TheBeautifulSnadsOfTime\" to extract a Base64-encoded JavaScript payload, and polls for commits matching \"firedalazer\" to fetch a Python-based dropper.\n\nStepSecurity noted that using Bun as a standalone ZIP file allows the malware to run complex JavaScript tasks in environments lacking Node.js, bypassing traditional package manager controls and network proxy logs. The malware can replicate laterally across developer networks via SSH or SCP, push trojanized versions of PyPI packages from compromised systems by exploiting OpenID Connect (OIDC) trust configurations, and target GitHub repositories to extract organization secrets using GitHub Actions runners if the harvested token has write permissions.\n\nA separate cluster of packages related to computational biology and bioinformatics was also compromised, including embiggen, ensmallen, gpsea, mflux-streamlit, nhmpy, ppkt2synergy, and pyphetools. This cluster uses a different entry point, embedding the malicious code inside the package's __init__.py file as an obfuscated single-line import hook, but achieves the same outcome.\n\nSocket said the campaign marker has changed from previous Miasma iterations. While earlier campaigns exfiltrated data to a public GitHub repository with descriptions like \"Miasma: The Spreading Blight,\" the Hades wave uses repository descriptions such as \"Hades - The End for the Damned.\" The core playbook remains the same: abuse trusted package channels, execute before normal package use, stage a Bun-powered JavaScript payload, steal developer and CI/CD credentials, and use GitHub-centric exfiltration and propagation logic.",
    "mainEntityOfPage": "https://hostdir.net/blog/hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer",
    "citation": [
        {
            "@type": "CreativeWork",
            "name": "Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer",
            "url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html"
        },
        {
            "@type": "CreativeWork",
            "name": "'Hades' Campaign Against PyPI Puts New Spin on Shai-Hulud",
            "url": "https://www.darkreading.com/application-security/hades-campaign-pypi-shai-hulud"
        }
    ],
    "_hostdir": {
        "kind": "news-article",
        "slug": "hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer",
        "canonical": "https://hostdir.net/blog/hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer",
        "category": "security",
        "sources": [
            {
                "url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "title": "Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer",
                "source_name": "The Hacker News",
                "source_slug": "hacker-news"
            },
            {
                "url": "https://www.darkreading.com/application-security/hades-campaign-pypi-shai-hulud",
                "title": "'Hades' Campaign Against PyPI Puts New Spin on Shai-Hulud",
                "source_name": "Dark Reading",
                "source_slug": "darkreading"
            }
        ],
        "fact_checks": [
            {
                "claim": "The Hades campaign involved 37 malicious wheel artifacts across 19 packages on PyPI.",
                "source_url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "verdict": "verified"
            },
            {
                "claim": "The malicious payload uses a *-setup.pth file that executes automatically during Python startup.",
                "source_url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "verdict": "verified"
            },
            {
                "claim": "The malware checks for Russian locale before executing.",
                "source_url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "verdict": "verified"
            },
            {
                "claim": "The Hades campaign uses a plain-text prompt injection to evade AI security scanners.",
                "source_url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "verdict": "verified"
            },
            {
                "claim": "A separate cluster of packages related to computational biology was also compromised.",
                "source_url": "https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html",
                "verdict": "verified"
            }
        ],
        "internal_links": [
            {
                "anchor": "pantheon",
                "target_url": "/providers/pantheon",
                "target_kind": "provider"
            },
            {
                "anchor": "http",
                "target_url": "/providers/http",
                "target_kind": "provider"
            }
        ],
        "attribution": "HostDir News Desk — https://hostdir.net/blog/hades-pypi-campaign-poisons-19-packages-with-bun-powered-credential-stealer"
    }
}