Executive Summary
The Hades PyPI Attack represents a critical escalation in software supply chain threats, targeting the Python ecosystem by poisoning 19 widely used packages on the Python Package Index (PyPI). This campaign, attributed to the evolution of the Mini Shai-Hulud/Miasma lineage, leverages the Bun JavaScript runtime to deploy a highly evasive credential stealer. The attack is engineered to compromise developer workstations, CI/CD pipelines, and cloud infrastructure by harvesting sensitive credentials and secrets, enabling lateral movement and further propagation. The campaign demonstrates advanced persistence, anti-analysis, and propagation techniques, and has been observed actively exploiting organizations in the wild. Immediate and comprehensive mitigation is essential for any entity that may have installed the affected packages.
Threat Actor Profile
The threat actors behind the Hades PyPI Attack exhibit hallmarks of advanced persistent threat (APT) groups specializing in supply chain compromise. While there is no direct attribution to a specific nation-state or criminal syndicate, the tactics, techniques, and procedures (TTPs) align closely with those observed in the Mini Shai-Hulud/Miasma campaigns. The actors demonstrate deep familiarity with Python packaging internals, CI/CD environments, and modern developer workflows. Notably, the malware is programmed to avoid execution on systems with Russian locale settings, suggesting either a Russian-speaking origin or a deliberate attempt to avoid scrutiny from Russian authorities. The campaign’s sophistication is further evidenced by its use of prompt injection to evade AI-based security scanners and its targeting of AI/ML and bioinformatics sectors, indicating a strategic focus on high-value intellectual property and cloud infrastructure.
Technical Analysis of Malware/TTPs
The attack vector begins with the publication of 19 malicious packages (across 37 wheels) to PyPI, masquerading as legitimate or typo-squatted libraries. Upon installation, these packages deploy a *-setup.pth file or inject obfuscated code into the __init__.py module. This code is executed automatically on Python interpreter startup, regardless of whether the package is explicitly imported, exploiting Python’s site customization mechanism.
The initial payload downloads the Bun JavaScript runtime from GitHub, then executes an obfuscated JavaScript stealer (_index.js). This stealer is engineered to harvest a comprehensive array of secrets, including but not limited to GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, Kubernetes, Docker configurations, Vault tokens, SSH keys, shell histories, .env, .npmrc, .pypirc, and Claude/MCP configuration files. The malware also scrapes process memory on Linux, macOS, and Windows to extract ephemeral secrets from CI/CD runners.
Exfiltration is performed via outbound connections to attacker-controlled GitHub repositories, notably those with thematic names such as "Hades - The End for the Damned." The malware also queries GitHub for specific commit keywords ("TheBeautifulSnadsOfTime", "firedalazer") to fetch additional payloads, enabling dynamic updates and modular expansion.
Persistence is achieved by installing a background service named gh-token-monitor, which monitors for revoked tokens and can act as a wiper. The malware employs prompt injection techniques to mislead large language model (LLM)-based security scanners, and it is capable of backdooring AI assistants and IDEs, including Anthropic Claude, OpenAI Codex, Google Gemini, and Microsoft Copilot. Lateral movement is facilitated via SSH/SCP using harvested credentials, and the malware can propagate by uploading further trojanized packages using compromised OIDC trust relationships.
Exploitation in the Wild
Active exploitation of the Hades PyPI Attack has been confirmed, with multiple organizations reporting credential theft, unauthorized access to cloud resources, and lateral movement within developer and CI/CD environments. The attack has been observed propagating through compromised developer workstations, with attackers leveraging stolen credentials to publish additional malicious packages and access sensitive repositories. GitHub Actions runners have been specifically targeted, enabling the theft of organization-wide secrets and facilitating further supply chain compromise. The campaign has also targeted the bioinformatics and AI/ML sectors, indicating a focus on environments rich in proprietary data and cloud infrastructure.
Victimology and Targeting
The primary victims of the Hades PyPI Attack are organizations and individuals operating in software development, DevOps, CI/CD, AI/ML, and bioinformatics. The attack does not appear to discriminate by geography, although the malware is programmed to avoid Russian locale systems. The targeting of packages commonly used in computational biology and AI/ML pipelines suggests an intent to compromise environments with access to sensitive intellectual property, research data, and cloud credentials. The campaign’s propagation mechanisms enable rapid lateral movement across organizational boundaries, increasing the risk of widespread compromise.
Mitigation and Countermeasures
Organizations must immediately audit their Python environments for the presence of the listed malicious packages and remove them without delay. It is critical to search for *-setup.pth files and unknown import hooks in __init__.py modules within site-packages directories, as these are indicative of compromise. Outbound connections to GitHub, especially those involving the download of the Bun runtime or exfiltration to suspicious repositories, should be closely monitored and blocked where possible.
All credentials, including those for GitHub, cloud providers, CI/CD systems, and SSH, must be rotated if any affected package was installed. Background services such as gh-token-monitor should be identified and terminated. Logs from GitHub Actions runners and other CI/CD systems should be reviewed for evidence of suspicious memory access or token exfiltration. Organizations should also monitor for the use of the keywords "TheBeautifulSnadsOfTime" and "firedalazer" in GitHub commit queries, as these are used by the malware to fetch additional payloads.
To enhance supply chain security, organizations are advised to implement tools such as StepSecurity Harden-Runner, Snyk, and Socket to block known-bad packages and monitor for anomalous activity. Enforcing cooldown periods for new package versions in CI/CD pipelines can reduce the risk of zero-day supply chain attacks. Finally, organizations should educate developers and DevOps personnel on the risks of supply chain compromise and encourage the use of trusted, vetted packages only.
References
The following sources provide additional technical details and ongoing updates regarding the Hades PyPI Attack:
The Hacker News: Hades PyPI Attack
StepSecurity: Technical Analysis
Dark Reading: Hades Campaign
Orca Security: Hades PyPI Supply Chain Attack
Snyk: Lightning PyPI Compromise
MITRE ATT&CK: Supply Chain Compromise
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats, ensuring the resilience of your digital ecosystem. For more information about how Rescana can help secure your organization’s supply chain, or for assistance with incident response, we are happy to answer questions at ops@rescana.com.
