A coordinated supply chain attack targeting PyPI has compromised 26 packages (37 malicious wheel files) across bioinformatics, graph ML, deep-learning, and developer tooling ecosystems. Dubbed the “Hades Campaign” and attributed to the Miasma/Shai-Hulud threat lineage, the attack exploits a legitimate Python feature to execute malicious code at interpreter startup, aggressively harvesting cloud credentials and exfiltrating tokens from compromised environments. Due to the breadth of affected packages and the severity of credential exposure, immediate package removal and credential rotation are required.

About the Vulnerability: Hades Campaign

The attack leverages Python .pth files. At interpreter startup, site.py processes every .pth file in site-packages and executes any line that begins with an import statement, so code placed there runs before any user script and without the package ever being imported. Compromised package releases ship a *-setup.pth file containing an obfuscated import hook. When Python starts, the hook downloads the Bun JavaScript runtime (v1.3.13/v1.3.14) from GitHub and executes an obfuscated _index.js payload containing 16 encrypted functional components. This cross-runtime approach means the malware operates independently of Node.js availability, expanding its reach to any Python environment.
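Because the executed lines are the only ones that begin with "import", a defender can audit a site-packages directory for exactly those lines. The scanner below is an added example, not code from the advisory or from Orca: it lists every import line in each .pth file, flags the ones that look like an obfuscated hook (dynamic execution or encoding primitives, unusually long lines, or the *-setup.pth name the campaign uses), and ships with two constructed sample files for a self-contained run. The token list and length threshold are assumptions of this example, not indicators from the advisory.

```python
"""Audit .pth files for import lines that run at interpreter startup.

Added example, not Orca's or the advisory's own code. site.py executes any
.pth line that starts with 'import '; every other line is a plain path entry.
"""
import site
import tempfile
from pathlib import Path

# Heuristics for a hook rather than a plain path shim. The tokens and the
# length threshold are assumptions for this example.
SUSPICIOUS_TOKENS = ("exec(", "eval(", "compile(", "__import__", "base64",
                     "zlib", "marshal", "subprocess", "urllib", "socket")
LONG_LINE = 200


def scan_pth_file(path: Path) -> list:
    """Return one finding per executed (import-prefixed) line in a .pth file."""
    findings = []
    text = path.read_text(errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        # site.py only executes lines starting with 'import ' or 'import\t'
        if not line.startswith(("import ", "import\t")):
            continue
        reasons = [tok for tok in SUSPICIOUS_TOKENS if tok in line]
        if len(line) > LONG_LINE:
            reasons.append(f"import line is {len(line)} characters long")
        if path.name.endswith("-setup.pth"):
            reasons.append("'-setup.pth' file name used by the Hades campaign")
        findings.append({"file": path.name, "line": lineno,
                         "suspicious": bool(reasons), "reasons": reasons,
                         "text": line[:120]})
    return findings


def scan_directories(dirs) -> list:
    """Scan every *.pth file under the given directories, sorted by file name."""
    results = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            results.extend(scan_pth_file(pth))
    return results


def scan_interpreter() -> list:
    """Scan the running interpreter's site-packages and user site directory."""
    return scan_directories(site.getsitepackages() + [site.getusersitepackages()])


def demo() -> dict:
    """Run the scanner over two constructed .pth files in a temp directory."""
    d = Path(tempfile.mkdtemp())
    # Constructed benign file: a path entry plus the kind of sys.path shim
    # that legitimate packages install.
    (d / "extra-paths.pth").write_text(
        "/opt/vendor/lib\nimport sys; sys.path.append('/opt/vendor/plugins')\n")
    # Constructed stand-in for a hook (the blob decodes to 'import os').
    # The file is only read by the scanner, never executed.
    (d / "demo-setup.pth").write_text(
        "import base64,sys;exec(base64.b64decode('aW1wb3J0IG9z'))\n")
    return {f["file"]: f for f in scan_directories([d])}


if __name__ == "__main__":
    for finding in scan_interpreter():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['file']}:{finding['line']} {finding['text']}")
```

Running the script without arguments audits the current interpreter; in a CI image, run it once per virtual environment, since each has its own site-packages. A flagged line is a lead, not a verdict: some legitimate tools install import shims, so compare the file against the wheel's RECORD before deciding.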

Once active, the malware performs aggressive credential harvesting across multiple vectors. It scrapes process memory on Linux (via /proc/{pid}/mem), macOS (via Mach kernel APIs), and Windows (via ReadProcessMemory). Targeted secrets include AWS, GCP, and Azure authentication tokens, Kubernetes secrets, GitHub personal access and Actions tokens, PyPI/npm/RubyGems publishing credentials, SSH keys, Docker registry configurations, .env files, shell histories, and AI assistant configurations across 14 systems.

The following packages are affected:

Bioinformatics / Graph ML cluster (identified by StepSecurity):

  • ensmallen (0.8.101)
  • mflux-streamlit (0.0.3, 0.0.4)
  • nhmpy (2.4.7)
  • ppkt2synergy (0.1.1)
  • embiggen (0.11.97)
  • gpsea (0.9.14)
  • pyphetools (0.9.120)

Developer tooling / broader PyPI cluster (identified by Socket.dev):

  • bramin (0.0.2–0.0.4)
  • cmd2func (0.2.2–0.2.3)
  • coolbox (0.4.1–0.4.2)
  • dynamo-release (1.5.4)
  • executor-engine (0.3.4–0.3.5)
  • executor-http (0.1.3–0.1.4)
  • funcdesc (0.2.2–0.2.3)
  • magique (0.6.8–0.6.9)
  • magique-ai (0.4.4–0.4.5)
  • mrbios (0.1.1–0.1.2)
  • napari-ufish (0.0.2–0.0.3)
  • nucbox (0.1.2–0.1.3)
  • okite (0.0.7–0.0.8)
  • pantheon-agents (0.6.1–0.6.2)
  • pantheon-toolsets (0.5.5–0.5.6)
  • spateo-release (1.1.2)
  • synago (0.1.1–0.1.2)
  • ufish (0.1.2–0.1.3)
  • uprobe (0.1.3–0.1.4)

Risk Impact

At the time of writing, the malicious packages have been reported to PyPI and active exploitation is ongoing. The Hades Campaign represents a significant escalation from the earlier Mini Shai-Hulud campaign (May 2026, affecting TanStack, Mistral AI, UiPath, and 160+ packages), featuring more sophisticated evasion, persistence, and propagation mechanisms.

The campaign introduces several notable techniques. Stolen GitHub tokens and publishing credentials enable the malware to propagate to additional packages, creating worm-like self-spreading behavior. A “gh-token-monitor” persistence daemon threatens destructive actions if stolen tokens are revoked, a novel extortion mechanism designed to discourage immediate credential rotation. The payload also contains prompt-injection text aimed at tricking LLM-based security analyzers into classifying it as benign, and it sends decoy traffic to Anthropic AI servers to confuse network-level analysis.

Stolen data is gzip-compressed, encrypted with AES-256-GCM with the AES key wrapped using RSA-2048 (hybrid encryption), and exfiltrated to attacker-controlled public GitHub repositories bearing descriptions such as “Hades – The End for the Damned.” The repositories follow the naming patterns stygian-cerberus-* and tartarean-charon-*.

Mitigation Recommendations

Organizations should immediately remove the affected package versions, or pin to versions outside the affected ranges, and upgrade to the latest clean releases where available. All credentials accessible from affected environments must be rotated, prioritizing:

  • GitHub tokens and package registry publishing credentials (PyPI, npm, RubyGems)
  • Cloud provider authentication tokens (AWS, GCP, Azure, Kubernetes)
  • SSH keys and Docker registry credentials

Persistence artifacts should be hunted across all potentially affected systems:

  • Linux: ~/.config/systemd/user/update-monitor.service and ~/.config/systemd/user/gh-token-monitor.service
  • macOS: ~/Library/LaunchAgents/com.user.gh-token-monitor.plist
  • Lock files indicating compromise: /tmp/.bun_ran and /tmp/tmp.0144018410.lock

Affected environments, including developer workstations and CI runners, should be rebuilt where possible. GitHub repositories should be audited for unauthorized commits, workflow modifications, or new repositories matching the attacker naming patterns (stygian-cerberus-*, tartarean-charon-*). Despite the wiper threat tied to stolen tokens by the gh-token-monitor daemon, credential rotation should not be delayed; instead, isolate the affected system first, then rotate.
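The first two steps above (find affected versions, hunt the persistence artifacts) are mechanical enough to script. The check below is an added example, not Orca's or the reporting vendors' code: it compares the packages installed in the running interpreter against the advisory's list and tests for the listed persistence paths on the host. The package names, versions and artifact paths are taken from the advisory as given; treating each "a–b" range as inclusive of both ends, and comparing versions as dotted integers (so a post-release of a listed version is flagged conservatively), are assumptions of this example.

```python
"""Hades campaign exposure check: installed package versions and persistence
artifacts. Added example, not Orca's or the reporting vendors' code."""
import re
from importlib.metadata import distributions
from pathlib import Path

# (low, high) inclusive ranges from the advisory; a single release is a range
# of one version. Inclusive-range handling is an assumption of this example.
AFFECTED = {
    "ensmallen": [("0.8.101", "0.8.101")],
    "mflux-streamlit": [("0.0.3", "0.0.3"), ("0.0.4", "0.0.4")],
    "nhmpy": [("2.4.7", "2.4.7")],
    "ppkt2synergy": [("0.1.1", "0.1.1")],
    "embiggen": [("0.11.97", "0.11.97")],
    "gpsea": [("0.9.14", "0.9.14")],
    "pyphetools": [("0.9.120", "0.9.120")],
    "bramin": [("0.0.2", "0.0.4")],
    "cmd2func": [("0.2.2", "0.2.3")],
    "coolbox": [("0.4.1", "0.4.2")],
    "dynamo-release": [("1.5.4", "1.5.4")],
    "executor-engine": [("0.3.4", "0.3.5")],
    "executor-http": [("0.1.3", "0.1.4")],
    "funcdesc": [("0.2.2", "0.2.3")],
    "magique": [("0.6.8", "0.6.9")],
    "magique-ai": [("0.4.4", "0.4.5")],
    "mrbios": [("0.1.1", "0.1.2")],
    "napari-ufish": [("0.0.2", "0.0.3")],
    "nucbox": [("0.1.2", "0.1.3")],
    "okite": [("0.0.7", "0.0.8")],
    "pantheon-agents": [("0.6.1", "0.6.2")],
    "pantheon-toolsets": [("0.5.5", "0.5.6")],
    "spateo-release": [("1.1.2", "1.1.2")],
    "synago": [("0.1.1", "0.1.2")],
    "ufish": [("0.1.2", "0.1.3")],
    "uprobe": [("0.1.3", "0.1.4")],
}

# Persistence and lock-file paths listed in the advisory.
PERSISTENCE_ARTIFACTS = [
    "~/.config/systemd/user/update-monitor.service",
    "~/.config/systemd/user/gh-token-monitor.service",
    "~/Library/LaunchAgents/com.user.gh-token-monitor.plist",
    "/tmp/.bun_ran",
    "/tmp/tmp.0144018410.lock",
]


def normalize(name: str) -> str:
    """PEP 503 style normalisation so 'Mflux_Streamlit' matches the list."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(v: str) -> tuple:
    """Leading numeric components only: '1.5.4.post1' compares as (1, 5, 4),
    so a post-release of a listed version is flagged conservatively."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(name: str, version: str) -> bool:
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED.get(normalize(name), []))


def scan_installed() -> list:
    """Affected (name, version) pairs among the running interpreter's packages."""
    hits = []
    for dist in distributions():
        name = dist.metadata["Name"]
        if name and is_affected(name, dist.version):
            hits.append((name, dist.version))
    return sorted(hits)


def find_artifacts(paths=PERSISTENCE_ARTIFACTS) -> list:
    """Persistence files from the advisory that exist on this host."""
    return [p for p in paths if Path(p).expanduser().exists()]


if __name__ == "__main__":
    for name, version in scan_installed():
        print(f"AFFECTED  {name}=={version}")
    for p in find_artifacts():
        print(f"ARTIFACT  {p}")
```

Run it once per interpreter or virtual environment on each workstation and CI runner; an empty report for the package list does not clear a host on which an artifact path exists, since the persistence daemon outlives the package that installed it.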

How Can Orca Help?

Orca enables customers to quickly identify assets running affected package versions across their cloud environments. Orca’s agentless SideScanning detects vulnerable and malicious packages in customer workloads without deploying agents, providing immediate visibility into exposure. Orca’s Cloud Detection and Response (CDR) capabilities surface anomalous credential access patterns and unauthorized GitHub activity that may indicate compromise from this campaign. Security teams can prioritize remediation based on real risk, including internet accessibility, runtime reachability, and asset criticality, rather than reacting to package lists alone. Orca’s platform highlights affected assets directly in the alert view, helping teams focus on the most critical remediation paths first.