Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, attackers embraced a “Hades” naming convention as they continue to plague the open source developer ecosystem.

New research from Socket detailed a fresh wave of attacks featuring a variant of the Shai-Hulud worm, which has targeted npm and PyPI code packages since last September. The latest campaign compromised 37 malicious PyPI wheels across 19 packages, according to a blog post by the Socket Research Team published Sunday.

“At the time of writing, PyPI had already quarantined a number of the affected releases; we reported the remaining ones to the PyPI security team,” the blog post read.

Trademarks of Shai-Hulud Attacks

Shai-Hulud is a self-propagating, info-stealing malware that infects software components, uses the access to publish poisoned versions, and then harvests the repository accounts of those affected by the malware downstream.


Socket quickly identified the tradecraft of the latest Mini Shai-Hulud infections as “unmistakably Shai-hulud/Miasma” — the latter term referring to a recent wave of infections targeting npm packages associated with Red Hat Cloud Services in which researchers identified dozens of the packages carrying a variant of the worm called Miasma.

The latest infections demonstrated a clear link to Shai-Hulud mainly because of the attack chain’s cross-runtime design: it relies on installing Bun, a JavaScript runtime, to run a heavily obfuscated JavaScript stealer as the payload.

Indeed, Shai-Hulud-style payloads do not assume Node.js, Python, or another local runtime will be available. Instead, they use Bun as the execution engine. “That behavior has shown up even in npm compromises, where Node.js would otherwise be the expected runtime,” according to the post. The PyPI wave abuses Python .pth startup behavior to launch a Bun-powered JavaScript credential stealer targeting developer, cloud, package-publishing, and CI/CD secrets.

A Descent Into Hades

The most recent Mini Shai-Hulud payload has new features that demonstrate some changes to the campaign as it continues to evolve. One is the introduction of Hades-themed GitHub exfiltration markers, including the repository description “Hades – The End for the Damned,” Philipp Burckhardt, Socket’s head of threat intelligence, tells Dark Reading. Attackers also play with the mythical underworld theme in repository component names, which include stygian, tartarean, cerberus, charon, styx, lethe, thanatos, and persephone, Socket discovered.


Another new aspect of the campaign is the focus on abuse via .pth startup files, “which is a distinct execution mechanism compared to the npm lifecycle script abuse seen previously,” Burckhardt says. This tactic is less commonly seen than lifecycle-script abuse and is evidence that “the campaign continues to show high adaptability across ecosystems,” he tells Dark Reading.

A legitimate Python startup feature, .pth files were designed to add paths to sys.path and support import hooks. But Python explicitly supports executable lines beginning with import that run at every Python startup, whether or not the corresponding package is imported, according to Socket. Essentially, each compromised wheel transforms a passive dependency into a delayed execution trigger.

“This is the Python equivalent of the npm install-hook problem that Shai-Hulud and Miasma repeatedly exploit,” the Socket team wrote in the post. “The syntax is different, but the security consequence is the same: dependency installation creates an execution edge before application code is reviewed or invoked.”

Auditing Is the Best Shai-Hulud Defense

Shai-Hulud has been a persistent pest to open source development since its first appearance, and each time it demonstrates that the cybercriminals behind the various attacks continue to evolve the malware. The worm appeared with new wiper capability in November and added the ability to steal credentials and secrets from accounts on major cloud providers in December. 


Later, the worm evolved with the Mini Shai-Hulud variant in April, adding more advanced and aggressive techniques that not only steal developer credentials and allow it to replicate, but also can hijack trusted publishing paths and execute malicious payloads during installation.

It’s unclear who is behind the Shai-Hulud attacks, and the Socket research team did not attribute the Hades wave to a specific actor or group. Some cybersecurity vendors attributed previous Mini Shai-Hulud attacks to TeamPCP, a financially motivated threat actor that formally emerged in late 2025 by exploiting the React2Shell vulnerability as well as targeting misconfigured Docker APIs and Next.js. 

For organizations that may have installed any of the Shai-Hulud-infected PyPI packages, the best defense is to immediately audit their environments, Burckhardt says. “Since the payload steals secrets available during install, they must assume credentials (GitHub tokens, cloud keys, SSH keys, etc.) accessible to the install environment are compromised and require rotation,” he says. 

Further, the only way to catch these attacks in the future is to conduct continuous monitoring of package installations and artifact behavior to ensure there is no malicious activity related to Shai-Hulud/Miasma in the environment, Burckhardt adds.
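The .pth mechanism described above (a non-comment line beginning with `import` is exec()'d by the `site` module on every interpreter start, while any other line is just appended to `sys.path`) is also what makes the auditing Burckhardt recommends tractable. The following script is an added example and is not Socket's tooling or anything from the campaign: it scans the interpreter's site-packages directories, and any wheel archive you point it at, for .pth files that carry executable lines. The sample .pth files and the sample wheel it builds are constructed for the demonstration; the module name `constructed_placeholder` is a placeholder and not an indicator from the page. Note that some legitimate tools (virtualenv, older setuptools) also ship `import` lines in .pth files, so every finding needs a human look rather than automatic blocking.

```python
import os
import re
import site
import tempfile
import zipfile

# CPython's site.addpackage() exec()s any .pth line that starts with
# "import " or "import\t"; every other non-comment line is treated as a
# path to add to sys.path. Only the first kind can run code at startup.
EXEC_LINE = re.compile(r"^import[ \t]")


def find_exec_lines(text):
    """Return (line_number, line) for every line that site.py would exec()."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#"):
            continue
        if EXEC_LINE.match(line):
            hits.append((lineno, line.rstrip()))
    return hits


def audit_site_packages(dirs=None):
    """Scan .pth files in the given dirs (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", list)())
        dirs.append(site.getusersitepackages())
    findings = {}
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = find_exec_lines(f.read())
            if hits:
                findings[path] = hits
    return findings


def audit_wheel(wheel_path):
    """A wheel is a zip; look inside it for .pth members with exec lines
    before the package is installed and its .pth file lands in site-packages."""
    findings = {}
    with zipfile.ZipFile(wheel_path) as zf:
        for info in zf.infolist():
            if info.filename.endswith(".pth"):
                text = zf.read(info).decode("utf-8", errors="replace")
                hits = find_exec_lines(text)
                if hits:
                    findings[info.filename] = hits
    return findings


def build_constructed_samples():
    """Create a temp 'site-packages' dir and a temp wheel with constructed .pth
    files: one benign path entry, one startup-executing import line."""
    tmp = tempfile.mkdtemp(prefix="pth_audit_")
    with open(os.path.join(tmp, "benign.pth"), "w", encoding="utf-8") as f:
        f.write("# constructed sample: plain path entry, never exec()'d\n")
        f.write("/opt/constructed/lib\n")
    hook = "import importlib; importlib.import_module('constructed_placeholder')\n"
    with open(os.path.join(tmp, "suspicious.pth"), "w", encoding="utf-8") as f:
        f.write(hook)  # constructed: runs on every interpreter start once installed
    wheel = os.path.join(tmp, "constructed_pkg-1.0-py3-none-any.whl")
    with zipfile.ZipFile(wheel, "w") as zf:
        zf.writestr("constructed_pkg/__init__.py", "")
        zf.writestr("constructed_pkg-1.0.dist-info/METADATA", "Name: constructed_pkg\n")
        zf.writestr("constructed_pkg-1.0.data/purelib/constructed_hook.pth", hook)
    return tmp, wheel


if __name__ == "__main__":
    tmp, wheel = build_constructed_samples()
    for path, hits in audit_site_packages([tmp]).items():
        for lineno, line in hits:
            print(f"[site-packages] {path}:{lineno}: {line}")
    for member, hits in audit_wheel(wheel).items():
        for lineno, line in hits:
            print(f"[wheel] {wheel}!{member}:{lineno}: {line}")
    # Run audit_site_packages() with no argument to check the live interpreter.
```

In CI, run `audit_wheel()` over downloaded wheels before `pip install` and fail the job on any finding that is not on an allowlist; run `audit_site_packages()` on build images after installation so that a .pth dropped by a transitive dependency is caught before secrets are exposed to it.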
