Shai-Hulud Hades Campaign Poisoned 19 PyPI Packages to Steal Developer Secrets
Researchers reported that the Hades malware campaign, tied to the broader Shai-Hulud/Miasma lineage, poisoned 19 PyPI packages across 37 malicious releases, including widely used bioinformatics and science-focused tools. The malicious packages abused Python startup and import mechanisms such as executable .pth files and obfuscated __init__.py hooks to automatically fetch the Bun JavaScript runtime from GitHub and launch an obfuscated stealer payload, often without requiring normal package execution. Investigators said the malware harvested a broad set of secrets from developer workstations and CI/CD environments, including GitHub, npm, PyPI, cloud, Kubernetes, SSH, Docker, and shell-history credentials, while using GitHub repositories, GitHub Actions, and secondary HTTPS channels for exfiltration.
Security firms said the operation expands earlier Shai-Hulud tradecraft with AI-analysis evasion, hidden prompts intended to mislead LLM-based security tools, payload retrieval from GitHub commits, SSH/SCP-based lateral movement, IDE and AI-assistant backdooring, and destructive components such as a gh-token-monitor service. Reporting also linked the campaign to an attempted compromise of the Pythagora-io/gpt-pilot project after the maintainer account LeonOstrez was breached, although the malicious changes reportedly failed CI checks because formatting and linting rules blocked them. Defenders were urged to rotate exposed secrets, restore from trusted backups, and hunt for indicators including executable .pth files, Bun downloads from GitHub, and unusual Python-to-Bun process chains on Linux and macOS systems.
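The hunting advice above rests on a Python startup mechanism: site.py executes any line of a .pth file in a site-packages directory that begins with "import " when the interpreter starts, so a package can run code without ever being imported. As an added example (not code from any of the cited reports), the script below lists every .pth file in the interpreter's site directories that uses this hook and flags lines carrying decoding or process-spawning tokens. The three sample .pth files and the `_hypothetical_editable_finder` module name are constructed for the demonstration.

```python
"""Hunt for executable .pth startup hooks in Python site directories."""
from __future__ import annotations
import re
import site
import tempfile
from pathlib import Path

# site.py exec()s every .pth line that starts with exactly "import " or
# "import\t" (no leading whitespace); other non-blank lines are sys.path
# entries. That startup hook is what the trojanized packages relied on.
_EXEC_PREFIX = re.compile(r"^import[ \t]")
# Legitimate .pth shims usually import one small helper module; decoding,
# downloading or process-spawning tokens on the same line deserve a look.
_SUSPICIOUS = re.compile(r"exec\(|eval\(|base64|subprocess|urllib|os\.system|bun", re.I)

def classify_pth_line(line: str) -> str:
    """Return 'path', 'exec' or 'exec-suspicious' for one .pth line."""
    if not _EXEC_PREFIX.match(line):
        return "path"
    return "exec-suspicious" if _SUSPICIOUS.search(line) else "exec"

def scan_pth_dir(directory: str | Path) -> list[tuple[str, str]]:
    """List (filename, worst verdict) for .pth files that run code at startup."""
    findings = []
    for pth in sorted(Path(directory).glob("*.pth")):
        verdicts = {classify_pth_line(ln) for ln in pth.read_text(errors="replace").splitlines()}
        if "exec-suspicious" in verdicts:
            findings.append((pth.name, "exec-suspicious"))
        elif "exec" in verdicts:
            findings.append((pth.name, "exec"))
    return findings

def scan_site_dirs() -> list[tuple[str, str]]:
    """Scan this interpreter's global and user site-packages directories."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [hit for d in dirs if Path(d).is_dir() for hit in scan_pth_dir(d)]

def demo_findings() -> list[tuple[str, str]]:
    """Scan three constructed .pth files (not artefacts from the campaign)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "paths-only.pth").write_text("/opt/lib/extra\n")
    (tmp / "editable-shim.pth").write_text("import _hypothetical_editable_finder\n")
    (tmp / "dropper-like.pth").write_text('import base64; exec(base64.b64decode(b"PLACEHOLDER"))\n')
    return scan_pth_dir(tmp)

if __name__ == "__main__":
    for name, verdict in demo_findings() + scan_site_dirs():
        print(f"{verdict:16} {name}")
```

An "exec" verdict is not itself malicious (editable installs and virtualenv shims use the same hook); the value of the scan is in reviewing what each flagged line imports and whether the owning package should be doing anything at startup.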

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Socket reports Hades variant in 23 new malicious PyPI package versions
Socket reported a newly discovered Mini Shai-Hulud variant called Hades in 23 new malicious PyPI package versions targeting bioinformatics and AI-themed packages. The campaign used PyPI-specific delivery methods including .pth hooks, compiled .abi.so extensions, and a loader-style package, while stealing developer and CI/CD secrets and embedding prompt-injection anti-analysis content.
Researchers detail expanded Hades capabilities and AI-analysis evasion
Researchers reported that the Hades wave, linked to the Shai-Hulud/Miasma lineage, added capabilities such as prompt-injection-based AI-analysis evasion, payload retrieval from GitHub commits, SSH/SCP lateral movement, GitHub Actions secret theft, IDE and AI-assistant backdooring, and a destructive gh-token-monitor service. InfoWorld also described the campaign as targeting ensmallen and bioinformatics ecosystems while combining memory-focused behavior and wiper functionality.
StepSecurity discloses compromise of LeonOstrez GitHub account
StepSecurity disclosed that the GitHub account LeonOstrez, tied to the Pythagora-io/gpt-pilot project, was compromised to push a Shai-Hulud variant. The malicious changes did not deploy because CI failed due to ruff formatting and linting violations.
PwnForums suffers outage after DNS and IP changes
ASEC said PwnForums experienced an outage of roughly 12 hours following DNS and IP changes. The disruption was cited as another sign of volatility in the dark web forum ecosystem.
T1erOne publishes new Onion address after FBI seizure of RAMP
ASEC reported that T1erOne published a new Onion address to continue operations after the FBI seizure of RAMP. The report presented this as part of broader instability and consolidation across dark web forums.
ASEC links BreachForums-TeamPCP rivalry to Shai-Hulud npm campaign
ASEC reported a claimed competition between BreachForums and TeamPCP connected to the Shai-Hulud supply-chain attack campaign targeting the npm package ecosystem. This tied dark web forum activity to the broader malware campaign's propagation narrative.
ASEC reports BreachForums-DragonForce partnership announcement
ASEC's May 2026 Dark Web Issue Trend Report said BreachForums announced an official ransomware-as-a-service partnership with DragonForce to combine stolen data distribution with ransomware operations. The report also noted governance disruption on the forum following a moderator split involving HasanBroker.
Socket identifies 19 trojanized PyPI packages in Shai-Hulud-linked campaign
Socket discovered a supply-chain attack affecting 19 PyPI packages across 37 malicious releases, including science and bioinformatics tools, that delivered malware to steal developer secrets. The packages used Python startup hooks and an obfuscated JavaScript payload to download Bun and execute automatically when Python started.
Shai-Hulud source code publicly released, complicating attribution
Gurucul reported that on May 12, 2026, the full Shai-Hulud worm source code was released under an MIT license. The release made the malware effectively public attack infrastructure and introduced uncertainty into prior attribution to TeamPCP/UNC6780.
Sources
Shai-Hulud Campaign Evolution: Miasma, Hades, and AI Scanner Evasion | Community Portal | Gurucul (community.gurucul.com)
Mini Shai-Hulud ‘Hades’ variant affects 23 PyPI package versions | news | SC Media (scworld.com)
Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer (thehackernews.com)
Meet Hades: The malware that lies to AI security agents | InfoWorld (infoworld.com)
May 2026 Dark Web Issue Trend Report - ASEC (asec.ahnlab.com)
New Shai-Hulud attack trojanizes 19 science-focused PyPI packages (bleepingcomputer.com)
Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz (zscaler.com)