Hades campaign targets PyPI with malicious packages affecting 37 wheels across 19 projects

AI-Generated Summary

2 sources

1 day ago

1 views

Hades campaign targets PyPI with malicious packages affecting 37 wheels across 19 projects

Photo: The Hacker News

Key Points

The “Hades” supply-chain attack targets packages hosted on the Python Package Index (PyPI).
Reports say 37 malicious wheel artifacts are involved across 19 distinct PyPI packages.
The compromised packages include installation-time execution mechanisms, including a “*-setup.pth” file.
At least one report indicates the payload is associated with a credential-stealing component targeting Bun environments.
The campaign is described as part of an ongoing, evolving set of PyPI-focused supply-chain attacks.

Multiple outlets report a continuing software supply-chain threat aimed at the Python Package Index (PyPI). The newly described “Hades” campaign is said to involve malicious artifacts published to PyPI, continuing an ongoing pattern of “Miasma”-related attacks that have evolved over time. According to the reports, the latest wave includes 37 compromised wheel files across 19 Python packages.

The malicious releases are described as using packaging mechanisms that trigger code execution when the packages are installed. One outlet specifically notes that the compromised distributions include a “*-setup.pth” file intended to run automatically, which can allow payload code to execute as part of the installation process rather than requiring users to explicitly invoke the attacker’s code.

Another outlet characterizes the activity as part of a persistent ecosystem-focused targeting effort, suggesting attackers refine their techniques and splinter campaigns to affect specific environments. While details of the full payload are not fully consistent across the excerpts, at least one report indicates the behavior aligns with a credential-stealing component associated with Bun (JavaScript runtime) environments. Overall, the sources agree the campaign is active, spread across multiple PyPI projects, and relies on malicious release artifacts designed for automatic execution.

How Outlets Covered This Story

THE

The Hacker News

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

The Miasma supply chain campaign has sparked a fresh attack wave called Hades, this time involving 37 malicious wheel artifacts across 19 packages in the Python Package Index (PyPI) registry, as the Mini Shai-Hulud-style attacks continue to be refined and splintered to target specific ecosystems. "The compromised releases shipped a *-setup.pth file that attempts to execute automatically

14 hours ago

DAR

Dark Reading

'Hades' Campaign Against PyPI Puts New Spin on Shai-Hulud

The latest attacks, which hit 37 PyPI wheels and 19 code packages, show a continued evolution of the persistent software supply chain threat.

1 day ago

We use cookies

This website uses cookies in order to enhance the overall user experience.

Take a look at our Cookies Policy for more information.

Hades campaign targets PyPI with malicious packages affecting 37 wheels across 19 projects

TechRadar publishes daily Quordle hints and answers for multiple dates

NYT Connections and Strands puzzles: hints and answers published across multiple outlets

NYT Strands daily guides provide hints, clues, and answers for multiple dates