New PyPI Wave in Mini Shai-Hulud, Miasma, and Hades Campaign: 23 New Malicious PyPI Artifacts
- New PyPI Wave: Researchers identified 23 newly added PyPI package-version artifacts connected to the Mini Shai-Hulud, Miasma, and Hades supply chain attacks.
- Tracker Total: The campaign tracker now spans over 470 affected artifacts across npm and PyPI, targeting developers.
- Shifting Delivery: Newer packages use trojanized native .abi3.so extensions and a sys.path-searching loader to execute a Bun-staged Hades stealer.
Socket Threat Research has identified a newer PyPI wave connected to the broader Mini Shai-Hulud, Miasma, and Hades supply chain attacks. This wave adds 23 newly identified PyPI package-version artifacts targeting bioinformatics and MCP developers.
These add to the 37 malicious PyPI wheels covered in the earlier report. The campaign tracker now includes 471 affected artifacts across npm and PyPI, comprising 411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages.
Expanding Package Themes
The new set includes six bioinformatics packages, a separate cluster of AI and MCP-themed packages, typosquat-style packages such as “rsquests,” “tlask,” and “rlask,” and a langchain-core-mcp loader variant that does not bundle the expected _index.js payload, according to Socket.
The weekend PyPI wave used executable .pth startup hooks. The newer bioinformatics subcluster uses trojanized native .abi3.so extensions that execute the JavaScript payload at import time.
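Both delivery mechanisms described above leave inspectable traces in site-packages: a `.pth` file that CPython's `site` module executes at every interpreter start only if its lines begin with `import`, and a native `.abi3.so` extension sitting next to a JavaScript file that a Python package has no ordinary reason to ship. The scanner below is an added example written for defenders; it is not Socket's tooling or code from any of the packages named in the article. The detection heuristics, the regexes, and the sample site-packages tree it builds in a temporary directory are constructed assumptions for illustration.

```python
"""Scan a site-packages tree for executable .pth startup hooks and for native
.abi3.so extensions bundled with a JavaScript payload.  Added example, not
Socket's tooling; heuristics and sample tree are constructed assumptions."""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

# CPython's site.py executes a .pth line only if it starts with "import";
# benign .pth files normally contain bare directory paths instead.
EXEC_PTH_LINE = re.compile(r"^\s*import\b")
# Calls that a startup hook would need to stage or run a second-stage payload.
SUSPICIOUS_CALLS = re.compile(
    r"\b(exec|eval|compile|subprocess|os\.system|__import__|b64decode)\b")


def scan_pth_files(site_packages: Path) -> list[dict]:
    """Return every import-form .pth line, flagging ones with loader-style calls."""
    findings = []
    for pth in site_packages.glob("*.pth"):
        text = pth.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if EXEC_PTH_LINE.match(line):
                findings.append({
                    "kind": "executable_pth",
                    "path": str(pth),
                    "line": lineno,
                    "suspicious": bool(SUSPICIOUS_CALLS.search(line)),
                })
    return findings


def scan_native_extensions(site_packages: Path) -> list[dict]:
    """Flag .abi3.so extensions whose package directory also ships .js files."""
    findings = []
    for so in site_packages.rglob("*.abi3.so"):
        js_files = sorted(p.name for p in so.parent.rglob("*.js"))
        if js_files:
            findings.append({
                "kind": "native_ext_with_js",
                "path": str(so),
                "js": js_files,
            })
    return findings


def build_sample_tree(root: Path) -> Path:
    """Construct a fake site-packages tree (sample data, not real packages)."""
    sp = root / "site-packages"
    (sp / "benign_pkg").mkdir(parents=True)
    (sp / "benign_pkg-1.0.pth").write_text("/opt/benign_pkg/src\n")  # path form
    (sp / "hook_pkg").mkdir()
    # Constructed stand-in for an import-form startup hook (hypothetical module).
    (sp / "hook_pkg-0.1.pth").write_text("import os; __import__('_loader').run()\n")
    ext = sp / "bio_pkg"
    ext.mkdir()
    (ext / "_native.abi3.so").write_bytes(b"\x7fELF")  # placeholder bytes, not a real ELF
    (ext / "_index.js").write_text("// placeholder payload file name from the article\n")
    clean = sp / "clean_ext"
    clean.mkdir()
    (clean / "_fast.abi3.so").write_bytes(b"\x7fELF")  # native extension, no JS: not flagged
    return sp


def demo_scan() -> dict:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        sp = build_sample_tree(Path(tmp))
        return {"pth": scan_pth_files(sp), "native": scan_native_extensions(sp)}


if __name__ == "__main__":
    # Usage: python scan_site_packages.py [/path/to/site-packages]
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])
        for finding in scan_pth_files(target) + scan_native_extensions(target):
            print(finding)
    else:
        for finding in demo_scan()["pth"] + demo_scan()["native"]:
            print(finding)
```

Import-form `.pth` lines are not malicious by themselves: setuptools ships `distutils-precedence.pth` in that form, so treat the `suspicious` flag as the triage signal and allowlist the known-good files you expect on your images. Running the scanner against the real interpreter path (`sysconfig.get_paths()["purelib"]`) in CI, before the build step that imports project dependencies, catches both hook styles at the point where a trojanized wheel would otherwise execute.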
Payload and Credential Targets
The bioinformatics cluster affects real packages used in graph learning, patient phenotyping, phenopacket tooling, and related scientific workflows. Other artifacts and several MCP-themed packages appear designed to capture installs intended for popular Python packages, including Flask, requests, LangChain, OpenAI, tokenization, and MCP tooling.
The payload follows the Hades pattern: a heavily obfuscated JavaScript stealer staged through Bun. Once executed, it targets developer workstations and CI/CD environments for GitHub, npm, PyPI, RubyGems, JFrog, cloud credentials, Kubernetes service account material, SSH keys, Docker configuration, shell histories, .env files, package registry credentials, and AI developer tool configuration.
Last week, over 30 Red Hat npm packages were backdoored with a new Miasma variant of the Shai-Hulud malware.
Last month, the first clones of the Shai-Hulud worm emerged in the npm supply chain days after TeamPCP released the source code and claimed responsibility for the Mistral AI breach linked to the TanStack supply chain attack. GitHub also investigated TeamPCP's claim of a 4,000-repository breach.