The Miasma supply chain campaign has spawned a fresh attack wave, dubbed Hades, this time involving 37 malicious wheel artifacts across 19 packages on the Python Package Index (PyPI), as the Mini Shai-Hulud-style attacks continue to be refined and splintered to target specific ecosystems.
“The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js,” Socket said in a new analysis.
The list of identified packages is below –
- bramin 0.0.2, 0.0.3, 0.0.4
- cmd2func 0.2.2, 0.2.3
- coolbox 0.4.1, 0.4.2
- dynamo-release 1.5.4
- executor-engine 0.3.4, 0.3.5
- executor-http 0.1.3, 0.1.4
- funcdesc 0.2.2, 0.2.3
- magique 0.6.8, 0.6.9
- magique-ai 0.4.4, 0.4.5
- mrbios 0.1.1, 0.1.2
- napari-ufish 0.0.2, 0.0.3
- nucbox 0.1.2, 0.1.3
- okite 0.0.7, 0.0.8
- pantheon-agents 0.6.1, 0.6.2
- pantheon-toolsets 0.5.5, 0.5.6
- spateo-release 1.1.2
- synago 0.1.1, 0.1.2
- ufish 0.1.2, 0.1.3
- uprobe 0.1.3, 0.1.4
As in the previous Shai-Hulud and Miasma campaigns, the malicious payload downloads and installs the Bun JavaScript runtime, which is then used to launch a heavily obfuscated JavaScript stealer that harvests a wide range of data from developer systems.
This includes secrets associated with GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, and Kubernetes, along with Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, Claude/MCP configurations, and other local or runner-accessible credentials.
One thing that has changed this time around is the campaign marker. Previous iterations exfiltrated the harvested data to a public GitHub repository whose description read “Miasma: The Spreading Blight” or “Miasma – The Spreading Blight”; the latest wave uses the repository descriptions –
- Hades – The End for the Damned
- Hades * The End for the Damned
“That makes Hades best understood as a PyPI branch of the same Mini Shai-Hulud / Miasma lineage, not a standalone Python malware incident,” the application security company said. “The core playbook remains the same: abuse trusted package channels, execute before normal package use, stage a Bun-powered JavaScript payload, steal developer and CI/CD credentials, and use GitHub-centric exfiltration and propagation logic.”
The other notable change is the delivery mechanism: a *-setup.pth file that Python’s “site” module processes during interpreter startup. Any line in a .pth file that begins with “import” is passed to exec() by site.py, a documented feature meant for path hooks, so once the wheel is installed the malicious payload runs on every subsequent Python launch without the victim ever importing the poisoned package. The payload downloads Bun from GitHub and uses it to run the stealer, but not before checking whether the system uses a Russian locale.
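As an added example, not code from the Socket report or from any of the packages listed above, the following audit script reads .pth files with the same line rules site.py applies and reports every line the interpreter would exec() at startup, without executing any of it. The fixtures it builds are constructed: a plain path entry, the genuine setuptools hook, and a hypothetical evil-setup.pth whose payload only decodes to print('hi'). The keyword list used for ranking is an assumption to tune for your own estate.

```python
"""Audit .pth files the way Python's site module reads them.

Added example, not code from the Socket report or any of the listed packages.
It applies the same line rules site.py uses when it processes a .pth file:
lines starting with '#' and blank lines are skipped, a line beginning with
"import " or "import\t" is handed to exec() at interpreter startup, and every
other line is treated as a sys.path entry. Nothing here executes .pth content;
it only reports the executable lines and ranks them with a keyword heuristic.
"""
import os
import re
import site
import tempfile

# Primitives a loader needs to fetch, decode and spawn a second stage. Legitimate
# hooks (setuptools, virtualenv, editable installs) also use import lines, so this
# is a triage heuristic (an assumption to tune), not a verdict: review every
# "exec" line the scanner reports.
RISKY = re.compile(
    r"(?:urllib|urlopen|requests|socket|subprocess|os\.system|os\.popen|"
    r"base64|zlib|marshal|__import__|\bexec\s*\(|\beval\s*\(|\bcompile\s*\()"
)


def parse_pth(text):
    """Yield (kind, line) pairs, kind being "exec" or "path", using site.py's rules."""
    for raw in text.splitlines():
        if raw.startswith("#") or raw.strip() == "":
            continue
        if raw.startswith(("import ", "import\t")):
            yield "exec", raw
        else:
            yield "path", raw.rstrip()


def scan_dir(sitedir):
    """Return one finding per executable line in every .pth file under sitedir.

    No filtering on file name beyond the .pth suffix: a planted hook can be
    called anything, and the *-setup.pth naming is only what this wave used.
    """
    findings = []
    try:
        names = sorted(os.listdir(sitedir))
    except OSError:
        return findings
    for name in names:
        if not name.endswith(".pth"):
            continue
        path = os.path.join(sitedir, name)
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
        for kind, line in parse_pth(text):
            if kind == "exec":
                hits = sorted(set(RISKY.findall(line)))
                findings.append({"file": path, "line": line, "risky": hits})
    return findings


def scan_site_packages():
    """Scan the directories site.py would actually process for this interpreter."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [f for d in dirs for f in scan_dir(d)]


def demo():
    """Constructed fixtures (not real malware): a plain path entry, the genuine
    setuptools hook, and a hypothetical loader shaped like a *-setup.pth whose
    payload merely decodes to print('hi')."""
    d = tempfile.mkdtemp()
    samples = {
        "mypkg.nspkg.pth": "# plain sys.path entry, never executed\n/opt/mypkg/src\n",
        "distutils-precedence.pth": (
            "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = "
            "os.environ.get(var, 'local') == 'local'; enabled and "
            "__import__('_distutils_hack').add_shim();\n"
        ),
        "evil-setup.pth": (
            "import base64, subprocess; "
            "exec(base64.b64decode('cHJpbnQoJ2hpJyk='))\n"
        ),
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "w", encoding="utf-8") as f:
            f.write(body)
    return scan_dir(d)


if __name__ == "__main__":
    for hit in demo() + scan_site_packages():
        flag = "RISKY " if hit["risky"] else "review"
        print(f"{flag} {hit['file']}: {hit['line'][:80]}")
```

Run it with each interpreter and virtual environment you care about, since every one has its own site-packages. An empty list of "exec" lines is the normal state for a bare interpreter; setuptools' distutils-precedence.pth and modern editable installs are the usual legitimate hits, and anything that pulls in network, decoding or process-spawning modules from a .pth file should be treated as a startup hook to be explained before the next Python launch.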
“This is the Python equivalent of the npm install-hook problem that Shai-Hulud and Miasma repeatedly exploit,”…
