Researchers discovered 37 malicious wheel artifacts distributed across 19 poisoned packages on PyPI, part of a campaign dubbed Hades linked to the broader Miasma supply chain attack group. The packages contained .pth files designed to execute automatically during Python initialization, delivering a credential stealer called Bun.
The attack exploited Python's .pth file mechanism: at interpreter startup the site module processes every .pth file in site-packages and executes any line that begins with `import`, so the payload runs each time Python is launched, without the victim ever importing the poisoned package. Because this happens before any application code or security tooling inside the process runs, the technique sidesteps controls that watch for suspicious imports or calls. The Bun stealer targets environment variables, authentication tokens, and API credentials stored in common configuration locations.
The 19 compromised packages remained available on PyPI for an undetermined period before removal. Developers who installed affected versions onto systems connected to cloud services, databases, or API endpoints face credential exposure. The stolen credentials grant attackers direct access to production infrastructure, CI/CD pipelines, and third-party services.
PyPI maintainers responded by removing the malicious packages, but the incident reflects persistent gaps in package registry oversight. The campaign demonstrates how Miasma operators continuously adapt their tactics. Earlier waves targeted npm and RubyGems. By fragmenting attacks across multiple ecosystems and using ecosystem-specific techniques like .pth files, attackers evade detection systems tuned to particular platforms.
Organizations should audit PyPI dependencies installed between the campaign's launch and package removal. Teams must verify which credentials existed on compromised systems and rotate any tokens or API keys that could have been exposed. Implementing runtime integrity monitoring for Python processes and restricting .pth file execution in sensitive environments reduces risk from similar attacks.
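One concrete way to act on the audit recommendation, and a direct illustration of the .pth startup hook described above, is to enumerate every .pth line the interpreter would execute. The script below is an added example, not code from the article or the researchers; it mirrors the line-matching rule in CPython's site module and uses a constructed sample .pth to show the distinction between a path entry and an executed `import` line. The suspicious-token list is a heuristic assumption, not a documented indicator from the campaign.

```python
import re
import site
from pathlib import Path

# Constructed sample .pth contents (not a real artifact from the campaign).
SAMPLE_PTH = """\
# editable-install style entry: appended to sys.path, never executed
/home/dev/project/src
import sys; sys.path.insert(0, '/opt/tools')
import os, base64; exec(base64.b64decode('...placeholder...'))
"""

# Heuristic: tokens that rarely belong in a legitimate path-hook .pth line
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|base64|subprocess|urllib|socket|requests)\b")


def audit_pth_text(text, source="<pth>"):
    """Return one finding per line the interpreter would exec() at startup.

    Mirrors site.addpackage(): the raw line must start with 'import' followed
    by a space or tab; '#' lines and blank lines are skipped; everything else
    (including an indented 'import') is treated as a directory for sys.path.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or not line.strip():
            continue
        if not line.startswith(("import ", "import\t")):
            continue
        findings.append({
            "source": source,
            "line": lineno,
            "code": line.rstrip(),
            "suspicious": bool(SUSPICIOUS.search(line)),
        })
    return findings


def audit_site_packages():
    """Scan every .pth file in this interpreter's site-packages directories."""
    findings = []
    for d in site.getsitepackages() + [site.getusersitepackages()]:
        for pth in sorted(Path(d).glob("*.pth")):
            findings.extend(audit_pth_text(pth.read_text(errors="replace"), str(pth)))
    return findings


if __name__ == "__main__":
    for f in audit_site_packages():
        tag = "SUSPICIOUS" if f["suspicious"] else "executes"
        print(f"{tag} {f['source']}:{f['line']}: {f['code']}")
```

Run it inside each environment you want to check; every line it reports runs on interpreter start, so any entry not traceable to a known editable install or path hook warrants review.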
The Hades campaign underscores that supply chain threats extend beyond direct code injection. Attackers exploit legitimate platform features to achieve code execution with minimal detection. Package repositories remain attractive targets because a single compromised package reaches thousands of downstream users.
