
The Hades Worm Hides in 26 Python Packages. It Runs Before You Import Anything.

LDS Team
Let's Data Science
A coordinated supply chain attack poisoned 26 PyPI packages across bioinformatics, graph ML, and deep-learning tooling, harvesting cloud credentials from any machine that so much as started Python. It even ships a daemon that threatens to wipe your data if you rotate the stolen keys.

A data scientist installs a graph-machine-learning package, runs nothing, and walks away. The next time any Python process starts on that machine, a hidden hook reaches out to GitHub, pulls down a JavaScript runtime, and begins reading the memory of running processes for AWS keys, GitHub tokens, and SSH credentials. No import statement was ever typed. No malicious function was ever called. The attack fired on interpreter startup, before a single line of the victim's own code ran.

That is the Hades Campaign, the latest and most aggressive entry in a year-long supply chain assault on the Python ecosystem. Orca Security's research team disclosed it on June 8, and the details should worry anyone whose laptop or CI runner touches PyPI. The campaign compromised 26 packages spanning 37 malicious wheel files, and it was still active when researchers published.

This is not a clever proof of concept. It is a working credential-harvesting worm, and it was sitting in packages that ML and bioinformatics teams install without a second thought.

The Attack Lives in a File Format Built for Convenience

The cleverness of Hades is that it weaponizes a Python feature almost nobody thinks about.

Python supports a file type called a .pth file, normally used to tell the interpreter where to find extra modules. Lines in a .pth file can also execute automatically every time Python starts. That is by design, and for two decades it was a harmless convenience. Hades turns it into a launchpad.

Each compromised package ships a *-setup.pth file containing an obfuscated import hook. When Python initializes, the hook downloads the Bun JavaScript runtime (versions 1.3.13 and 1.3.14) from GitHub and executes an obfuscated _index.js payload built from 16 encrypted components. Pulling in a separate runtime is the point: the malware no longer depends on Node.js being installed, so it runs in any Python environment, on any developer's box, the moment the interpreter wakes up.

The choice of trigger matters because it removes the user's last line of defense. Most package malware needs you to import the library, which means a careful developer reading the code first might catch it. A .pth payload runs before anyone can read anything.
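One way to check an environment for this trigger, as an added example that is not from Orca's report or the original article: CPython's site module executes only those .pth lines that begin with import followed by a space or tab, so the script below lists exactly those lines and flags files matching the *-setup.pth naming described above. The marker regex, the 200-character threshold and the sample files are assumptions constructed for illustration.

```python
import fnmatch, os, re, site, sys, tempfile

# Heuristic markers (an assumption of this example, not a list from the article).
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|base64|urllib|subprocess|socket|__import__)\b")

def executable_lines(pth_path):
    """Return (lineno, text) for lines site.py would exec(): 'import' + space or tab."""
    hits = []
    with open(pth_path, encoding="utf-8", errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            if line.startswith(("import ", "import\t")):
                hits.append((n, line.rstrip("\n")))
    return hits

def audit(dirs):
    """Scan directories for .pth files with startup code; one finding per executable line."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            for n, text in executable_lines(os.path.join(d, name)):
                reasons = []
                if fnmatch.fnmatch(name, "*-setup.pth"):
                    reasons.append("name matches *-setup.pth")
                if SUSPICIOUS.search(text):
                    reasons.append("dynamic code or network marker")
                if len(text) > 200:
                    reasons.append("unusually long line")
                findings.append({"file": name, "line": n, "reasons": reasons})
    return findings

def demo():
    """Audit constructed sample files in a temp dir (never on sys.path, never executed)."""
    samples = {
        "paths.pth": "../vendor/libs\n# plain path entry, not executed\n",
        "benign-hook.pth": "import os; var = 'X'\n",
        "example-setup.pth": "import base64; exec(base64.b64decode('cGFzcw=='))\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit([d])

if __name__ == "__main__":
    for f in audit(sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]):
        print(f)
```

Run it with an interpreter from outside the environment being checked and pass that environment's site-packages path as an argument, since starting the suspect interpreter normally would itself process its .pth files.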

Everything in Your Environment Is the Target

Once the JavaScript payload is live, it scrapes credentials across every major operating system, reading process memory directly: /proc/{pid}/mem on Linux, Mach kernel APIs on macOS, and ReadProcessMemory on Windows.

The list of secrets it hunts reads like an inventory of a modern ML stack:

  • AWS, GCP, and Azure authentication tokens
  • Kubernetes secrets and Docker registry configurations
  • GitHub personal access tokens and Actions tokens
  • Publishing credentials for PyPI, npm, and RubyGems
  • SSH private keys, .env files, and shell histories
  • AI assistant configurations across 14 separate systems

Stolen data is compressed, encrypted with AES-256-GCM and RSA-2048 hybrid cryptography, and exfiltrated to attacker-controlled public GitHub repositories. Those repositories carry the campaign's signature: descriptions reading "Hades – The End for the Damned," and names following the patterns stygian-cerberus-* and tartarean-charon-*.

The theft of GitHub tokens and publishing credentials is what makes Hades a worm rather than a one-time heist. With a victim's publishing keys in hand, the malware can push poisoned versions of additional packages, spreading on its own to new projects and new machines.

The Daemon That Holds Your Cloud Account Hostage

Hades introduces a technique that turns the usual incident-response playbook against the defender.

Standard advice after any credential compromise is to rotate every key immediately. Hades anticipates that move. It installs a persistence daemon named gh-token-monitor that watches the stolen GitHub tokens and threatens destructive action if it detects they have been revoked. Rotate too fast, and you risk triggering the wiper.

It is, in effect, ransomware logic bolted onto a credential stealer: a deterrent designed to keep you from doing the one thing you most need to do. Orca's guidance is to isolate any affected system first, then rotate, rather than letting the threat freeze you into inaction.

The payload also targets the tools increasingly used to catch it. It embeds prompt-injection text aimed at tricking LLM-based security analyzers into classifying the code as benign, and it sends decoy network traffic to Anthropic's AI servers to muddy network-level analysis. The attackers built Hades for a world where the defenders are partly automated and partly powered by language models, and they are trying to fool both.

This Is an Escalation, Not a One-Off

Hades did not appear from nowhere. Orca attributes it to the Miasma/Shai-Hulud threat lineage, the same family behind a string of 2026 attacks on open-source repositories.

The progression is the alarming part. The Mini Shai-Hulud campaign in May hit TanStack, Mistral AI, UiPath, and more than 160 packages. Earlier waves poisoned 32 of Red Hat's npm packages through the Miasma worm and compromised PyTorch Lightning for 42 minutes. Each round adds capability. Hades brings more sophisticated evasion, cross-runtime execution, worm-like self-propagation, and the extortion daemon, all in one package.

| Campaign | Date | Scope | Notable Technique |
|---|---|---|---|
| PyTorch Lightning | May 2026 | Single package, 42 minutes | Fast in-and-out credential theft |
| Mini Shai-Hulud | May 2026 | 160+ npm/PyPI packages | Valid build provenance attestations |
| Red Hat / Miasma | Jun 2026 | 32 npm packages | Abused npm trusted publishing |
| Hades | Jun 2026 | 26 PyPI packages | .pth startup execution, anti-revocation daemon |

The common thread across all of them is trust. Developers and automated pipelines pull packages on the assumption that a popular registry entry is safe. Hades exploits that assumption at the exact moment of installation, and it is built to survive the cleanup.

The Other Side of the Trust Problem

The repositories under attack are not negligent, and it is worth being fair about the constraint they operate under.

PyPI removes malicious packages once they are reported, and security firms including Orca, StepSecurity, and Socket.dev identified and published the affected package lists quickly. The wider problem is structural rather than a failure by any one maintainer. Open registries are valuable precisely because anyone can publish, and automated dependency resolution is useful precisely because it runs without a human in the loop. Those same properties are what the attackers exploit.

Security researchers have warned for over a year that the AI software supply chain has become the most attractive target in the field, because the repositories are trusted, the consumers are increasingly automated, and pickle-based or .pth-based payloads execute on load, before any human inspects them. The United States Department of Defense published formal guidance on AI and ML supply chain risk earlier this year, an institutional acknowledgment that this is now a national-security concern and not just a developer annoyance. The disagreement is not over whether the threat is real. It is over whether registries can be hardened fast enough to keep pace with attackers who iterate every few weeks.

Immediate Actions

If your team installs from PyPI, especially in bioinformatics, graph ML, or deep-learning workflows, treat this as an active incident rather than a notification.

If You May Be Affected, Act Now

  • Remove or pin away from all flagged package versions and upgrade to clean releases.
  • Rotate every credential reachable from affected environments, prioritizing GitHub tokens, registry publishing keys, and cloud provider tokens.
  • Hunt for persistence: gh-token-monitor and update-monitor services on Linux, LaunchAgents on macOS, and the lock files /tmp/.bun_ran and /tmp/tmp.0144018410.lock.
  • Isolate first, then rotate, to avoid the wiper.
  • Rebuild developer workstations and CI runners where possible, and audit GitHub for unauthorized commits or new repositories matching stygian-cerberus-* and tartarean-charon-*.

A short list of the affected packages includes ensmallen, embiggen, gpsea, pyphetools, executor-engine, magique-ai, pantheon-agents, and napari-ufish. The full set spans 26 names across the bioinformatics and developer-tooling clusters, documented by StepSecurity and Socket.dev.
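The persistence and repository indicators listed above can be checked read-only on an isolated host or a mounted disk image. The script below is an added example, not tooling from Orca or the original article; the service names, lock files and repository patterns come from the text, while the systemd and launchd directories searched and the sample data in demo() are assumptions.

```python
import fnmatch, os, tempfile

# Indicators taken from the article text.
LOCK_FILES = ["tmp/.bun_ran", "tmp/tmp.0144018410.lock"]
SERVICE_NAMES = ["gh-token-monitor", "update-monitor"]
REPO_PATTERNS = ["stygian-cerberus-*", "tartarean-charon-*"]
# Standard systemd/launchd locations (assumption: the article names no paths).
UNIT_DIRS = ["etc/systemd/system", "usr/lib/systemd/system",
             "Library/LaunchAgents", "Library/LaunchDaemons"]
USER_UNIT_DIRS = [".config/systemd/user", "Library/LaunchAgents"]

def hunt(root="/", homes=()):
    """Return sorted indicator paths found under root (live / or a mounted image)."""
    hits = [os.path.join(root, p) for p in LOCK_FILES
            if os.path.lexists(os.path.join(root, p))]
    dirs = [os.path.join(root, d) for d in UNIT_DIRS]
    dirs += [os.path.join(h, d) for h in homes for d in USER_UNIT_DIRS]
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in os.listdir(d):
            if any(s in name for s in SERVICE_NAMES):
                hits.append(os.path.join(d, name))
    return sorted(hits)

def flag_repos(repo_names):
    """Return repo names (owner/ prefix allowed) matching the campaign's patterns."""
    return [r for r in repo_names
            if any(fnmatch.fnmatch(r.split("/")[-1], p) for p in REPO_PATTERNS)]

def demo():
    """Build a constructed fake filesystem and repo list, then run both checks."""
    with tempfile.TemporaryDirectory() as root:
        home = os.path.join(root, "home", "dev")
        for rel in ["tmp/.bun_ran", "etc/systemd/system/gh-token-monitor.service",
                    "etc/systemd/system/cron.service",
                    "home/dev/.config/systemd/user/update-monitor.service"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        found = [os.path.relpath(p, root) for p in hunt(root, homes=[home])]
    repos = flag_repos(["dev/thesis-code", "dev/stygian-cerberus-4821",
                        "dev/tartarean-charon-x"])
    return found, repos

if __name__ == "__main__":
    print(hunt("/", homes=[os.path.expanduser("~")]))
```

A name match is a lead for triage rather than proof of compromise, and an empty result does not clear a host, since only the indicators named in the text are checked.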

The Bottom Line

The most uncomfortable fact about Hades is how little the victim has to do. You do not have to run the package. You do not have to import it. You only have to have it sitting in site-packages when Python starts, which on a developer machine or a CI runner is constantly. The attack collapses the gap between "installed" and "compromised" to zero.

That changes the math for every data team. Reviewing a dependency's source code before you import it is no longer enough, because the malicious code already ran. The defenses that still work are upstream and structural: pin versions, scan before install, isolate build environments, and rotate credentials on a schedule rather than only after a breach.

The attackers have made one thing clear with the anti-revocation daemon and the decoy traffic aimed at AI scanners. They are no longer just stealing keys. They are designing for the response, betting that the cleanup will be slow, automated, and afraid to move fast. The packages will keep coming. The only real question is whether your rotation discipline is faster than their next release.
