Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave
ID: 3757c617-993a-5d05-9930-d1023d7ae91e
STIX ID: report--3757c617-993a-5d05-9930-d1023d7ae91e
Feed Name: Socket Blog
Socket discovered a coordinated PyPI supply-chain compromise: 37 malicious wheels across 19 packages. The wheels install executable .pth startup hooks that download and install the Bun runtime and run an obfuscated JavaScript payload (Hades, a branch of the Shai-Hulud/Miasma lineage). The payload is designed to steal developer, CI/CD, and cloud credentials and to exfiltrate data (notably via GitHub repositories, artifacts, and camouflage to an Anthropic API host). The report includes IOCs, hashes, detection rules, and remediation guidance.
