Shai-Hulud Hades PyPI Campaign: 19 Packages Trojanized via Wheel Startup Hooks
ID: cac50042-b97b-5261-a4cd-52582bfcb052
STIX ID: report--cac50042-b97b-5261-a4cd-52582bfcb052
Feed Name: SOCRadar Blog
Threat Score
Researchers observed a Shai-Hulud/Mini Shai-Hulud/Miasma lineage PyPI supply-chain campaign that trojanized 19 Python packages (37 wheels) by embedding .pth startup hooks which bootstrap a Bun runtime to execute an obfuscated JavaScript credential stealer; the campaign targets developer and CI secrets, can execute without importing the package, and has persistence and exfiltration behaviors with hundreds of thousands of aggregate downloads reported.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
