logo

Shai-Hulud Hades PyPI Campaign: 19 Packages Trojanized via Wheel Startup Hooks

ID: cac50042-b97b-5261-a4cd-52582bfcb052

STIX ID: report--cac50042-b97b-5261-a4cd-52582bfcb052

Feed Name: SOCRadar Blog

Threat Score
85/100

Date Published: 2026-06-09

Date Updated: 2026-06-10

Author: Ameer Owda

...
...

Researchers observed a Shai-Hulud/Mini Shai-Hulud/Miasma lineage PyPI supply-chain campaign that trojanized 19 Python packages (37 wheels) by embedding .pth startup hooks which bootstrap a Bun runtime to execute an obfuscated JavaScript credential stealer; the campaign targets developer and CI secrets, can execute without importing the package, and has persistence and exfiltration behaviors with hundreds of thousands of aggregate downloads reported.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.