The Hacker News · Tuesday, June 9, 2026

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

Tags: pypi, supply-chain, credential-stealer, bun

The Hades attack wave, a continuation of the Miasma supply chain campaign, has compromised 19 packages in the Python Package Index (PyPI) registry with 37 malicious wheel artifacts. The attack deploys a *-setup.pth file that executes automatically upon installation, enabling credential theft. The stealer specifically targets Bun, a JavaScript runtime, but may also harvest credentials from other environments. This incident highlights the ongoing refinement of supply chain attacks, where threat actors splinter and adapt their methods to target specific ecosystems. The malicious packages were designed to auto-run the credential stealer without user interaction, increasing the risk of widespread credential compromise. Developers who installed any of the 19 affected packages may have had their credentials exfiltrated, potentially leading to further account takeovers or data breaches. The attack underscores the need for vigilance in verifying package integrity and the importance of using trusted sources for software dependencies.
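As an added defender-side example (not code from the article or from the Hades analysis), the check below flags `.pth` files in a wheel or in an installed site-packages directory that contain lines Python executes at interpreter start, which is the hook a `*-setup.pth` dropper relies on. The sample wheel, its package name and its `.pth` contents are constructed for the demonstration.

```python
"""Flag .pth files (in a wheel or a site-packages dir) carrying executable lines."""
import io
import zipfile
from pathlib import Path


def executable_pth_lines(text: str) -> list[str]:
    """Return the lines of a .pth file that Python would exec() at startup.

    Mirrors site.addpackage(): a line is executed only if it starts with
    'import ' or 'import<TAB>'; comments and blank lines are skipped and
    everything else is treated as a directory to append to sys.path.
    """
    hits = []
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue
        if line.startswith(("import ", "import\t")):
            hits.append(line.rstrip("\r\n"))
    return hits


def scan_wheel(wheel_bytes: bytes) -> dict[str, list[str]]:
    """Map each .pth member of a wheel to its executable lines ([] = path-only)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".pth"):
                text = zf.read(name).decode("utf-8", "replace")
                findings[name] = executable_pth_lines(text)
    return findings


def scan_site_packages(site_dir: Path) -> dict[str, list[str]]:
    """Same check over an environment that is already installed."""
    return {p.name: executable_pth_lines(p.read_text(errors="replace"))
            for p in site_dir.glob("*.pth")}


def build_sample_wheel() -> bytes:
    """Constructed sample: one harmless path-style .pth and one that runs code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        zf.writestr("demo_pkg.pth", "demo_pkg\n")  # benign: only extends sys.path
        zf.writestr("demo_pkg-setup.pth",
                    "# looks harmless\nimport sys; sys.modules['demo_hook'] = sys\n")
    return buf.getvalue()
```

Run `scan_wheel` over a downloaded `.whl` before installing it, or `scan_site_packages` over an existing environment's site-packages, and treat any non-empty result as something to inspect by hand.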

// why it matters

Auto-executing credential stealers in PyPI packages can compromise developer credentials and downstream systems.

Sources

Primary: The Hacker News (thehackernews.com)


Digest published at aigest.dev