Massive PyPI Supply Chain Attack Staged via Malware Startup Hooks

Overview of the Global Fraud Threat

Cybersecurity researchers have just detected a dangerous software campaign targeting Python developers. A coordinated PyPI supply chain attack compromised multiple popular open-source packages. Threat actors successfully injected malicious code directly into legitimate repositories via a maintainer account takeover. Fortunately, automated Socket malware detection systems identified the malicious cluster minutes after publication. This breach represents an alarming shift in ecosystem-specific attack strategies. Consequently, software engineers must immediately check their deployment pipelines to prevent data theft.

Inside the Hades Cluster

The newly discovered malware branch uses unique Greek mythology references for its operational markers. Analysts have named this specific threat group the Hades cluster. However, this intrusion is not an isolated incident. Instead, it belongs to the notorious Shai-Hulud and Miasma malware lineage. The broader campaign has moved rapidly across different open-source ecosystems over the past few days. In fact, security trackers are currently monitoring 448 affected artifacts spanning both npm and PyPI registries.

Exploiting the Python Startup

The architecture of this PyPI supply chain attack relies on an automated execution trigger. Specifically, the compromised releases contain a hidden configuration file. As noted in the technical report:

“The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js.”

This method means that the malware runs instantly without requiring an explicit package import. Therefore, any local test run or CI/CD job will inadvertently bootstrap the payload.

Why .pth Files Pose Severe Risks

Historically, developers used .pth files to add directory paths to the system environment. However, the Python interpreter natively executes lines starting with an import statement during initialization. This legacy feature gives threat actors a powerful backdoor. Consequently, an attacker can turn a passive background dependency into an active weapon. This behavior represents the Python equivalent of the dangerous npm install-hook exploitation. Thus, the initial installation step creates an immediate execution edge before anyone reviews the code.

The Cross-Runtime Execution Trick

Once the startup hook triggers, the installer fetches an unexpected execution environment. Specifically, the loader downloads a standalone copy of the Bun JavaScript runtime directly from GitHub. This cross-runtime approach allows the malware to run complex JavaScript payloads on a Python system. Furthermore, the creators do not assume that Node.js or Python environments are already configured. As the report highlights:

“That Bun dependency is a key fingerprint of this family: Shai-Hulud-style payloads do not assume Node.js, Python, or another local runtime will be available.”

Instead, they build their own isolated execution engine inside local temporary directories.

Massive Secret Harvesting Capabilities

The underlying JavaScript payload executes a sweeping sweep for highly sensitive credentials. For example, the code searches aggressively for cloud authentication tokens and private SSH keys. The extensive target list includes major platforms like AWS, Google Cloud, Azure, and Kubernetes. Additionally, it harvests access tokens for package registries like npm and PyPI. By stealing these credentials, the hackers can easily deepen their access or propagate further attacks.

Stealthy Exfiltration Over GitHub

To steal this information quietly, the malware uses legitimate cloud platforms as network camouflage. For instance, it sends decoy traffic to Anthropic AI servers to confuse network logs. Meanwhile, the actual exfiltration occurs directly through automated GitHub interactions. The payload automatically creates public code repositories to host the stolen data envelopes. These fraudulent repositories use specific descriptions like Hades - The End for the Damned.

Targeted Communities and Remediation

This dangerous PyPI supply chain attack heavily impacts specific scientific research circles. In particular, the compromised wheels hit several established bioinformatics and deep-learning toolkits. These tools boast hundreds of thousands of cumulative downloads. Fortunately, proactive Socket malware detection helped isolate the remaining threats before widespread damage occurred. To stay safe, organizations must immediately remove the infected packages and completely rotate all exposed developer credentials.