Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

2026-06-09

1 min read

by info@thehackernews.com (The Hacker News)

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

The Hades campaign exploited 19 PyPI packages containing malicious wheel artifacts designed to steal developer credentials.

•37 malicious wheels used *.pth files to auto-execute on Python startup, downloading Bun JavaScript runtime
•Stealer harvests credentials for GitHub, npm, PyPI, AWS, GCP, Azure, Kubernetes, Docker, SSH keys, and .env files
•Alternative variant in bioinformatics cluster uses obfuscated imports in __init__.py for same execution effect
•Malware includes AI defense evasion with LLM prompt injection attempts and GitHub commit querying for payload extraction
•Features include lateral spreading via SSH/SCP, GitHub secret extraction, IDE backdoors targeting Claude/Copilot, and token revocation wiper

Related Articles