Hades Campaign: Sophisticated Supply Chain Attack Targets Python Ecosystem

Severity: High (Score: 69.8)

Sources: www.stepsecurity.io, Csoonline, socket.dev, Letsdatascience

Published: 2026-06-11 · Updated: 2026-06-11

Keywords: hades, supply, chain, data, malware, pypi, attack

Severity indicators: supply chain attack, supply chain, malware, credentials

Summary

The Hades Campaign is a significant supply chain attack targeting the Python ecosystem, disclosed on June 8, 2026. It compromises 26 packages that execute malicious code upon interpreter startup, harvesting cloud credentials like AWS keys and GitHub tokens. The malware employs a hidden hook in .pth files to download a JavaScript runtime and scrape sensitive data from memory across all major operating systems. The attack's sophistication lies in its ability to evade detection by AI security tools through adversarial prompt injection. The campaign is ongoing, with active exploitation reported, affecting developers and organizations using Python packages in machine learning and bioinformatics. The threat actors utilize GitHub for data exfiltration, making the attack a self-replicating worm capable of further spreading through compromised publishing credentials.

Key Points:

  • Hades Campaign targets Python environments, executing malicious payloads on interpreter startup.
  • The attack harvests sensitive credentials from memory across Linux, macOS, and Windows systems.
  • Malware evades detection by AI security tools, posing a significant risk to developers and organizations.

Detailed Analysis

**Impact**

The campaign affected at least 26 Python packages across 37 malicious wheel files, impacting the data science, machine learning, bioinformatics, and computational biology sectors globally. Victims include developers and CI environments using PyPI packages, with stolen credentials covering AWS keys, GitHub tokens, and SSH credentials. The malware's worm-like propagation enables rapid spread by pushing poisoned packages, increasing risk to open-source supply chains and cloud infrastructure. Exfiltrated data includes sensitive cloud and repository credentials, threatening operational security and intellectual property.

**Technical Details**

The attack vector leverages malicious `.pth` files and obfuscated scripts embedded in Python packages, triggering on interpreter startup without any explicit import. It deploys the Bun JavaScript runtime (versions 1.3.13 and 1.3.14) to execute a multi-component encrypted payload that scrapes memory across Linux, macOS, and Windows for credentials. The malware exfiltrates data to attacker-controlled GitHub repositories named with "stygian-cerberus-*" and "tartarean-charon-*" patterns. It includes a persistence daemon (`gh-token-monitor`) that monitors stolen GitHub tokens and threatens destructive action if they are revoked. The payload uses adversarial prompt injection to evade LLM-based security scanners. No exploited CVEs were specified.

**Recommended Response**

Isolate affected systems immediately to prevent lateral spread before rotating credentials, so that rotation does not trigger the malware's destructive response. Monitor for `.pth` files with obfuscated imports and for unusual network traffic to GitHub repositories matching the known naming patterns. Harden Python environments by restricting or auditing package installations, and deploy detection rules for Bun runtime execution and memory-scraping behaviors. Enhance LLM-based security tools with strict boundary isolation to prevent prompt-injection evasion.
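The startup hook described above works because Python's own `site` module executes any line of a `.pth` file that begins with `import ` (every other non-comment line is treated as a directory to add to `sys.path`), so a package only needs to ship a `.pth` file to run code on every interpreter launch. The auditing script below is an added example written for this page, not code from any of the source reports or from the affected projects: it walks the site-packages directories, lists every `.pth` import line (the only lines that execute), and tags lines that carry markers typical of obfuscated loaders. The marker patterns and the two sample `.pth` contents are constructed heuristics and test data, not indicators taken from the Hades campaign.

```python
"""Audit .pth files for interpreter-startup hooks (added example, not from the sources).

Python's site module runs any .pth line starting with "import " (or a tab) via exec;
every other non-comment line is just appended to sys.path. Only import lines can
therefore execute code at startup, so those are the lines worth listing and grading.
"""
import os
import re
import site
import sys
from dataclasses import dataclass, field

# Constructed heuristics: legitimate .pth import lines (editable installs, virtualenv
# shims) are short and plain; these markers are common in obfuscated loaders.
SUSPICIOUS_PATTERNS = {
    "exec_or_eval": re.compile(r"\b(exec|eval)\s*\("),
    "dynamic_import": re.compile(r"__import__\s*\(|importlib\.import_module"),
    "encoding_helper": re.compile(r"\b(base64|zlib|marshal|codecs)\b"),
    "network_or_process": re.compile(r"\b(urllib|requests|socket|subprocess|os\.system)\b"),
    "hex_or_escape_blob": re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),
}
LONG_LINE = 200  # constructed threshold; real import lines are far shorter

# Constructed sample .pth contents used by demo() and the tests; never executed here.
CONSTRUCTED_BENIGN = "# editable install\n/opt/project/src\nimport _virtualenv\n"
CONSTRUCTED_SUSPICIOUS = (
    "import base64, sys; exec(base64.b64decode(b'PLACEHOLDER_NOT_A_PAYLOAD'))\n"
)


@dataclass
class Finding:
    path: str
    line_no: int
    reasons: list = field(default_factory=list)
    excerpt: str = ""


def audit_pth_text(text, path="<string>"):
    """Return one Finding per import line, listing why it deserves attention."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not (line.startswith("import ") or line.startswith("import\t")):
            continue  # path entry or comment: never executed by site.py
        reasons = ["executes_at_startup"]
        for name, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                reasons.append(name)
        if len(line) > LONG_LINE:
            reasons.append("long_line")
        findings.append(Finding(path, no, reasons, line[:80]))
    return findings


def audit_pth_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_pth_text(fh.read(), path)


def candidate_dirs():
    """Every directory in which site.py would process .pth files for this interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    dirs.extend(p for p in sys.path if p.endswith("site-packages"))
    return sorted({d for d in dirs if d and os.path.isdir(d)})


def scan_site_packages(dirs=None):
    findings = []
    for d in dirs if dirs is not None else candidate_dirs():
        for name in sorted(os.listdir(d)):
            if name.endswith(".pth"):
                findings.extend(audit_pth_file(os.path.join(d, name)))
    return findings


def is_high_risk(finding):
    # Any reason beyond the bare fact that the line executes at startup.
    return len(finding.reasons) > 1


def demo():
    """Grade the two constructed samples; returns (benign_findings, suspicious_findings)."""
    return (audit_pth_text(CONSTRUCTED_BENIGN, "benign.pth"),
            audit_pth_text(CONSTRUCTED_SUSPICIOUS, "suspicious.pth"))


if __name__ == "__main__":
    for f in scan_site_packages():
        flag = "HIGH" if is_high_risk(f) else "info"
        print(f"[{flag}] {f.path}:{f.line_no} {','.join(f.reasons)} :: {f.excerpt}")
```

Run it with the same interpreter the suspect environment uses (`python audit_pth.py` inside the virtualenv), since `.pth` processing is per site-packages directory; an `info` line is a normal editable install or virtualenv shim to confirm against the installed package list, while a `HIGH` line is a startup hook that decodes, fetches or spawns something and should be quarantined before the next interpreter launch on that host.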

Source articles (4)

  • Meet Hades: The malware that lies to AI security agents — Csoonline · 2026-06-09
    Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself. The newly-discovered Hades Campaign is a “highly sophisticated” supply chain com…
  • Hades PyPI Supply Chain Attack: 26 Packages Steal Cloud Credentials | Let's Data Science — Letsdatascience · 2026-06-11
    A data scientist installs a graph-machine-learning package, runs nothing, and walks away. The time any Python process starts on that machine, a hidden hook reaches out to GitHub, pulls down a JavaScri…
  • The Hades Campaign Pypi Packages — www.stepsecurity.io · 2026-06-11
  • Shai-Hulud Descends to Hades: Miasma PyPI Wave — socket.dev · 2026-06-11

Timeline

  • 2026-06-08 — Hades Campaign disclosed: Orca Security revealed the Hades Campaign, detailing its methods and impact on Python packages.
  • 2026-06-09 — Hades malware identified: CSO Online reported on the sophisticated tactics of the Hades malware, including its ability to evade AI detection.
  • Recent — Ongoing exploitation reported: The Hades malware remains active, with ongoing credential harvesting and potential for further spread.

Related entities

  • Miasma (Malware)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Worm (Attack Type)
  • Hades Campaign (Campaign)
  • Mini Shai-Hulud Campaign (Campaign)
  • Hades (Campaign)
  • Mistral AI (Company)
  • Orca Security (Company)
  • Red Hat (Company)
  • StepSecurity (Company)
  • TanStack (Company)
  • UiPath (Company)
  • AWS (Company)
  • PyTorch Lightning (Platform)
  • GitHub (Platform)
  • Linux (Platform)
  • macOS (Platform)
  • OIDC (Platform)
  • PyPI (Platform)
  • Windows (Platform)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • socket.dev (Domain)
  • T1003 - OS Credential Dumping (MITRE ATT&CK)
  • T1021 - Remote Services (MITRE ATT&CK)
  • T1027 - Obfuscated Files or Information (MITRE ATT&CK)
  • T1055 - Process Injection (MITRE ATT&CK)
  • T1059.003 - Windows Command Shell (MITRE ATT&CK)
  • T1059.007 - JavaScript (MITRE ATT&CK)
  • T1071.001 - Web Protocols (MITRE ATT&CK)
  • T1547 - Boot or Logon Autostart Execution (MITRE ATT&CK)
  • T1567.002 - Exfiltration to Cloud Storage (MITRE ATT&CK)
  • T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
  • GitHub Actions (Tool)
  • npm (Tool)
  • Python (Tool)
  • SCP (Tool)
  • Sigstore (Tool)
  • Bun (Tool)
  • gh-token-monitor (Tool)