In a nutshell: 37 poisoned Wheel artifacts in 19 PyPI packages exploit .pth files to automatically execute a credential stealer upon Python import.
A new wave of supply-chain attacks called Hades has distributed 37 malicious Wheel artifacts across 19 compromised Python packages in PyPI. The malware uses .pth files for automatic code execution on import.
The Miasma supply-chain campaign has triggered a new attack wave named Hades, which distributed 37 malware-infected Wheel artifacts across 19 packages in the Python Package Index (PyPI). The attack follows the pattern of earlier, highly sophisticated supply-chain attacks that deliberately target specific ecosystems.
The compromised releases contained .pth files (Python path configuration files) that executed code automatically. Attackers used this mechanism to launch a credential stealer – a malware variant named Bun designed to extract login credentials. Python processes .pth files automatically on import, enabling very early and difficult-to-trace code injection into an application’s runtime.
For CTOs, this attack represents a significant risk: dependency management becomes a critical control point. Recommended countermeasures include implementing dependency-scanning tools, checking package metadata for anomalies (unusual maintainer activity, sudden new releases), and restricting installations to trusted or internally managed registry mirrors. Additionally, access protection measures such as API token rotation and deployment of secrets-management systems should be intensified.
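The mechanism the article describes rests on a documented behaviour of CPython's site module: when it builds sys.path at interpreter startup it reads every .pth file in site-packages, treats lines beginning with "import " (or "import" followed by a tab) as code to execute, and treats all other non-comment lines as directories to append to the path. The auditor below is an added example, not code from the article or from the campaign it reports; it walks a site-packages directory, applies the same line classification, and reports every executable line, ranking those containing tokens such as exec( or base64 as "high" and the rest as "review" (legitimate tooling such as setuptools also ships small import lines, so a plain import is a review item, not an alarm). The SUSPICIOUS_TOKENS list and the two sample .pth files are constructed for the demonstration; the auditor only reads the files and never executes them.

```python
"""Audit .pth files in a site-packages directory for lines the interpreter would execute."""
import tempfile
from pathlib import Path

# Heuristic token list (assumption: tuned for this example, extend for your environment).
SUSPICIOUS_TOKENS = (
    "exec(", "eval(", "compile(", "base64", "subprocess",
    "os.system", "urllib", "requests", "socket",
)


def classify_pth_line(line: str) -> str:
    """Mirror CPython's site.addpackage() rules.

    Comment lines and blank lines are skipped, lines starting with
    'import ' or 'import<TAB>' are exec'd, everything else is a path entry.
    """
    if line.startswith("#") or line.strip() == "":
        return "ignored"
    if line.startswith(("import ", "import\t")):
        return "exec"
    return "path"


def audit_pth_text(text: str, name: str = "<pth>") -> list[dict]:
    """Return one finding per executable line, with severity and matched tokens."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if classify_pth_line(raw) != "exec":
            continue
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in raw]
        findings.append({
            "file": name,
            "line": lineno,
            "code": raw.strip(),
            "severity": "high" if hits else "review",
            "tokens": hits,
        })
    return findings


def audit_site_packages(site_dir) -> list[dict]:
    """Scan every *.pth file directly under site_dir (sorted for stable output)."""
    findings = []
    for pth in sorted(Path(site_dir).glob("*.pth")):
        text = pth.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_pth_text(text, pth.name))
    return findings


def build_demo_dir() -> str:
    """Create a throwaway directory with two constructed .pth files."""
    d = tempfile.mkdtemp(prefix="site-packages-")
    # Constructed: path entry plus the kind of bookkeeping import setuptools emits.
    Path(d, "constructed-benign.pth").write_text(
        "# constructed benign path configuration file\n"
        "../vendor\n"
        "import sys; sys.__plen = len(sys.path)\n",
        encoding="utf-8",
    )
    # Constructed: an import line wrapping exec(), the shape the article describes.
    Path(d, "constructed-suspect.pth").write_text(
        "import os; exec(\"print('constructed sample: read by the auditor, never run')\")\n",
        encoding="utf-8",
    )
    return d


def demo() -> list[dict]:
    """Run the auditor over the constructed directory and return its findings."""
    return audit_site_packages(build_demo_dir())


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity']}] {f['file']}:{f['line']}  {f['code']}  tokens={f['tokens']}")
```

To use it against a real environment, call audit_site_packages() on each entry of `site.getsitepackages()` plus `site.getusersitepackages()`, and treat any "high" finding in a freshly installed package as an incident trigger rather than something to triage later: by the time a user script runs, the line has already executed.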
Source: thehackernews.com · Published 9 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.