Hades Campaign: 19 PyPI Packages Compromised with Automatic Credential Stealer

The gist: The Hades campaign plants manipulated PyPI packages whose setup (.pth) files execute automatically, stealing Bun login credentials through the Python supply chain.

In a new attack wave of the Miasma campaign, 37 malicious wheel artifacts were distributed across 19 packages in the Python Package Index (PyPI), automatically executing a Bun credential stealer via *-setup.pth files.

The latest attack wave of the Miasma campaign, named Hades, comprises 37 malicious wheel artifacts distributed across 19 packages in the Python Package Index. The malware is delivered via *-setup.pth files, which are executed automatically upon installation, with no further user interaction required.

The compromise targets developers who install these manipulated packages as dependencies. It continues the Miasma campaign's strategy of running supply-chain attacks in specific ecosystems in order to steal credentials for the Bun project (a JavaScript runtime).

For CTOs and security officers, this represents an expanded attack surface: PyPI remains a preferred target for credential harvesting in Python environments. Because the code in a setup file runs automatically rather than being called by the developer, it sidesteps analysis that only looks at the package's importable modules. Organizations should continuously monitor PyPI dependencies, particularly unknown or rarely maintained packages, and deploy integrity checks and Software Composition Analysis (SCA) tools.
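The mechanism the article describes relies on a documented CPython behaviour: when the interpreter starts, site.py reads every .pth file in site-packages and passes each line beginning with "import " (or "import" plus a tab) to exec(), while treating other lines as paths to append to sys.path. The script below is an added defender-side check, not code from the article or from the campaign's packages; it enumerates .pth files in a site-packages directory, reports the lines the interpreter would execute, and flags file names matching the *-setup.pth pattern named above. It goes slightly beyond the article by reporting every executable .pth line, not only those in *-setup.pth files, since a future wave could use a different name. The demo directory, file names and the inert import line in it are constructed for illustration.

```python
"""
Defender-side check: list the .pth lines a Python interpreter would execute at
startup. Any such line is worth reviewing; a file named *-setup.pth is flagged
because that is the naming pattern reported for the Hades wave.
"""
import os
import site
import tempfile
from dataclasses import dataclass


@dataclass
class PthFinding:
    path: str          # absolute path of the .pth file
    lineno: int        # 1-based line number inside the file
    line: str          # the executable line, stripped
    setup_named: bool  # True if the file name matches the *-setup.pth pattern


def executable_pth_lines(site_dir):
    """Return a PthFinding for every .pth line that site.py would exec()."""
    findings = []
    if not os.path.isdir(site_dir):
        return findings
    for name in sorted(os.listdir(site_dir)):
        if not name.endswith(".pth"):
            continue
        full = os.path.join(site_dir, name)
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                lines = fh.read().splitlines()
        except OSError:
            continue
        for idx, raw in enumerate(lines, start=1):
            # Same test site.addpackage() applies: only lines starting with
            # "import " or "import\t" are executed; everything else is a path.
            if raw.startswith(("import ", "import\t")):
                findings.append(PthFinding(full, idx, raw.strip(),
                                           name.endswith("-setup.pth")))
    return findings


def scan_all_site_dirs():
    """Scan every site-packages directory known to the running interpreter."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    out = []
    for d in dirs:
        out.extend(executable_pth_lines(d))
    return out


def demo_findings():
    """Build a constructed site-packages directory holding one benign and one
    suspicious .pth file, scan it, and return the findings."""
    tmp = tempfile.mkdtemp(prefix="pth-demo-")
    # Constructed benign .pth: a single path line, which only extends sys.path.
    with open(os.path.join(tmp, "editable-project.pth"), "w") as fh:
        fh.write("/opt/example/src\n")
    # Constructed suspicious .pth: an import line that site.py would exec().
    # The line itself is inert (imports os, reads the cwd); it is not the
    # campaign's payload, only a stand-in showing what gets flagged.
    with open(os.path.join(tmp, "example-setup.pth"), "w") as fh:
        fh.write("# looks harmless\n")
        fh.write("import os; _cwd = os.getcwd()\n")
    return executable_pth_lines(tmp)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f.path}:{f.lineno}: {f.line}  (setup-named={f.setup_named})")
```

Run it as-is to see the constructed demo; call scan_all_site_dirs() in a CI job or an endpoint check to audit a real environment. A non-empty result is not proof of compromise (some legitimate tools such as editable installs or coverage hooks use import lines), but every hit should be traceable to a package you deliberately installed.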


Source: thehackernews.com · Published June 9, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.6.5.