New Variant of Ongoing Campaign
A new wave of supply chain attacks, designated Hades, has been detected in the Python Package Index (PyPI) registry. The attack involved 37 malicious wheel artifacts distributed across 19 packages. This latest campaign is a direct evolution of the previously documented Miasma and Mini Shai-Hulud attack chains, which have been progressively refined to target specific software ecosystems. The attackers have shifted their operational markers, changing the description of the data exfiltration repository from references to “Miasma” to “Hades: The End for the Damned.”
Infection Mechanism and Payload
The compromised package versions shipped with a file named `*-setup.pth`. This file is designed to execute automatically whenever Python starts up. The initial execution downloads the Bun JavaScript runtime, a modern alternative to Node.js. The downloaded Bun runtime is then used to run a heavily obfuscated JavaScript payload called `_index.js`. This multilayered approach helps the malware evade detection while establishing a foothold on the developer’s system.
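The startup trick described above relies on how CPython's `site` module handles `.pth` files: any line in a `.pth` file under site-packages that begins with `import` is executed as Python code every time the interpreter starts, while all other lines are treated as plain `sys.path` entries. The following audit script is an added example written for this summary, not code from the article or from The Hacker News. It opens a wheel (a zip archive) before installation, or walks an already-installed site-packages directory, and reports every `.pth` file that either contains executable import lines or whose name matches the `*-setup.pth` convention the article attributes to this campaign. The sample wheel it builds, the `demo_pkg` package and the `demo_pkg._startup_hook` module name are constructed placeholders, not indicators from the article.

```python
"""Audit wheels and site-packages directories for .pth files that run code at
interpreter startup. Added example, not part of the original article."""
import fnmatch
import io
import sys
import zipfile
from pathlib import Path

# Naming convention the article reports for the compromised packages.
CAMPAIGN_NAME_PATTERN = "*-setup.pth"


def pth_executable_lines(text: str) -> list:
    """Return the lines of a .pth file that CPython's site module will exec().

    site.addpackage() executes any line starting with 'import ' or 'import\\t'
    at every interpreter start; every other non-comment line is just a path.
    """
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]


def classify_pth(file_name: str, text: str):
    """Describe why one .pth file deserves review, or return None if it does not."""
    exec_lines = pth_executable_lines(text)
    name_hit = fnmatch.fnmatch(file_name, CAMPAIGN_NAME_PATTERN)
    if not exec_lines and not name_hit:
        return None
    return {
        "file": file_name,
        "executable_lines": exec_lines,
        "name_matches_campaign_pattern": name_hit,
    }


def audit_wheel(wheel_bytes: bytes) -> list:
    """Inspect every .pth entry inside a wheel archive before it is installed."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for entry in zf.namelist():
            if not entry.endswith(".pth"):
                continue
            text = zf.read(entry).decode("utf-8", errors="replace")
            result = classify_pth(entry.rsplit("/", 1)[-1], text)
            if result:
                result["entry"] = entry
                findings.append(result)
    return findings


def audit_directory(root) -> list:
    """Inspect already-installed .pth files, e.g. under a site-packages directory."""
    findings = []
    for path in sorted(Path(root).rglob("*.pth")):
        text = path.read_text(encoding="utf-8", errors="replace")
        result = classify_pth(path.name, text)
        if result:
            result["entry"] = str(path)
            findings.append(result)
    return findings


def build_sample_wheel() -> bytes:
    """Constructed sample wheel for the demonstration; no real package is involved."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "")
        # Ordinary path-only .pth: nothing executes, so it is not reported.
        zf.writestr("demo_pkg.pth", "./demo_pkg_src\n")
        # Modelled on the import-line .pth that setuptools itself ships: reported
        # for review because it executes code, but its name is not the campaign's.
        zf.writestr("distutils-precedence.pth",
                    "import os; var = 'SETUPTOOLS_USE_DISTUTILS'; "
                    "enabled = os.environ.get(var, 'local') == 'local'\n")
        # Hypothetical startup hook using the campaign's naming convention
        # (placeholder module name, not an indicator from the article).
        zf.writestr("demo_pkg-setup.pth", "import demo_pkg._startup_hook\n")
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("sample wheel findings:", audit_wheel(build_sample_wheel()))
    for target in targets:
        p = Path(target)
        found = audit_wheel(p.read_bytes()) if p.suffix == ".whl" else audit_directory(p)
        for f in found:
            print(f"{f['entry']}: executable lines={f['executable_lines']!r} "
                  f"campaign-name-pattern={f['name_matches_campaign_pattern']}")
```

Run it with no arguments to see the findings for the constructed wheel, or pass one or more `.whl` files or a site-packages directory. The script reports rather than quarantines, because import-line `.pth` files are not malicious by themselves: setuptools installs `distutils-precedence.pth` and `*-nspkg.pth` shims that begin with `import`, so a reviewer still has to read what the flagged line imports and whether the package is expected to ship it.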
Scope of Data Harvesting
Once activated, the JavaScript stealer is capable of harvesting a wide range of sensitive information from infected development environments. The targeted data includes credentials and secrets for major platforms such as GitHub, npm, PyPI, RubyGems, and JFrog, as well as cloud providers like AWS, GCP, and Azure. Additionally, the stealer searches for Docker configurations, SSH keys, shell histories, environment files, and credentials accessible to CI/CD runners. The breadth of targeted data indicates the attackers are focused on compromising software supply chains by stealing the keys to critical development and deployment infrastructure.
Source: The Hacker News
