The Hacker News

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

The Hades campaign poisoned 19 packages in the Python Package Index (PyPI) registry with 37 malicious wheel artifacts this week, continuing a trend of refined and splintered supply chain attacks. Each compromised release shipped a *-setup.pth file designed to execute automatically upon installation. The malware's primary objective is to steal Bun JavaScript runtime credentials. The attack vector resembles the "Mini Shai-Hulud" campaign, which previously targeted developers by injecting malicious code into popular software libraries. The Hades campaign specifically targets developers using the Bun runtime, a sign of growing sophistication in supply chain attacks that aim to compromise particular development environments and steal sensitive information. The discovery highlights ongoing weaknesses in open-source package repositories and the persistent threat of malicious actors exploiting them to distribute malware.
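Why a .pth file is an execution hook: Python's site module processes every .pth file in site-packages at interpreter startup and exec()s any line that begins with "import " or "import\t", so a wheel that drops one at its top level runs code on every later Python launch. The following scanner is an added example, not code from the article or from the campaign; it builds a constructed in-memory wheel (a minimal zip with a hypothetical demo_pkg) and reports the .pth lines that site would execute.

```python
import io
import re
import zipfile

# site.addpackage() executes a .pth line only when it starts with "import " or
# "import\t" (no leading-whitespace stripping), so match exactly that prefix.
PTH_EXEC_LINE = re.compile(r"^import[ \t]")


def scan_wheel_for_pth_hooks(wheel_bytes):
    """Return (member_name, line) for every .pth line Python would exec at startup.

    Path-only .pth entries (the legitimate use) are not reported.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".pth"):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for line in text.splitlines():
                if PTH_EXEC_LINE.match(line):
                    findings.append((name, line))
    return findings


def scan_wheel_file(path):
    """Convenience wrapper for a wheel already downloaded to disk."""
    with open(path, "rb") as fh:
        return scan_wheel_for_pth_hooks(fh.read())


def build_sample_wheel(pth_name, pth_content):
    """Constructed minimal wheel-like zip for demonstration (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("demo_pkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("demo_pkg-1.0.dist-info/METADATA", "Name: demo_pkg\nVersion: 1.0\n")
        zf.writestr("demo_pkg-1.0.dist-info/RECORD", "")
        zf.writestr(pth_name, pth_content)  # .pth at the wheel root lands in site-packages
    return buf.getvalue()


# Constructed samples: a harmless path entry versus an import-prefixed hook line.
BENIGN_PTH = "demo_pkg\n"
HOOK_PTH = "import sys; sys.stderr.write('constructed hook line ran')\n"

if __name__ == "__main__":
    print(scan_wheel_for_pth_hooks(build_sample_wheel("demo_pkg-setup.pth", HOOK_PTH)))
    print(scan_wheel_for_pth_hooks(build_sample_wheel("demo_pkg.pth", BENIGN_PTH)))
```

Run it against a downloaded wheel with scan_wheel_file() before installing; an empty result means no .pth line in that archive would be executed at startup.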

Original source — read the full reporting at the publisher:

Read on The Hacker News
