A recently discovered variant of the Mini Shai-Hulud supply chain malware, dubbed “Hades,” was discovered in 23 new PyPI package versions targeting bioinformatics and AI-themed packages, Socket reported Monday.Socket first reported on the Hades variant on Sunday, when it discovered 37 malicious PyPI artifacts across 19 packages similarly targeting bioinformatics software. The variant is named for the Hades and Greek mythology-themed markers present in the GitHub repositories the malware uses for exfiltration of stolen data.Hades follows the same pattern as TeamPCP’s Mini Shai-Hulud malware, downloading the Bun JavaScript runtime to execute a JavaScript stealer that targets developer workstations and CI/CD environments for secrets such as package registry tokens, SSH keys, cloud secrets and other credentials, Socket said.Unlike the original Mini Shai-Hulud, which has targeted by npm and PyPI packages, and another variant called Miasma, which focused on npm, Hades appears to be specifically adapted for the PyPI ecosystem. The first wave of 37 malicious wheel artifacts used a .pth startup hook (*-setup.pth) to download Bun and execute the bundled JavaScript payload (_index.js) at every Python startup, similar to an npm install hook.
Related reading:
Some of the package versions in the latest wave also use this delivery pattern, while others were found to embed the malicious execution path inside a compiled .abi.so extension, Socket researchers explained. In these cases, the JavaScript payload is executed when Python imports the package and loads the extension; this is more difficult to detect, as the malicious component is not apparent when scanning the package’s .py files.A third delivery method was seen specifically in a malicious package called langchain-core-mcp, which uses the .pth startup hook to search sys.path for the JavaScript payload without bundling the payload itself with the package. This suggests a possible split delivery strategy where the payload is installed separately and langchain-core-mcp simply acts as a loader to later execute it.The _index.js stealer payload used in the latest attacks includes an apparent prompt injected targeted at large language model (LLM) analysis tools at the beginning of the code. The text instructs the LLM to assist with the production of biological and nuclear weapons, likely attempting to trigger a refusal by the AI to perform the analysis, the Socket researchers said.“This is not a magical bypass against static detection. YARA rules, entropy checks, AST parsing, string extraction, deobfuscation, and behavioral rules still work. But it is a practical anti-analysis trick against naïve LLM-first triage systems,” the researchers noted in their report.The Hades wave was found to have infected legitimate bioinformatics utilities including embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy and pyphetools. New typosquatted packages including langchain-core-mcp, rsquests, tlask, rlask and other MCP and AI-themed packages were also created by the attackers.Socket recommended defenders review Python environments for executable .pth files, recent Bun downloads, unfamiliar _index.js files and new .abi3.so extensions in response to this latest supply chain attack. Socket continues to track the latest Mini Shai-Hulud-related attacks, which have affected a total of 473 package artifacts across npm and PyPI since June 1, 2026.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds