
Hades PyPI Campaign Reveals Evolving Cross-Ecosystem Supply Chain Threats Targeting Developer Credentials and CI/CD Pipelines
Hades is a refined branch of the ongoing supply-chain malware campaigns, abusing PyPI to distribute Bun-powered stealers that harvest a broad set of developer credentials, with implications for critical infrastructure and research ecosystems.
The Hades wave extends the Mini Shai-Hulud and Miasma lineage by weaponizing Python's site module through *-setup.pth files dropped into site-packages: site.py reads every .pth file it finds at interpreter startup and executes any line that begins with import, so the payload runs each time Python starts rather than when the package is imported. Because execution is tied to interpreter startup rather than to pip install or to an import of the package, analysis that only exercises install-time hooks or the package's import path sees nothing. The technique mirrors npm install-hook abuse but uses Bun's lightweight runtime to run JavaScript credential harvesting against GitHub, cloud providers, and bioinformatics tools.

Beyond the package lists in earlier reports, the operation's Russian locale check and GitHub-centric exfiltration suggest targeted evasion of Western security scanners while probing sensitive domains such as genotype analysis; exfiltration over GitHub also blends into traffic that developer workstations generate constantly and egress filtering rarely blocks. Missed in initial coverage is the potential for downstream infrastructure compromise: AWS, Azure, and Kubernetes tokens stolen from developer machines could enable lateral movement into production systems, amplifying the risk well beyond individual accounts. A host on which a malicious .pth ran should be treated as compromised and every credential it held rotated; the file re-executes on every interpreter start and persists until it is removed.

Synthesizing Socket's technical breakdown with StepSecurity's observations on Bun persistence and prior Shai-Hulud analyses from the 2024-2025 campaigns shows a splintering pattern in which attackers refine entry points across npm and PyPI to maintain momentum. The bioinformatics cluster, which uses __init__.py hooks, further indicates domain-specific targeting that could expose proprietary research data, a vector overlooked in registry-focused alerts.
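The .pth mechanism described above is easy to audit once the parsing rule is known. The script below is an added example, not code from the Hades reports or from Socket or StepSecurity; it re-implements the rule CPython's site.addpackage() applies (a line starting with "import " or "import\t" is passed to exec(), comments and blank lines are skipped, everything else is a path entry), enumerates every .pth file in the interpreter's site directories regardless of filename, and flags exec'd lines with a heuristic indicator list. The indicator list, the LONG_LINE threshold and the SAMPLE_PTH content are assumptions constructed for the example.

```python
"""Audit .pth files for lines that Python's site module executes at startup.

Added example, not code from the Hades reports. Filenames are deliberately not
trusted: the campaign used *-setup.pth, but a name is trivial to change, so
every .pth in every site directory is read.
"""
import os
import re
import site
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

# Heuristic indicators for an exec()'d .pth line. This list is an assumption of
# the example, not an indicator set published in any report. Expect false
# positives: setuptools' own distutils-precedence.pth is a one-liner that calls
# __import__, and editable installs ship 'import sys; sys.__plen = ...' lines.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|compile\(|base64|marshal|zlib|subprocess|os\.system|"
    r"urllib|socket|\bbun\b|\bnpx\b|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
LONG_LINE = 250  # assumed threshold; setuptools/nspkg one-liners are shorter


@dataclass
class PthFinding:
    path: str
    lineno: int
    line: str
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def executable_pth_lines(text: str) -> List[Tuple[int, str]]:
    """(1-based lineno, line) for each line site.py would exec().

    The check is a prefix match with no strip(): an indented 'import' is a
    path entry, not code. One line may hold many ';'-separated statements,
    so the whole line is returned for inspection.
    """
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#") or line.strip() == "":
            continue
        if line.startswith(("import ", "import\t")):
            hits.append((n, line))
    return hits


def classify_line(line: str) -> List[str]:
    """Deduplicated, lower-cased indicator tokens found in one exec()'d line."""
    seen: List[str] = []
    for m in SUSPICIOUS.finditer(line):
        tok = m.group(0).lower()
        if tok not in seen:
            seen.append(tok)
    if len(line) > LONG_LINE:
        seen.append(f"long-line:{len(line)}")
    return seen


def scan_text(path: str, text: str) -> List[PthFinding]:
    return [PthFinding(path, n, ln, classify_line(ln))
            for n, ln in executable_pth_lines(text)]


def site_dirs() -> List[str]:
    """Directories site.py scans for .pth files in this interpreter."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    if site.ENABLE_USER_SITE:
        dirs.append(site.getusersitepackages())
    return [d for d in dirs if os.path.isdir(d)]


def scan_dirs(dirs: Iterable[str]) -> List[PthFinding]:
    findings: List[PthFinding] = []
    for d in dirs:
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            p = os.path.join(d, name)
            try:
                with open(p, encoding="utf-8", errors="replace") as f:
                    findings.extend(scan_text(p, f.read()))
            except OSError:
                continue
    return findings


# Constructed sample .pth content (not from any real package): a path entry, a
# benign editable-install line, an indented line site.py will NOT execute, and
# a one-liner that decodes and exec()s an embedded blob (placeholder base64).
SAMPLE_PTH = """\
# generated by example
/opt/vendor/libs
import sys; sys.__plen = len(sys.path)
  import os; os.system('id')
import base64,zlib;exec(zlib.decompress(base64.b64decode('QUFBQQ==')))
"""

if __name__ == "__main__":
    targets = sys.argv[1:] or site_dirs()
    for f in scan_dirs(targets):
        flag = "SUSPICIOUS" if f.suspicious else "exec-line "
        print(f"{flag} {f.path}:{f.lineno} {f.line[:120]} {f.indicators}")
```

Run it with no arguments to audit the current interpreter's site directories, or pass directories explicitly (a mounted disk image, another venv). Every exec'd line is printed, not only the flagged ones, because the legitimate set on a given machine is small enough to read by hand and an attacker can avoid any fixed token list.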
[SENTINEL]: Hades underscores how attackers are iterating on cross-language runtimes to evade detection, setting the stage for similar campaigns against Rust and Go registries within six months.
Sources (3)
- [1] Primary Source: https://thehackernews.com/2026/06/hades-pypi-attack-19-packages-poisoned.html
- [2] Socket Security, "Miasma to Hades Evolution": https://socket.dev/blog/hades-pypi-analysis
- [3] StepSecurity, "Bun Runtime in PyPI Attacks": https://stepsecurity.io/reports/hades-campaign