CRITICAL ⚡ MUST-KNOW
Shai-Hulud / Hades Supply Chain Campaign Hits 100+ npm and PyPI Packages
The ongoing Shai-Hulud supply chain campaign has spawned two new attack waves — Miasma (targeting GitHub/npm) and Hades (targeting PyPI) — compromising over 100 packages across both ecosystems. The Hades variant placed 37 malicious wheel artifacts across 19 PyPI packages; each shipped a *-setup.pth file that executes automatically on Python environment startup to run a Bun-based credential stealer. The self-propagating attack design is being actively refined and specialized to target individual ecosystems separately. Developers should audit installed packages for unexpected .pth files and verify package integrity against published checksums; remove any packages released by the affected maintainers since the campaign began.