Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave
A coordinated supply chain attack compromised 19 PyPI packages, utilizing malicious .pth files to achieve execution at Python startup. The loader downloads the Bun runtime to execute an obfuscated JavaScript stealer targeting developer secrets, cloud credentials, and CI/CD tokens, exfiltrating data via GitHub repositories and Actions.
- filename: _index.js - Obfuscated JavaScript payload dropped and executed by the Bun runtime
- filename: /tmp/.bun_ran - Sentinel file created by the loader to prevent repeated execution on Linux/macOS
- pypi_package: coolbox - High-impact compromised bioinformatics PyPI package
- pypi_package: dynamo-release - High-impact compromised bioinformatics PyPI package
- pypi_package: spateo-release - High-impact compromised bioinformatics PyPI package
- pypi_package: ufish - High-impact compromised bioinformatics PyPI package
- sha256: c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c - Malicious *-setup.pth loader file identical across all affected artifacts
- sha256: dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe - Obfuscated _index.js payload (Variant 1)
- sha256: e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d - Obfuscated _index.js payload (Variant 2)
- url: hxxps://api[.]anthropic[.]com/v1/api - Legitimate Anthropic API endpoint abused as network camouflage for exfiltration traffic
Detection / Hunter: Google
What Happened
Attackers took over a developer's PyPI account to publish malicious versions of 19 Python packages, primarily bioinformatics tools. When installed, these packages drop a .pth file that runs hidden code every time Python starts, downloading the Bun JavaScript runtime to run a credential-stealing script. This script hunts for passwords, cloud access keys, and developer tokens and sends them to the attackers through attacker-controlled GitHub repositories. Anyone who installed the affected versions should remove them immediately and rotate every credential and access key that was present on that machine.
Key Takeaways
- Attackers compromised 19 PyPI packages via maintainer account takeover, publishing 37 malicious wheels.
- The malware abuses Python's .pth file feature to achieve automatic execution during interpreter startup.
- The loader downloads the Bun JavaScript runtime to execute a heavily obfuscated JavaScript payload (_index.js).
- The payload acts as a broad credential stealer targeting developer secrets, cloud infrastructure keys, and CI/CD tokens.
- Exfiltration occurs via GitHub repositories using Hades-themed markers, with Anthropic API requests used as network camouflage.
Affected Systems
- Python environments
- CI/CD pipelines
- Developer machines (macOS, Linux, Windows)
- Bioinformatics tools (dynamo-release, spateo-release, coolbox, ufish)
Attack Chain
The attacker compromises a PyPI maintainer account and publishes malicious wheels containing a *-setup.pth file (identical across all affected artifacts) and an obfuscated _index.js payload. At every interpreter startup, site.py processes the .pth file and executes the import line it contains, so the loader runs without any code from the package ever being imported. The loader downloads the Bun JavaScript runtime archive from GitHub, extracts it to a temporary directory, and uses it to execute _index.js, which decrypts itself and steals a wide array of developer, cloud, and CI/CD credentials. Finally, the stolen data is exfiltrated by creating public GitHub repositories and uploading it as encrypted commits or GitHub Actions artifacts; a .bun_ran sentinel file stops the loader from repeating the download on later startups.
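The .pth trick is the whole of the initial execution step, so it is worth seeing it work and then auditing for it. The script below is an added example, not the article's code and not the malware: it writes a harmless .pth file whose import line only sets an environment variable, feeds the directory to site.addsitedir (the same routine site.py runs against every site directory at startup), and then scans site directories for .pth lines that execute code. The token list used to rate an import line as suspicious is an assumption drawn from the indicators listed under Key Behavioral Indicators (subprocess, urllib) plus a few neighbours; tune it for your environment.

```python
"""Demonstrate .pth code execution at interpreter startup and audit for it.

Added example; not from the original article or from the malware. The demo
.pth line only sets an environment variable. SUSPICIOUS_TOKENS is an assumed
watch-list, not a list published with the page.
"""
import os
import site
import tempfile

# site.py reads every *.pth in each site directory at startup. Lines are
# normally sys.path entries, but any line beginning with "import " is passed
# to exec() by site.addpackage(). That is the hook the loader abuses;
# site.addsitedir() drives the same code path on demand.
def demo_pth_execution():
    sitedir = tempfile.mkdtemp(prefix="pth-demo-")
    with open(os.path.join(sitedir, "demo-setup.pth"), "w") as f:
        f.write("import os; os.environ['PTH_DEMO_RAN'] = '1'\n")
    os.environ.pop("PTH_DEMO_RAN", None)
    site.addsitedir(sitedir)  # same processing the interpreter performs at startup
    ran = os.environ.get("PTH_DEMO_RAN") == "1"
    return ran, sitedir

# Assumed watch-list: names a .pth import line has no business touching.
SUSPICIOUS_TOKENS = ("subprocess", "urllib", "os.system", "socket", "base64",
                     "zipfile", "tempfile", "requests", "exec(", "eval(")

def classify_pth_line(line):
    """Return None for a plain sys.path entry, else (severity, reason)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if not stripped.startswith(("import ", "import\t")):
        return None  # ordinary path line; site.py never executes these
    hits = [t for t in SUSPICIOUS_TOKENS if t in stripped]
    if hits:
        return ("high", "import line references " + ", ".join(hits))
    return ("info", "import line executes code at startup; review")

def scan_pth_dirs(dirs):
    """Return (path, lineno, severity, reason) for every executing .pth line."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".pth"):
                continue
            path = os.path.join(d, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                for lineno, line in enumerate(f, 1):
                    verdict = classify_pth_line(line)
                    if verdict:
                        findings.append((path, lineno) + verdict)
    return findings

if __name__ == "__main__":
    ran, demo_dir = demo_pth_execution()
    print("demo .pth line executed by addsitedir():", ran)
    # Audit this interpreter's real site directories together with the demo dir.
    dirs = getattr(site, "getsitepackages", lambda: [])() + [site.getusersitepackages(), demo_dir]
    for finding in scan_pth_dirs(dirs):
        print(finding)
```

Expect a handful of "info" findings on a normal machine (editable installs, distutils-precedence.pth, _virtualenv.pth all use import lines legitimately); the "high" tier is what to chase. Run it inside each virtualenv and CI runner image, not just the system interpreter, because site directories differ per environment.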
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article provides behavioral indicators, static string patterns, and file paths for detection, but does not include pre-formatted detection rules.
Detection Engineering Assessment
EDR Visibility: Medium — EDR will likely detect the anomalous process tree (Python spawning Bun) and subsequent network connections, but the initial .pth file drop may blend in with legitimate package installations.
Network Visibility: Medium — Downloads from GitHub and exfiltration to GitHub use standard TLS, making payload inspection difficult. The Anthropic API traffic is camouflage but observable.
Detection Difficulty: Moderate — While the behavior (Python -> Bun -> Network) is highly anomalous, the use of legitimate platforms (GitHub, PyPI) and legitimate features (.pth files) complicates static detection.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon 1)
- File Creation (Sysmon 11)
- Network Connections (Sysmon 3)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for Python processes spawning bun or bun.exe as child processes, which is highly unusual and indicates potential runtime staging. | Process Creation | Execution | Low |
| If you have file creation visibility, look for Python processes writing .zip files to temporary directories and subsequently extracting binaries. | File Creation | Command and Control | Medium |
| Evaluate network telemetry for bun or Node-like runtimes making outbound HTTPS connections to api.anthropic.com/v1/api, which this campaign uses for network camouflage. | Network Connections | Exfiltration | Low |
| Consider hunting for the creation of hidden persistence files in developer directories, such as ~/.config/gh-token-monitor/ or .claude/setup.mjs. | File Creation | Persistence | Low |
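The first and third hypotheses are simple enough to express as code and to join on the process GUID. The following is an added example, not detection content from the article (which ships none): it runs over a few constructed Sysmon-style events (field names follow Sysmon Event ID 1 and 3: Image, ParentImage, ProcessGuid, DestinationHostname) and returns the matching events rather than printing them, so it can be dropped into a notebook or a log-pipeline test. The sample events are invented for the demonstration; the Windows path is there to show that separators are normalised.

```python
"""Hunt logic for 'Python spawns Bun/Node' and 'Bun/Node talks to api.anthropic.com'.

Added example; not from the article. SAMPLE_EVENTS are constructed, not real telemetry.
"""
JS_RUNTIMES = {"bun", "bun.exe", "node", "node.exe"}
CAMOUFLAGE_HOST = "api.anthropic.com"

def _base(path):
    # Normalise both separators so Windows and POSIX images compare the same.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_python(image):
    return _base(image).startswith("python")  # python, python3, python.exe, pythonw.exe

def python_spawning_js_runtime(events):
    """Sysmon 1 / 4688: a Python interpreter starting Bun or Node."""
    return [e for e in events
            if e["EventID"] == 1
            and is_python(e["ParentImage"])
            and _base(e["Image"]) in JS_RUNTIMES]

def js_runtime_to_camouflage_host(events):
    """Sysmon 3: Bun/Node connecting to the host the campaign uses as cover traffic.
    A python process itself talking to this host is normal SDK usage and is not matched."""
    return [e for e in events
            if e["EventID"] == 3
            and _base(e["Image"]) in JS_RUNTIMES
            and e.get("DestinationHostname", "").lower() == CAMOUFLAGE_HOST]

def correlate(events):
    """Join on ProcessGuid: a runtime that Python spawned and that then reached out."""
    spawned = {e["ProcessGuid"] for e in python_spawning_js_runtime(events)}
    return [e for e in js_runtime_to_camouflage_host(events) if e["ProcessGuid"] in spawned]

# Constructed events: one benign pip spawn, two Python->Bun spawns (Linux and Windows),
# a VS Code->node spawn, and three network events of which only one should correlate.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "/usr/bin/pip", "ParentImage": "/usr/bin/python3"},
    {"EventID": 1, "ProcessGuid": "{A2}", "Image": "/tmp/b/bun", "ParentImage": "/usr/bin/python3",
     "CommandLine": "/tmp/b/bun run _index.js"},
    {"EventID": 1, "ProcessGuid": "{A3}", "Image": "C:\\Users\\dev\\AppData\\Local\\Temp\\b\\bun.exe",
     "ParentImage": "C:\\Python312\\python.exe"},
    {"EventID": 1, "ProcessGuid": "{A4}", "Image": "/usr/local/bin/node", "ParentImage": "/usr/share/code/code"},
    {"EventID": 3, "ProcessGuid": "{A2}", "Image": "/tmp/b/bun", "DestinationHostname": "api.anthropic.com",
     "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{A4}", "Image": "/usr/local/bin/node", "DestinationHostname": "registry.npmjs.org",
     "DestinationPort": 443},
    {"EventID": 3, "ProcessGuid": "{A5}", "Image": "/usr/bin/python3", "DestinationHostname": "api.anthropic.com",
     "DestinationPort": 443},
]

if __name__ == "__main__":
    for e in python_spawning_js_runtime(SAMPLE_EVENTS):
        print("spawn:", e["ProcessGuid"], e["ParentImage"], "->", e["Image"])
    for e in correlate(SAMPLE_EVENTS):
        print("correlated:", e["ProcessGuid"], e["Image"], "->", e["DestinationHostname"])
```

The correlation is what keeps the false-positive rate low: Python tooling does occasionally spawn node (Jupyter extensions, language servers), and plenty of legitimate Python code talks to api.anthropic.com, but a runtime that Python itself started from a temp directory and that then connects out is the campaign's shape.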
Control Gaps
- Standard dependency vulnerability scanners (SCA) match installed versions against published advisories and do not inspect package behavior, so a freshly published malicious release is invisible to them until an advisory exists.
- Network egress filtering often allows traffic to GitHub, facilitating both payload staging and exfiltration.
Key Behavioral Indicators
- Python interpreter spawning a JavaScript runtime (Bun)
- Execution of .pth files containing subprocess.run or urllib.request
- Creation of .bun_ran sentinel files in temporary directories
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and remove any installations of the affected PyPI packages (e.g., dynamo-release, coolbox, ufish) from developer machines and CI/CD environments.
- Rotate all potentially exposed credentials on affected machines, prioritizing GitHub tokens, cloud provider keys (AWS, GCP, Azure), and package registry tokens.
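A small triage helper for the two steps above, added here as an example and not taken from the article: it lists installed distributions whose names match the 19 packages named on this page, checks for the host artifacts from the IOC list, and looks for the workflow markers ("Run Copilot", "format-results") inside a GitHub Actions workflow body. The page does not give the affected version ranges, so every installed copy of these names is reported for manual comparison against the advisory rather than declared malicious; the .github/workflows/codeql.yml path is common in clean repositories, which is why only the markers inside it are treated as an indicator. The exists argument is injectable so the logic can be tested without touching the filesystem.

```python
"""Triage: installed compromised package names, host artifacts, workflow markers.

Added example; not the article's code. Package names, paths and markers are
copied from this page; version ranges are not on the page and are not checked.
"""
import os
import re
import importlib.metadata as md

COMPROMISED = {
    "dynamo-release", "spateo-release", "coolbox", "ufish", "bramin", "cmd2func",
    "executor-engine", "executor-http", "funcdesc", "magique", "magique-ai", "mrbios",
    "napari-ufish", "nucbox", "okite", "pantheon-agents", "pantheon-toolsets",
    "synago", "uprobe",
}

def normalize(name):
    """PEP 503 normalisation: 'Dynamo_Release' and 'dynamo-release' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_installed_compromised(installed_names=None):
    """Names from COMPROMISED that are installed in this interpreter (or in the given list)."""
    if installed_names is None:
        installed_names = [d.metadata["Name"] for d in md.distributions()]
    return sorted({normalize(n) for n in installed_names if n} & COMPROMISED)

# Host artifacts from the page's IOC list; %TEMP% and ~ are expanded at call time.
HOST_ARTIFACTS = [
    "/tmp/.bun_ran", "/tmp/b.zip", "/tmp/b/bun",
    "%TEMP%/.bun_ran", "%TEMP%/b.zip", "%TEMP%/b/bun.exe",
    "~/.config/gh-token-monitor/", "~/.local/bin/gh-token-monitor.sh",
    "~/.config/systemd/user/gh-token-monitor.service",
    "~/Library/LaunchAgents/com.github.token-monitor.plist",
    "~/.local/share/updater/update.py",
]
WORKFLOW_MARKERS = ("Run Copilot", "format-results")

def expand(path):
    return os.path.expanduser(path.replace("%TEMP%", os.environ.get("TEMP", "/tmp")))

def check_artifacts(paths, exists=os.path.exists):
    """Subset of paths that exist; 'exists' is injectable for testing."""
    return [p for p in paths if exists(p)]

def workflow_markers(text):
    """Campaign markers present in a workflow file body (codeql.yml alone is not an indicator)."""
    return [m for m in WORKFLOW_MARKERS if m in text]

if __name__ == "__main__":
    print("installed compromised names:", find_installed_compromised())
    print("host artifacts present:", check_artifacts([expand(p) for p in HOST_ARTIFACTS]))
    wf = os.path.join(".github", "workflows", "codeql.yml")
    if os.path.isfile(wf):
        with open(wf, encoding="utf-8", errors="replace") as f:
            print("workflow markers:", workflow_markers(f.read()))
```

Run it under each interpreter and virtualenv a developer uses, and from the root of each checked-out repository for the workflow check; a hit on any host artifact means the loader already ran, so treat every credential that was readable on that machine as exposed regardless of whether the package is still installed.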
Infrastructure Hardening
- Consider implementing strict egress network filtering on CI/CD runners to prevent unauthorized downloads of external runtimes like Bun.
- Evaluate whether dependency pinning and hash-checking can be enforced in your build pipelines to prevent automatic ingestion of compromised package updates.
User Protection
- If your EDR supports it, consider creating behavioral rules to alert on Python processes spawning unexpected child runtimes (e.g., Bun, Node).
- Evaluate implementing local credential vaults or short-lived tokens to minimize the impact of developer machine credential theft.
Security Awareness
- Consider training developers on the risks of supply chain attacks and the importance of reviewing dependency updates before installation.
- Remind engineering teams to report anomalous application behavior, such as unexpected terminal windows or unusual CPU usage during Python execution.
MITRE ATT&CK Mapping
- T1078 - Valid Accounts
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1546 - Event Triggered Execution
- T1059.006 - Command and Scripting Interpreter: Python
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1105 - Ingress Tool Transfer
- T1027 - Obfuscated Files or Information
- T1552.004 - Unsecured Credentials: Private Keys
- T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository
Additional IOCs
- File Paths:
  - %TEMP%\.bun_ran - Sentinel file created by the loader to prevent repeated execution on Windows
  - /tmp/b.zip - Downloaded Bun runtime archive on Linux/macOS
  - %TEMP%\b.zip - Downloaded Bun runtime archive on Windows
  - /tmp/b/bun - Extracted Bun runtime executable on Linux/macOS
  - %TEMP%\b\bun.exe - Extracted Bun runtime executable on Windows
  - ~/.config/gh-token-monitor/ - Persistence directory created by the payload
  - ~/.local/bin/gh-token-monitor.sh - Persistence script created by the payload
  - ~/.config/systemd/user/gh-token-monitor.service - Systemd service created for persistence
  - ~/Library/LaunchAgents/com.github.token-monitor.plist - macOS LaunchAgent created for persistence
  - ~/.local/share/updater/update.py - Follow-on artifact dropped by the payload
  - .claude/setup.mjs - Claude/MCP configuration persistence artifact
  - .github/setup.js - GitHub Actions persistence artifact
  - .github/workflows/codeql.yml - Modified GitHub Actions workflow file
- Command Lines:
  - bun run _index.js - Purpose: Executes the obfuscated JavaScript payload using the downloaded Bun runtime | Tools: bun | Stage: Execution
- Other:
  - bramin - Compromised PyPI package
  - cmd2func - Compromised PyPI package
  - executor-engine - Compromised PyPI package
  - executor-http - Compromised PyPI package
  - funcdesc - Compromised PyPI package
  - magique - Compromised PyPI package
  - magique-ai - Compromised PyPI package
  - mrbios - Compromised PyPI package
  - napari-ufish - Compromised PyPI package
  - nucbox - Compromised PyPI package
  - okite - Compromised PyPI package
  - pantheon-agents - Compromised PyPI package
  - pantheon-toolsets - Compromised PyPI package
  - synago - Compromised PyPI package
  - uprobe - Compromised PyPI package
  - IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully - GitHub commit marker used for exfiltration
  - "Hades - The End for the Damned" - GitHub repository description used for exfiltration
  - "Run Copilot" - Malicious GitHub Actions workflow name
  - format-results - Malicious GitHub Actions artifact name