socket.dev web signal

Hades Cluster Backdoors 19 PyPI Research Packages

cybersecurity open source supply-chain cybersecurity python

Key insights

  • Socket found 37 malicious PyPI wheels across 19 packages that execute a .pth startup file at interpreter launch, requiring no user import.
  • The Hades cluster steals credentials from GitHub Actions, AWS, GCP, Azure, Kubernetes, publishing pipelines (npm, PyPI, JFrog), and Claude/MCP configs.
  • Affected packages include widely used bioinformatics tools with low-to-mid hundreds of thousands of cumulative downloads, broadening the attack surface into research computing.

Why this matters

The .pth startup hook mechanism fires before any package import, meaning the malicious payload executes without any user action beyond having the package installed. Targeting bioinformatics tools with low-to-mid hundreds of thousands of cumulative downloads concentrates the attack on research and academic environments that feed data-intensive CI/CD pipelines. The credential sweep spans GitHub Actions secrets, AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, Kubernetes service-account tokens, and publishing credentials for npm, PyPI, and RubyGems, meaning a single compromised developer environment could expose both cloud infrastructure and software supply chains.

Summary

Socket found 37 malicious wheels across 19 PyPI packages, including bioinformatics tools dynamo-release, spateo-release, and coolbox, which carry low-to-mid hundreds of thousands of combined downloads. Each compromised release bundles a *-setup.pth file that fires at Python interpreter startup, no import needed. It downloads Bun v1.3.13 and runs a JavaScript stealer sweeping for GitHub Actions secrets, AWS, GCP, Azure, Kubernetes, SSH keys, shell histories, and Claude/MCP configs. Essentially: (Socket Research Team) ties this Hades cluster to the Mini Shai-Hulud/Miasma lineage, now using Greek underworld markers (Styx, Tartarus, Cerberus) instead of the campaign's earlier Zelda references. - Malicious repos carry the description "Hades - The End for the Damned" and a workflow named "Run Copilot" to blend with legitimate automation. - A commit marker reading "IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully" was planted to deter incident responders from revoking stolen tokens. Targeting established research tools with large install bases is deliberate: those environments feed CI/CD pipelines stocked with cloud and publishing credentials.

Potential risks and opportunities

Risks

  • Developers who installed compromised versions of dynamo-release, spateo-release, or coolbox before June 7, 2026 may have exposed AWS, GCP, and Azure credentials, leaving cloud environments at risk until full secret rotation is confirmed.
  • The IfYouYankThisTokenItWillNukeTheComputerOfTheOwnerFully commit marker signals attackers anticipated incident response and may have staged stolen tokens in separate infrastructure before defenders could rotate them.
  • Research and academic institutions that installed affected packages via automated dependency updates face credential exposure across SSH keys, shell histories, and cloud CLI caches, all categories Socket confirmed the stealer actively sweeps.

Opportunities

  • PyPI security vendors like Socket, and competitors offering pre-install behavioral sandboxing, gain a documented case of .pth startup hook abuse that highlights the limits of import-time-only scanning.
  • Cloud providers promoting short-lived credential services, including AWS STS (an explicitly targeted credential type in the Hades sweep), can use this incident to accelerate time-limited token adoption in research computing environments.
  • Bioinformatics platform vendors serving labs that depend on dynamo-release or spateo-release can differentiate on supply-chain hardening by offering verified-clean package mirrors and automated credential rotation workflows.

What we don't know yet

  • Whether bioinformatics organizations using dynamo-release or spateo-release have confirmed active credential exfiltration before Socket's June 7, 2026 disclosure.
  • Attribution beyond the Shai-Hulud/Miasma lineage pattern: no threat actor group, nation-state affiliation, or financial motive is named in Socket's disclosure.
  • How many developer environments executed the malicious .pth payload before PyPI removal, given the packages carried low-to-mid hundreds of thousands of cumulative downloads.

Originally reported by socket.dev

Read the original article →

Original headline: Hades Cluster PyPI Worm Abuses Python Startup Hooks — 37 Malicious Wheels Across 19 Packages Harvest CI/CD Credentials