PyPI Supply Chain Attack Exploits Malware Startup Hooks at Scale
- Jun 7
- 3 min read
Key Findings
Coordinated PyPI supply chain attack compromised multiple popular open-source packages through maintainer account takeover
Malware uses Python startup hooks (.pth files) to execute automatically during installation without requiring explicit package imports
448 affected artifacts identified spanning both npm and PyPI registries
Threat actors dubbed the Hades cluster, part of broader Shai-Hulud and Miasma malware lineage
Socket malware detection systems identified the malicious cluster within minutes of publication
Stolen credentials used to exfiltrate data via GitHub repositories with decoy traffic routed through Anthropic AI servers
Background
Cybersecurity researchers recently detected a coordinated campaign targeting Python developers through the PyPI package registry. Threat actors successfully compromised legitimate open-source packages by taking over maintainer accounts and injecting malicious code directly into repositories. This represents a significant escalation in ecosystem-specific attack strategies, moving rapidly across different open-source platforms over the past several days.
The Hades Cluster and Broader Context
Security analysts have named the newly discovered malware branch the Hades cluster, identifiable by unique Greek mythology references in its operational markers. However, this attack is not isolated. It belongs to the notorious Shai-Hulud and Miasma malware lineage, indicating a larger organized campaign. Security trackers are currently monitoring 448 affected artifacts spanning both npm and PyPI registries as the broader threat continues to spread.
Python Startup Hook Exploitation
The attack leverages a critical vulnerability in Python's initialization process. Compromised releases contain hidden configuration files with a .pth extension that execute automatically during Python startup. According to technical analysis, these files download the Bun JavaScript runtime and execute an obfuscated JavaScript payload named _index.js without requiring any explicit package import.
This means the malware runs instantly on any local test or CI/CD job, creating an immediate execution edge before code review occurs.
Why .pth Files Create Severe Risk
Python's legacy .pth file feature was originally designed to add directory paths to the system environment. However, the Python interpreter natively executes any lines starting with an import statement during initialization. This historical design choice gives threat actors a powerful backdoor into systems.
An attacker can transform a passive background dependency into an active weapon with a single startup hook. The behavior mirrors dangerous npm install-hook exploitation, meaning installation itself becomes the execution trigger rather than later package usage.
Cross-Runtime Execution Strategy
Once triggered, the startup hook downloads an unexpected execution environment. The loader fetches a standalone copy of the Bun JavaScript runtime directly from GitHub, enabling complex JavaScript payloads to run on Python systems. This cross-runtime approach works because the malware creators do not assume Node.js or Python environments are already configured on target machines.
Instead, they build isolated execution engines inside local temporary directories, making the attack portable across diverse development environments.
Extensive Credential Harvesting
The underlying JavaScript payload executes a comprehensive sweep for highly sensitive credentials and authentication tokens. The code actively searches for cloud authentication tokens, private SSH keys, and access credentials for major platforms including AWS, Google Cloud, Azure, and Kubernetes.
Additionally, it harvests access tokens for package registries like npm and PyPI. By stealing these credentials, attackers can deepen their access or propagate further attacks across victim organizations.
Stealthy Exfiltration Methods
The malware uses legitimate cloud platforms as network camouflage to steal information quietly. It sends decoy traffic to Anthropic AI servers to confuse network logs and intrusion detection systems. Meanwhile, actual exfiltration occurs through automated GitHub interactions.
The payload automatically creates public code repositories to host stolen data, using specific descriptions like Hades - The End for the Damned to identify malicious repositories within the attacker's infrastructure.
Targeted Impact and Response
This dangerous PyPI supply chain attack heavily impacts specific scientific research communities, particularly affecting established bioinformatics and deep-learning toolkits with hundreds of thousands of cumulative downloads. Fortunately, proactive Socket malware detection helped isolate threats before widespread damage occurred.
Organizations must immediately remove infected packages and completely rotate all exposed developer credentials. Developers should check their deployment pipelines to prevent data theft and verify that no malicious code executed on their systems during package installation.
Sources
https://securityonline.info/pypi-supply-chain-attack/
https://x.com/the_yellow_fall/status/2063526614361858194

Comments