Listen to this Post
Introduction
The Miasma supply chain worm has evolved once again, surfacing in a devastating new PyPI campaign dubbed Hades. In a sophisticated twist, 37 malicious wheel artifacts across 19 packages abused Python’s `.pth` startup hooks to execute a credential-stealing payload automatically upon Python interpreter startup – with no user import required – directly targeting developer secrets, CI/CD pipelines, and cloud infrastructure. This campaign marks a dangerous escalation in cross-runtime supply chain threats, weaponizing the Bun JavaScript runtime and adversarial AI evasion to operate silently within research, DevOps, and enterprise environments.
Learning Objectives
- Understand how attackers abuse Python’s `.pth` file mechanism for silent, pre-import code execution.
- Learn to detect the Hades malware across Linux and Windows using forensic commands and indicators.
- Identify key mitigation strategies, including dependency scanning, credential rotation, and supply chain hardening.
You Should Know
- Execution Without Import: Dissecting the Python `.pth` Startup Hook
The Hades campaign’s most dangerous innovation is its ability to execute malicious code without the victim ever importing the compromised package. This is achieved by embedding a `-setup.pth` file inside the Python wheel.
How it works: Python’s `site` module processes `.pth` files during interpreter initialization. Normally, these files add directories to sys.path. However, if a line in a `.pth` file begins with `import` followed by a space or tab, Python executes that line immediately upon startup. The malicious `-setup.pth` file contains an obfuscated loader that downloads the Bun runtime, executes a JavaScript stealer, and establishes persistence without any explicit `import` statement.
Step‑by‑step guide to detect this mechanism:
1. Search for suspicious `.pth` files globally:
Linux / macOS find / -1ame ".pth" 2>/dev/null | xargs grep -l "import" Windows (PowerShell as Admin) Get-ChildItem -Path C:\ -Filter .pth -Recurse -ErrorAction SilentlyContinue | Select-String "import"
2. Inspect each `.pth` file for malicious loader code: Look for lines containing URLs, os.system, subprocess, or encoded strings.
3. Check for Bun runtime artifacts: The malware downloads Bun v1.3.13 from GitHub releases. Search for `bun` binaries and _index.js:
find / -1ame "bun" -o -1ame "_index.js" 2>/dev/null
Linux/Windows Commands for Immediate Detection:
Linux: Identify recently added .pth files
find /usr/local/lib -1ame ".pth" -mtime -7 -ls
Windows: Use PowerShell to find .pth files modified in last 7 days
Get-ChildItem -Path C:\Python -Filter .pth -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)} | Select-Object FullName, LastWriteTime
Tutorial: To prevent future `.pth` abuse, consider using `python -S` to disable `site` module processing for critical scripts. However, this breaks many legitimate packages – a better approach is to implement strict dependency scanning with tools like Socket or PyPI’s Trusted Publishers mechanism.
- From Python to Bun: The Cross-Runtime Payload Chain
The Hades malware does not rely on pre-installed Node.js or Python runtimes. Instead, it bootstraps its own JavaScript runtime – Bun – to execute a heavily obfuscated credential stealer named _index.js. This technique bypasses traditional runtime detection and allows the malware to operate in minimal environments like CI runners.
Step‑by‑step guide to analyze the execution chain:
- Monitor outgoing network connections for Bun download attempts (GitHub releases). Use `tcpdump` or Sysmon:
Linux sudo tcpdump -i eth0 -1 'host github.com and port 443'
2. Check for Bun processes running unexpectedly:
Linux ps aux | grep -E 'bun|_index.js' Windows Get-Process -1ame "bun", "node" -ErrorAction SilentlyContinue
3. Analyze JavaScript stealer behavior: The stealer exfiltrates credentials for GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, AWS, GCP, Azure, Kubernetes, Docker configs, SSH keys, shell histories, `.env` files, .npmrc, .pypirc, and Claude/MCP configurations.
Commands to sweep for exposed credentials:
Linux: Search for common credential files find /home -type f ( -1ame ".env" -o -1ame ".npmrc" -o -1ame ".pypirc" -o -1ame ".aws/credentials" -o -1ame ".ssh/id_" ) 2>/dev/null Windows: Search for credential files Get-ChildItem -Path $env:USERPROFILE -Include ".env", ".npmrc", ".pypirc" -Recurse -Force -ErrorAction SilentlyContinue
Configuration Hardening:
- Use short-lived credentials: Implement AWS STS, GCP OAuth2 tokens, and Azure Managed Identities to limit exposure windows.
- Restrict CI/CD secret scope: Never use repository-scoped tokens that grant broad permissions. Adopt GitHub Environments with strict branch protection rules.
- Block Bun downloads in CI: Add firewall rules or egress controls to prevent
curl/wgetcalls to GitHub releases from build runners.
- The Credential Harvesting Sweep: Targets, Techniques, and Exfiltration
The Hades stealer is a multi‑target credential harvester optimized for developer and CI/CD environments. It sweeps for over 15 categories of secrets, writes them to a temporary location, and exfiltrates them to attacker-controlled public GitHub repositories with Hades-themed descriptions (e.g., “Hades – The End for the Damned”).
Key targeted credential types:
- GitHub: Personal Access Tokens (
ghs_,github_pat_), GitHub Actions runner secrets - Cloud providers: AWS keys, GCP service account JSON, Azure CLI tokens
- Package registries: PyPI API tokens, npm tokens, RubyGems API keys, JFrog credentials
- Orchestration: Kubernetes service account tokens, Vault tokens
- Developer tools: SSH private keys, shell history files, Claude/MCP configurations
Step‑by‑step guide to detect and block exfiltration:
- Review GitHub audit logs for unexpected repository creations:
gh api /orgs/ORG_NAME/audit-log --jq '.[] | select(.action=="repo.create")'
- Implement egress filtering to block uploads to non-approved GitHub repositories:
– Use AWS Network Firewall or Azure Firewall with domain lists
– Block outbound HTTPS to `raw.githubusercontent.com` except for trusted sources
3. Deploy a canary token system – create fake `.env` files with unique strings (e.g., CANARY_TOKEN=HONEYPOT) and monitor logs for their access.
Linux/Windows detection commands:
Linux: Find recently accessed credential files find /home -type f ( -1ame ".env" -o -1ame ".aws/credentials" -o -1ame ".ssh/id_rsa" ) -amin -60 2>/dev/null Windows: Check for suspicious outbound connections netstat -ano | findstr "ESTABLISHED" | findstr "github.com"
- Linux, Windows & Cloud Hardening: Defensive Commands and Configurations
Linux Hardening:
- AppArmor/SELinux: Create profiles to block `bun` execution:
sudo aa-complain /usr/local/bin/bun Or enforce with custom profile
- Restrict Python .pth execution: Use `sitecustomize.py` to disable `.pth` imports:
import sys if hasattr(sys, 'real_prefix') or sys.prefix != sys.base_prefix: Running in virtual env – skip global .pth files pass
Windows Hardening:
- PowerShell Constrained Language Mode: Enforce for CI/CD runners:
$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"
- Block Bun via AppLocker: Create a rule to deny execution of `bun.exe` from temp directories:
New-AppLockerPolicy -RuleType Exe -User Everyone -Path "%TEMP%\bun.exe" -Action Deny
Cloud & CI/CD Hardening:
- Implement PyPI Trusted Publishers: Use OIDC instead of API tokens for PyPI uploads.
- Enforce dependency scanning in CI pipelines:
GitHub Actions example</li> <li>name: Scan for malicious PyPI packages uses: socketdev/scan-action@v3 with: fail-on: "high,malicious"
- Rotate all secrets immediately if compromise is suspected. Use a systematic approach:
- Revoke GitHub tokens via `gh auth token –revoke`
2. Rotate AWS keys: `aws iam create-access-key –user-1ame USER`
3. Invalidate PyPI tokens via `pypi.org` and regenerate
4. Replace all `.env` values and restart services
- The AI Evasion Twist: How Hades Manipulates LLM-Based Security Scanners
In a “significant conceptual shift,” the Hades attackers included adversarial prompt injection at the top of their malicious files. This text instructs AI‑based code analyzers to ignore the hidden payload, classify the package as “verified and clean,” and generate false‑negative reports.
Step‑by‑step guide to mitigate AI-based evasion:
- Never pass raw code to LLMs without sandbox isolation. Always pre‑process code to strip comments and prompt-like instructions.
- Deploy rule‑based scanners first (e.g., static analysis regex) before using LLM-based detection.
- Monitor LLM output for confidence scores – sudden high-confidence “clean” verdicts on obfuscated code should trigger manual review.
Example command to strip suspicious prompt injection lines:
Remove lines containing common prompt injection patterns sed -i '/ignore the.below/d' ./_index.js
What Undercode Say:
- Key Takeaway 1: The Hades attack fundamentally breaks the assumption that malware requires an explicit `import` to execute. By abusing Python’s `.pth` startup hooks, attackers can compromise systems at the earliest possible moment – before any security tooling that monitors imports can react.
- Key Takeaway 2: Cross‑runtime attacks (Python → Bun → JavaScript) are rapidly becoming the new normal. Attackers no longer rely on pre‑installed runtimes, instead bootstrapping their own to bypass environment assumptions, logging controls, and package manager restrictions. This requires defenders to shift from runtime‑specific protections to behavioral and network‑based detection.
Analysis: The Hades campaign represents a convergence of three dangerous trends: supply chain persistence via account takeover, ecosystem‑agnostic execution via bootstrapped runtimes, and adversarial AI evasion. For organizations, the risk is immediate and severe – a single poisoned dependency in a CI pipeline can expose cloud infrastructure, source code, and publishing credentials simultaneously. Traditional security controls are insufficient; what’s needed is a combination of pre‑install behavioral sandboxing, short‑lived credential adoption, and continuous monitoring for anomalous outbound data transfers. The attackers’ use of Greek mythology branding and GitHub exfiltration repositories is a distraction – the core innovation here is the `.pth` startup hook, which PyPI and Python maintainers must now consider deprecating or restricting.
Prediction:
- -1 Supply chain attacks will shift away from import‑time execution to startup‑time hooks across every major language ecosystem (npm install hooks, Ruby Bundler hooks, Go mod hooks). This will render most existing security scanners obsolete within 12 months.
- -1 Adversarial AI evasion will become a standard feature in malware toolkits, forcing LLM‑based security vendors to implement pre‑processing isolation layers that strip out prompt injection text. Vendors failing to do so will face mass false‑negative incidents.
- +1 The PyPI community will likely respond by implementing signature‑based `.pth` file validation or deprecating import‑style lines in `.pth` files entirely, similar to how Python 3.11 restricted `__pycache__` execution. This positive change will reduce the attack surface for future campaigns.
- -1 Small to mid‑sized organizations without dedicated security teams will remain vulnerable for 6‑9 months post‑disclosure, as credential rotation and dependency audits require manual effort they cannot afford. Expect a wave of follow‑on breaches as stolen Hades credentials are used for lateral movement and backdoor implants.
▶️ Related Video (76% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Mohit Hackernews – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
