Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave
Blog post from Socket
A coordinated attack on the Python Package Index (PyPI) published 37 malicious wheel artifacts across 19 packages. Each wheel ships a setup.pth file that launches a JavaScript payload through the Bun runtime during Python startup: the interpreter's site module executes any .pth line that begins with `import` on every start, so the payload runs whenever Python is invoked in an environment where the wheel is installed, not just at install time. The campaign, identified by Socket's AI malware detection system, belongs to the Shai-Hulud/Miasma lineage and shares its cross-runtime design and heavy obfuscation. The payload targets developer and CI/CD credentials and uses GitHub for exfiltration, now with Hades-themed markers.

The incident shows how a trusted package channel can be turned against its users: the malicious versions were published under established bioinformatics tools, and a startup hook in a .pth file is easy to overlook during dependency review. PyPI has quarantined some of the compromised releases. Affected organizations should remove the malicious versions, rebuild environments from known-good images rather than patching in place, and rotate every credential that was reachable from an affected developer machine or CI runner, across all ecosystems those credentials touch.
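Because the `import` hook in a .pth file is the execution primitive here, a quick check is to list every .pth line that the site module would execute at startup. The scanner below is an added example and is not Socket's detector or the campaign's own code; the token list is a constructed heuristic, and the sample .pth files it creates are stand-ins for illustration, not the real artifacts.

```python
"""List .pth lines that the site module would execute at interpreter startup."""
import re
import site
import tempfile
from pathlib import Path

# site.py executes any .pth line that begins with "import " or "import\t";
# every other non-comment line is appended to sys.path as a directory.
IMPORT_LINE = re.compile(r"^import[ \t]")

# Constructed heuristics for this example (not Socket's rules): tokens that turn
# an import hook into an arbitrary code runner or a cross-runtime launcher.
HIGH_RISK_TOKENS = ("os.system", "subprocess", "exec(", "eval(", "__import__",
                    "base64", "bun ", "node ", "npx ", "curl ", "wget ", "/tmp/")


def classify_pth_line(line: str):
    """Return None for inert lines, 'import' for a bare module import,
    'exec' for an import line that chains further statements, and 'high'
    when the chained code also contains a high-risk token."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    if not IMPORT_LINE.match(stripped):
        return None          # plain sys.path entry; never executed
    if ";" not in stripped:
        return "import"      # e.g. "import _virtualenv": still code, but reviewable
    lowered = stripped.lower()
    if any(tok in lowered for tok in HIGH_RISK_TOKENS):
        return "high"
    return "exec"


def scan_pth_files(dirs):
    """Walk each directory for *.pth files and report every line that runs code."""
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for pth in sorted(base.glob("*.pth")):
            lines = pth.read_text(errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                verdict = classify_pth_line(line)
                if verdict is not None:
                    findings.append({"file": str(pth), "line": lineno,
                                     "severity": verdict, "text": line.strip()})
    return findings


def build_sample_site_dir() -> str:
    """Create a throwaway directory of constructed .pth files (sample data for
    this example, not the campaign's artifacts)."""
    d = Path(tempfile.mkdtemp(prefix="pth-scan-"))
    # Benign: an editable-install path entry and a bare import hook
    (d / "easy-install.pth").write_text("/opt/project/src\n")
    (d / "_virtualenv.pth").write_text("import _virtualenv\n")
    # Constructed stand-in for a startup hook that hands off to another runtime
    (d / "setup.pth").write_text(
        "import os; os.system('bun /tmp/loader.js')  # constructed example line\n")
    return str(d)


if __name__ == "__main__":
    dirs = [build_sample_site_dir()] + site.getsitepackages() + [site.getusersitepackages()]
    for f in scan_pth_files(dirs):
        print(f"[{f['severity']:6}] {f['file']}:{f['line']}: {f['text']}")
```

Run it inside each virtual environment and CI image you rebuild: a bare `import` line from a known tool is expected, but any `import` line chaining further statements deserves a look, and one that spawns another runtime or touches a temp path is the pattern this campaign relies on. The heuristic is deliberately loose, so treat its output as a review list rather than a verdict.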