A new variant of the Mini Shai-Hulud supply chain malware, dubbed Hades, has been found in 23 additional PyPI package versions targeting bioinformatics and Artificial Intelligence-themed packages, Socket reported Monday. Socket first reported on the Hades variant on Sunday, when it discovered 37 malicious PyPI artifacts across 19 packages that similarly targeted bioinformatics software. The variant is named for the Hades and other Greek mythology-themed markers found in the GitHub repositories the malware uses to exfiltrate stolen data.
Hades follows the same pattern as TeamPCP’s Mini Shai-Hulud malware: it downloads the Bun JavaScript runtime and uses it to execute a JavaScript stealer that targets developer workstations and CI/CD environments for secrets such as package registry tokens, SSH keys, cloud secrets and other credentials, Socket said. Unlike the original Mini Shai-Hulud, which has targeted both npm and PyPI packages, and the Miasma variant, which focused on npm, Hades appears to be adapted specifically for the PyPI ecosystem. The first wave of 37 malicious wheel artifacts used a .pth startup hook (*-setup.pth) to download Bun and execute the bundled JavaScript payload (_index.js) every time the Python interpreter starts, the PyPI equivalent of an npm install hook.
Some package versions in the latest wave use the same delivery pattern, while others embed the malicious execution path inside a compiled .abi.so extension, Socket researchers explained. In those cases the JavaScript payload runs when Python imports the package and loads the extension, which makes detection harder because the malicious component does not appear in a scan of the package’s .py files. A third delivery method appeared in langchain-core-mcp, which uses the .pth startup hook to search sys.path for the JavaScript payload without bundling the payload itself, suggesting a split delivery strategy in which this package acts only as a loader.
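The three delivery mechanisms described above all leave artifacts that can be checked without executing the package: a .pth file whose lines begin with `import` (the only form of .pth line that site.py executes at interpreter startup), a bundled `_index.js`, and a compiled .abi*.so extension that references that payload name. The following auditor is an added example written for this article; it is not code from Socket or from the report. The token list, the wheel name `examplepkg-1.0-py3-none-any.whl` and the sample members it builds are constructed for the demonstration, and the regex for the Bun runtime name is a heuristic assumption, not a published signature.

```python
"""Audit a wheel and the local site-packages for the Hades-style delivery
patterns described in the report: executable .pth startup hooks, a bundled
_index.js payload, and compiled .abi*.so extensions that reference it.
Added example for this article; not code from Socket or the report."""
import os
import re
import site
import tempfile
import zipfile

# Heuristic tokens (assumption based on the report's description of the hook:
# it downloads the Bun runtime and runs _index.js). Not Socket signatures.
SUSPICIOUS_TOKENS = ("subprocess", "os.system", "urllib", "requests",
                     "bun", "_index.js", "base64", "exec(", "eval(")
PAYLOAD_NAME = "_index.js"


def pth_hooks(pth_text):
    """Return the lines of a .pth file that site.py will execute.

    site.py runs any line beginning with 'import ' or 'import\\t'; every
    other non-comment line is treated as a directory to add to sys.path."""
    return [ln for ln in pth_text.splitlines()
            if ln.startswith(("import ", "import\t"))]


def classify_pth(pth_text):
    """'path-only': no executable lines (the common, benign case).
    'hook': executes code but references none of the flagged tokens
            (e.g. virtualenv's 'import _virtualenv').
    'suspicious': an executable line mentions a flagged token."""
    hooks = pth_hooks(pth_text)
    if not hooks:
        return "path-only"
    if any(tok in ln.lower() for ln in hooks for tok in SUSPICIOUS_TOKENS):
        return "suspicious"
    return "hook"


def audit_wheel(wheel_path):
    """Return (member, finding) pairs for a wheel showing the patterns above."""
    findings = []
    with zipfile.ZipFile(wheel_path) as zf:
        for name in zf.namelist():
            base = os.path.basename(name)
            if base.endswith(".pth"):
                verdict = classify_pth(zf.read(name).decode("utf-8", "replace"))
                if verdict != "path-only":
                    findings.append((name, "pth-" + verdict))
            elif base == PAYLOAD_NAME:
                findings.append((name, "bundled-js-payload"))
            elif ".abi" in base and base.endswith(".so"):
                # A compiled extension has no reason to carry the payload name.
                blob = zf.read(name)
                if PAYLOAD_NAME.encode() in blob or re.search(rb"\bbun\b", blob):
                    findings.append((name, "extension-references-payload"))
    return findings


def audit_site_packages():
    """Classify every .pth in the interpreter's site-packages directories,
    so an already-installed hook is found even if the wheel is gone."""
    results = {}
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for fn in os.listdir(d):
            if fn.endswith(".pth"):
                full = os.path.join(d, fn)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    results[full] = classify_pth(fh.read())
    return results


def build_sample_wheel(directory=None):
    """Write a CONSTRUCTED wheel that mimics the reported layout so the auditor
    can be exercised offline. Nothing in it is real malware: the .pth line only
    has the shape the report describes, the .js file is a comment, and the .so
    is a fake ELF header followed by the payload name."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "examplepkg-1.0-py3-none-any.whl")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("examplepkg/__init__.py", "VERSION = '1.0'\n")
        zf.writestr("examplepkg/_index.js", "// constructed placeholder, no logic\n")
        zf.writestr("examplepkg/_native.abi3.so",
                    b"\x7fELF" + b"\x00" * 16 + b"_index.js\x00")
        zf.writestr("examplepkg-setup.pth",
                    "import subprocess; subprocess.Popen(['bun', '_index.js'])\n")
        zf.writestr("clean-paths.pth", "/opt/tools/lib\n")       # benign path entry
        zf.writestr("_virtualenv.pth", "import _virtualenv\n")   # benign hook
    return path


if __name__ == "__main__":
    for member, finding in audit_wheel(build_sample_wheel()):
        print(f"{finding:32} {member}")
    for pth, verdict in audit_site_packages().items():
        if verdict != "path-only":
            print(f"{'site-' + verdict:32} {pth}")
```

The classifier deliberately separates "hook" from "suspicious": legitimate tools such as virtualenv and setuptools ship executable .pth files, so an executable line is a review item rather than a verdict, and the token list is where a team would add its own indicators as they are published. The loader-only variant seen in langchain-core-mcp is covered by the .pth check alone, since it ships the hook without `_index.js`.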
The _index.js stealer payload used in the latest attacks opens with what appears to be a prompt injection aimed at large language model analysis tools. The text instructs the model to assist with the production of biological and nuclear weapons, likely in an attempt to trigger a refusal from AI-based systems so that they decline to analyze the code, Socket researchers said. Hades infected legitimate bioinformatics utilities including embiggen, ensmallen, gpsea, phenopacket-store-toolkit, ppkt2synergy and pyphetools, while the attackers also created typosquatted packages such as langchain-core-mcp, rsquests, tlask and rlask. Socket continues to track the latest Mini Shai-Hulud-related attacks, which have affected a total of 473 package artifacts across npm and PyPI since June 1, 2026.
