
Hades PyPI Campaign Poisons 19 Packages with .pth Startup Hooks - Bun Credential Stealer and AI Scanner Misdirection

AI Supply-Chain Attacks · Critical · Hades campaign (Miasma lineage; no single CVE)
Affected: 37 malicious wheel artifacts across 19 PyPI packages in bioinformatics, graph-ML, deep-learning, and developer tooling ecosystems

Detected on June 7–8, 2026, the Hades wave of the Miasma supply-chain campaign shipped 37 malicious wheel artifacts across 19 PyPI packages spanning bioinformatics, graph-ML, deep-learning, and developer-tooling ecosystems. There is no single CVE; defenders track it as the Hades campaign in the Miasma lineage. Its defining move is a *-setup.pth startup hook that runs a Bun-launched credential stealer on every Python invocation - without the victim ever importing the package - paired with prompt-injection text and decoy Anthropic traffic built to mislead AI-based reviewers.

What happened

Each poisoned release includes a *-setup.pth file that lands in site-packages. Python's site module processes .pth files at interpreter startup, so the payload executes on every Python invocation after installation - the victim never has to import the package for the code to run. That breaks the common assumption that an untrusted dependency is only dangerous when imported, turning a one-time install into persistent code execution on every python, pytest, build, or CI job.

The .pth hook downloads the Bun runtime from GitHub and runs an obfuscated JavaScript stealer (_index.js). It targets GitHub and GitHub Actions runner secrets; npm, PyPI, RubyGems, JFrog, CircleCI, and Anthropic tokens; AWS, GCP, and Azure credentials; Kubernetes and Vault secrets; and developer-machine artifacts including .env, .npmrc, .pypirc, SSH keys, Docker configs, and Claude/MCP configs. The Hades wave adds cross-platform memory scrapers for Linux, macOS, and Windows, so credentials held only in process memory are also exposed.

Hades carries two AI-aware evasions. It embeds prompt-injection text designed to trick LLM-based security analyzers into rating it benign, and sends decoy traffic to Anthropic servers to confuse network analysis - making egress resemble ordinary AI API usage. Both target the reviewer, not the runtime. Defender guidance is direct: pin PyPI dependencies, audit for unexpected .pth files in site-packages, and rotate any exposed tokens. With no CVE to patch, the durable response is to know which endpoints carry the scraped artifacts and govern what the stealer process can do.

Why this is an agentic-endpoint risk

Hades reads straight off the AI artifact layer. Its target list names Anthropic tokens and Claude/MCP config files alongside cloud and registry credentials - the exact artifacts an agentic developer endpoint accumulates. The eight AI artifact types Anomity inventories - AI agents, MCP servers, extensions, skills, plugins, secrets, hooks, and CLIs - overlap almost one-for-one with what this stealer scrapes, which is why it belongs in the AI supply-chain attacks cluster and not only on a generic malware list.

This exposure is hard to see from the controls you already run. Network tooling sees egress Hades deliberately disguises as Anthropic traffic; EDR sees a legitimate Bun runtime pulled from GitHub; DLP sees nothing at rest because credentials move through a live process and memory scrapers; and a GRC checklist has no CVE to track. Worse, an LLM-based triage step can be steered by the embedded prompt injection into rating the package safe. The question is which endpoints hold the files Hades reads, and what the stealer process is allowed to do when it runs - the same root cause as the sibling Shai-Hulud 2 npm worm credential stealer advisory. Adoption is bottom-up and invisible, the same way AI agents became the new shadow IT, which is why fleet visibility over the artifact layer is the starting point.

How Anomity surfaces and governs it

With no version to roll forward, the durable control is to inventory the endpoints that hold what Hades scrapes and govern what the stealer can do, in three steps.

First, inventory. Anomity inventories secrets, CLIs, and Claude/MCP configs on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them - surfacing where machines hold the exact files Hades targets so you can scope which endpoints are most exposed. Collection is metadata only, and secret values are redacted on the endpoint before anything leaves it, so the inventory never recreates the trove the attacker is after.

Second, decide at the hook. On agents that expose a hook - for example, the Claude Code PreToolUse event - Anomity evaluates each tool call and returns allow, deny, or log before it runs. A Bun-launched stealer reaching for a token or reading a credential file can be logged or denied at the boundary, and because the decision is made on the process and its action, the prompt-injection text cannot change the outcome - which is exactly what runtime governance provides when the package is engineered to fool a reviewer.

Third, keep the record. Anomity logs the tool calls and secret access on the endpoint, so a stealer touching an Anthropic token or an SSH key is recorded against a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira - past the decoy egress Hades uses to muddy network analysis. Anomity is SOC 2 Type II and complements your Network, EDR, DLP, and GRC tooling. See how it sits alongside them on the compare page.

"You can't govern what you can't see." (The Anomity principle)

What to check across your fleet

  • Pin PyPI dependencies to known-good versions and hashes, and review any package installed or updated on or after June 7, 2026 across the 19 affected bioinformatics, graph-ML, deep-learning, and developer-tooling packages.
  • Audit site-packages on every developer and CI endpoint for unexpected *-setup.pth files, and remove any that download a runtime or execute code at interpreter startup.
  • Treat any token an affected machine could reach as exposed and rotate it - GitHub and Actions runner secrets; npm, PyPI, RubyGems, JFrog, CircleCI, and Anthropic tokens; AWS, GCP, and Azure credentials; and Kubernetes and Vault secrets.
  • Inventory where endpoints hold the files Hades scrapes - .env, .npmrc, .pypirc, SSH keys, Docker configs, and Claude/MCP configs.
  • Confirm a Bun-launched or other unexpected process reading a credential file is evaluated at a hook with allow/deny/log, so the stealer is stopped or recorded before it exfiltrates - independent of the prompt-injection wording.
  • Verify secret values are redacted on the endpoint and never centralized in plaintext, so a memory scraper or file read has less to capture.
  • Verify every tool call and secret access is written to a 90-day audit trail and routed to your SIEM, so decoy Anthropic traffic does not become your only signal.
  • Cross-reference this inventory against the sibling Shai-Hulud 2 npm worm credential stealer advisory to find endpoints on more than one supply-chain credential-theft path.
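The .pth audit from the checklist, and the startup behaviour described under "What happened", as an added example (not code from the advisory or from Anomity). It flags .pth files containing lines that Python's site module would execute; the token list, the risk levels, and the sample files in `demo()` are assumptions constructed for illustration.

```python
"""Audit site-packages for .pth files that execute code at interpreter startup."""
import re
import site
import sys
import tempfile
from pathlib import Path

# Heuristic tokens (assumption of this example) that a path file rarely needs.
SUSPICIOUS = re.compile(r"\b(exec|eval|compile|subprocess|os\.system|urllib|"
                        r"urlopen|socket|b64decode|__import__)\b")

def executable_lines(pth_path):
    """Return (lineno, text) for lines site.py execs: 'import' + space or tab."""
    text = Path(pth_path).read_text(encoding="utf-8-sig", errors="replace")
    return [(n, line.rstrip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def audit(dirs):
    """Scan directories for executable .pth files; high-risk findings first."""
    findings = []
    for d in (Path(p) for p in dirs if Path(p).is_dir()):
        for pth in sorted(d.glob("*.pth")):
            lines = executable_lines(pth)
            if not lines:
                continue  # only path entries: normal .pth usage
            risky = any(SUSPICIOUS.search(t) for _, t in lines)
            named_like_hook = pth.name.endswith("-setup.pth")  # pattern from the advisory
            level = "high" if risky or named_like_hook else "review"
            findings.append({"file": pth.name, "dir": str(d), "level": level, "lines": lines})
    return sorted(findings, key=lambda f: f["level"] != "high")

def demo():
    """Run the audit over constructed sample files (not real campaign artifacts)."""
    samples = {
        "paths-only.pth": "/opt/project/src\n# comment\n",
        "tool-config.pth": "import sys; sys.dont_write_bytecode = True\n",
        "example-setup.pth": "import subprocess; subprocess.run(['true'])\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return audit([tmp])

if __name__ == "__main__":
    dirs = sys.argv[1:] or site.getsitepackages() + [site.getusersitepackages()]
    for f in audit(dirs):
        print(f"[{f['level']}] {f['dir']}/{f['file']}")
        for n, t in f["lines"]:
            print(f"    line {n}: {t[:120]}")
```

Some legitimate packages ship executable .pth lines, so "review" findings need a baseline per environment. Run it with the interpreter of each virtualenv and CI image, since each has its own site-packages.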

The Hades wave is a reminder that a PyPI install is code execution the moment a .pth startup hook is in play, and that AI-aware evasions can turn a reviewer's own LLM against them. Pin dependencies, hunt for unexpected .pth files, and rotate exposed tokens - then inventory the secrets, CLIs, and Claude/MCP configs your endpoints hold and govern what reaches them at the hook, where prompt-injection text changes nothing. For the full picture, see the pillar guide on AI supply-chain attacks. To see Anomity govern the agent layer, request early access.

Frequently asked questions

What is the Hades PyPI campaign and how is it different from a normal malicious package?

Hades is a June 2026 wave of the Miasma supply-chain campaign that shipped 37 malicious wheel artifacts across 19 PyPI packages spanning bioinformatics, graph-ML, deep-learning, and developer tooling. Its distinguishing trick is a *-setup.pth file placed in site-packages. Python's site module processes .pth files at interpreter startup, so the payload runs on every single Python invocation after installation - the victim never has to import the poisoned package for the code to execute. That removes the usual containment assumption that an untrusted dependency is only dangerous when it is imported, and turns a one-time install into persistent code execution.

What does the Hades payload steal once it runs?

The .pth hook downloads the Bun runtime from GitHub and runs an obfuscated JavaScript stealer (_index.js). It targets GitHub and GitHub Actions runner secrets; npm, PyPI, RubyGems, JFrog, CircleCI, and Anthropic tokens; AWS, GCP, and Azure credentials; and Kubernetes and Vault secrets. It also scrapes developer-machine artifacts including .env, .npmrc, .pypirc, SSH keys, Docker configs, and Claude and MCP configuration files. The Hades wave adds cross-platform memory scrapers for Linux, macOS, and Windows, so credentials held only in process memory are also exposed. Any token an affected machine can reach should be treated as compromised and rotated.

Why does Hades send decoy traffic to Anthropic servers and embed prompt-injection text?

Hades carries two AI-aware evasions. It embeds prompt-injection text crafted to trick LLM-based security analyzers into rating the package benign, so an automated triage that asks a model "is it safe?" can be steered toward the wrong answer. It also sends decoy traffic to Anthropic servers to confuse network analysis, making the stealer's egress look like ordinary AI API usage. Both are attacks on the reviewer, not the runtime. Anomity does not adjudicate this package by reading its text; it decides on the Bun-launched process at the hook layer, so the prompt-injection wording cannot change the allow, deny, or log outcome.

How does Anomity reduce exposure to the Hades campaign?

Anomity inventories the eight AI artifact types - including secrets, CLIs, and Claude and MCP configs - on every managed endpoint, so you can find where affected developer machines hold the exact files Hades scrapes. On agents that expose a hook, it returns allow, deny, or log on each tool call before it runs, so the Bun-launched stealer reaching for a token can be denied or logged regardless of the prompt-injection wording. Every decision is recorded against a queryable 90-day audit trail, collection is metadata-only with on-endpoint secret redaction, and decisions route to your SIEM, Slack, email, or Jira.
