Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave

Summary

A coordinated PyPI compromise has been detected, involving 37 malicious wheel artifacts across 19 packages. These packages deliver a setup file that automatically executes a JavaScript payload using the Bun runtime, targeting developer and CI/CD secrets. This campaign, identified as a branch of the Shai-Hulud/Miasma lineage, uses Hades-themed exfiltration markers.

Full text

Research/Security NewsMini Shai-Hulud Campaign Hits Red Hat Cloud Services npm PackagesA mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI/CD secrets during installation.By Socket Research Team - Jun 01, 2026

Indicators of Compromise

• malware — Miasma
• malware — Shai-Hulud
• malware — Hades
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-x64.zip
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-darwin-x64.zip
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-windows-x64.zip
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-linux-aarch64.zip
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-darwin-aarch64.zip
• url — https://github.com/oven-sh/bun/releases/download/bun-v1.3.13/bun-windows-aarch64.zip
• url — hxxps://api[.]anthropic[.]com/v1/api
• hash_sha256 — dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe
• hash_sha256 — e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d
• hash_sha256 — c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c
• domain — api.anthropic.com
• url — https://socket.dev/supply-chain-attacks/miasma-mini-shai-hulud-supply-chain-attack

Entities