
Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave

37 malicious Python packages across 19 PyPI repositories are delivering a worm that executes JavaScript payloads via the Bun runtime during installation. Any developer or CI/CD pipeline that pulled these packages in the last wave has likely had secrets and credentials exfiltrated. This is part of the active Shai-Hulud/Miasma campaign.

CRITICAL | Advisory | Jun 08, 2026
Action required
Immediately audit PyPI package installation logs for the last 30 days. Identify any pulls from the 19 affected packages. Assume compromise of any developer machines or CI/CD runners that installed them. Force rotation of all secrets, API keys, and credentials accessible from those environments.
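One way to run the log audit described above, as an added example that is not part of the original advisory. The package names are placeholders (the affected list is not given here), the sample lines are constructed in the shape of a `pip --log` file, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Placeholder names: substitute the affected package list from the full advisory.
AFFECTED = {"example-affected-pkg-a", "example-affected-pkg-b"}

# Assumed line shape: "<ISO timestamp>,<ms> Collecting <requirement>"
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),\d+\s+"
    r"Collecting\s+([A-Za-z0-9][A-Za-z0-9._-]*)"
)

def normalize(name):
    """PEP 503: names are case-insensitive and runs of - _ . are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_hits(log_lines, affected, now, window_days=30):
    """Return (timestamp, normalized name) for affected installs inside the window."""
    wanted = {normalize(n) for n in affected}
    cutoff = now - timedelta(days=window_days)
    hits = []
    for line in log_lines:
        m = LINE.match(line)
        if not m:
            continue  # not a "Collecting" record
        when = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        name = normalize(m.group(2))
        if when >= cutoff and name in wanted:
            hits.append((when, name))
    return hits

# Constructed sample log lines, not taken from a real incident.
SAMPLE_LOG = [
    "2026-06-02T09:14:03,120 Collecting Example_Affected.Pkg_A==1.2.0",
    "2026-06-02T09:14:04,501 Collecting requests>=2.0 (from Example_Affected.Pkg_A==1.2.0)",
    "2026-04-01T10:00:00,000 Collecting example-affected-pkg-b",
    "2026-06-05T18:30:11,009 Collecting example-affected-pkg-b[extra]",
    "2026-06-05T18:30:12,000   Downloading example_affected_pkg_b-0.1.tar.gz",
]

if __name__ == "__main__":
    for when, name in find_hits(SAMPLE_LOG, AFFECTED, datetime(2026, 6, 8)):
        print(f"{when.isoformat()}  {name}  -> treat host as compromised, rotate secrets")
```

Matching on normalized names matters because pip accepts `Example_Affected.Pkg_A` and `example-affected-pkg-a` as the same project, so a plain string search over logs can miss installs.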
Affected products
Bun, PyPI, npm