{
  "name": "Miasma Worm Campaign Spreads with New PyPI Wave",
  "slug": "miasma-worm-campaign-spreads-with-new-pypi-wave",
  "description": "A coordinated PyPI compromise campaign involving 37 malicious wheel artifacts across 19 packages was detected, utilizing Python startup hooks to execute credential-stealing payloads. The attack leverages .pth files for automatic execution during Python interpreter startup, downloads the Bun JavaScript runtime, and runs obfuscated JavaScript payloads. The malware targets high-value developer and CI/CD credentials including GitHub, npm, PyPI, cloud providers (AWS, GCP, Azure), Kubernetes, Vault, SSH keys, and AI tool tokens. This represents a PyPI branch of the Shai-Hulud/Miasma campaign family, using a Hades-themed variant for GitHub exfiltration. Compromised packages included established bioinformatics tools with significant download counts, stemming from apparent maintainer account takeover. The payload employs multi-layer obfuscation, AES-GCM encryption, and exfiltrates data through GitHub repositories with distinctive markers. The campaign demonstrates cross-runtime attack capabilities and ecosystem-spe...",
  "published": "2026-06-07T09:21:59+00:00",
  "created_at": "2026-06-07T09:21:59+00:00",
  "modified_at": "2026-06-08T07:23:26+00:00",
  "created_at_opencti": "2026-06-07T09:21:59+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-07",
    "bioinformatics",
    "bun runtime",
    "credential-theft",
    "github exfiltration",
    "hades",
    "miasma",
    "mini shai hulud",
    "pypi",
    "startup hooks",
    "supply chain attack"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "c539766062555d47716f8432e73adbe3a0c0c954a0b6c4005017a668975e275c"
      },
      {
        "id": "",
        "name": "e1342a80d4b5e83d2c7c22e1e0aaa95f2d88e3dbf0d853a4994b180c93a4b17d"
      },
      {
        "id": "",
        "name": "dc48b09b2a5954f7ff79ab8a2fd80202bd3b59c08c7cdbc6025aa923cb4c0efe"
      }
    ],
    "malware": [
      {
        "id": "7f348e4a-a1c1-4851-be94-d8dbf0f08496",
        "name": "Mini Shai-Hulud",
        "slug": "mini-shai-hulud"
      },
      {
        "id": "c97eecb2-46dd-4e3b-8b82-906269d7cb83",
        "name": "Hades",
        "slug": "hades"
      },
      {
        "id": "2f504a89-03b5-446f-9820-2df5e962a0d1",
        "name": "Miasma",
        "slug": "miasma"
      }
    ],
    "intrusion_sets": [
      {
        "id": "056dcb25-a747-447d-84fc-894e5dc191dd",
        "name": "Shai-Hulud",
        "slug": "shai-hulud"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Technology"
      },
      {
        "id": "",
        "name": "Healthcare"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/6a255457476fc6d2bbe99c64",
    "https://socket.dev/blog/shai-hulud-descends-to-hades-miasma-pypi-wave"
  ]
}