Hades PyPI Attack: 19 Packages Steal Credentials


The Hades PyPI attack poisoned 19 packages with 37 malicious artifacts, using a .pth file to auto-execute a credential stealer. Learn how to protect yourself with antidetect browsers and best practices.

### What Happened in the Hades PyPI Attack?

You might have heard about the latest supply chain attack hitting the Python Package Index (PyPI). It's called Hades, and it's a follow-up to the earlier Miasma campaign. This time, attackers poisoned 19 packages with 37 malicious wheel artifacts. The goal? To steal credentials using a sneaky automatic execution method.

Here's the kicker: the compromised releases included a `*-setup.pth` file. This file runs automatically when you install the package. No extra clicks, no warnings. Just instant infection. If you're a developer who uses PyPI regularly, this is a big deal.

### How Does the Attack Work?

The attack relies on a technique in the "Mini Shai-Hulud" style. It's a refined version of earlier attacks, targeting specific ecosystems like Python. The attackers upload malicious packages that look legitimate. Once installed, the `.pth` file executes and deploys a credential stealer.

Think of it like a Trojan horse, but for code. You download what seems like a helpful library, and it quietly steals your login details. The stealer targets credentials stored in browsers, apps, and system files. It then sends them to a remote server controlled by the attackers.

### Who Is at Risk?

Anyone using PyPI for Python development is at risk. This includes:

- Individual developers working on personal projects
- Teams in startups or large companies using Python libraries
- DevOps engineers who automate package installations
- Anyone who doesn't verify package integrity before installing

The attack doesn't discriminate. If you install one of these 19 poisoned packages, your credentials could be compromised.

### How to Protect Yourself

Staying safe requires a few simple steps. First, always verify the package you're installing. Check the publisher's history and read reviews. Second, use a virtual environment for each project to limit damage. Third, consider using an antidetect browser for sensitive tasks like logging into accounts or managing credentials. An antidetect browser creates a separate digital fingerprint for each session. This means even if your credentials are stolen, the attacker can't easily use them to access your accounts. It's like having a different identity for every login.

### What This Means for Developers

The Hades attack shows that supply chain threats are evolving. Attackers are getting smarter, finding new ways to slip malicious code into trusted repositories. As a developer, you need to stay vigilant. Don't trust packages blindly. Use tools like checksums and package signing to verify authenticity. Also, keep your software updated. Security patches often fix vulnerabilities that attackers exploit. And if you're managing multiple accounts or sensitive data, an antidetect browser adds an extra layer of protection.

### Final Thoughts

Supply chain attacks like Hades are a reminder that no ecosystem is completely safe. Python's PyPI is a powerful resource, but it's also a target. By staying informed and taking proactive steps, you can reduce your risk. Remember, the best defense is a combination of good habits and the right tools. Stay safe out there. And always double-check what you install.
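To check a downloaded wheel for the `.pth` auto-execution hook described above before installing it, here is an added example that is not from the article or from any of the affected packages. It builds two constructed sample wheels in memory (the `pkg_hook` module name and the placeholder metadata are assumptions) and flags any `.pth` member whose lines site.py would run as code:

```python
import io
import zipfile

def suspicious_pth_lines(text):
    """Return (lineno, line) for each .pth line that site.py would exec().

    site.addpackage() runs any .pth line beginning with "import" as Python
    code at interpreter start-up; benign .pth files only list sys.path dirs.
    Whitespace is stripped first so the check errs toward flagging.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith(("import ", "import\t")):
            hits.append((lineno, stripped))
    return hits

def scan_wheel(wheel_bytes):
    """Return (member, lineno, line) for each code-executing .pth line in a
    wheel archive; an empty list means no .pth member executes code."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as wheel:
        for name in wheel.namelist():
            if not name.endswith(".pth"):
                continue
            text = wheel.read(name).decode("utf-8", errors="replace")
            for lineno, line in suspicious_pth_lines(text):
                findings.append((name, lineno, line))
    return findings

def build_wheel(members):
    """Constructed sample: a wheel is a zip, so build one from {path: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()

COMMON = {"pkg/__init__.py": "", "pkg-1.0.dist-info/METADATA": "Name: pkg\n"}
# Harmless path-only .pth, the normal use of the mechanism.
BENIGN_WHEEL = build_wheel({**COMMON, "pkg.pth": "pkg\n"})
# Constructed imitation of the *-setup.pth pattern: the import line makes
# site.py load pkg_hook on every interpreter start. The hook here is an empty
# placeholder, not the real stealer.
POISONED_WHEEL = build_wheel({**COMMON, "pkg-setup.pth": "import pkg_hook\n",
                              "pkg_hook.py": "# placeholder, does nothing\n"})

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_WHEEL), ("poisoned", POISONED_WHEEL)):
        print(label, scan_wheel(data) or "clean")
```

To check a real artifact, fetch it without installing (`pip download <package>`) and pass the file's bytes to `scan_wheel`.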