Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
Summary
A new Hades PyPI malware wave uses a Python startup hook to launch a Bun-powered JavaScript stealer, putting developer and CI/CD credentials at risk. The payload can harvest secrets, keys, and local configuration data from package-install environments. It extends a known supply-chain playbook with automatic execution before normal package use.
Related Happenings
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score: 3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources: 1
About this happening:
**Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score: 11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources: 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score: 3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources: 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score: 11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources: 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Shai-Hulud PyPI supply-chain malware activity
Malware Activity
H score: 22
First: 08.06.2026 23:41
Last: 08.06.2026 23:41
Sources: 1
About this happening:
The **Shai-Hulud** supply-chain malware compromised **19 PyPI packages**, turning routine installs into secret-stealing execution and putting **developer credentials** at risk. Th...
Timeline
- 09.06.2026 12:13 · 2 articles
Hades PyPI packages auto-run a Bun-powered JavaScript stealer
Initial Disclosure: A Hades supply-chain wave poisoned 19 PyPI packages with 37 malicious wheel artifacts, using a `*-setup.pth` startup hook to execute during Python interpreter startup, download the Bun JavaScript runtime, and launch an obfuscated `_index.js` payload that steals developer and CI/CD secrets from package-install environments. The campaign also checks for a Russian locale, stages payloads through GitHub commit lookups, and adds a plain-text prompt injection intended to mislead LLM-based package analysis tools into classifying the package as safe.
Sources:
- Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer — thehackernews.com — 09.06.2026 12:13
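The `.pth` startup hook described in the timeline entry above works because CPython's `site` module executes any `.pth` line that begins with `import`. As an added defensive check (not code from the report or from the Hades packages), the script below enumerates the `.pth` files an interpreter will process and lists every line `site` would execute, flagging lines that contain constructs such as `exec` or base64 decoding; the `SUSPICIOUS` pattern is an assumed heuristic, and the sample lines in the test are constructed.

```python
"""Audit .pth files for code that runs at interpreter startup.

CPython's site module executes every line of a .pth file that begins with
"import " or "import\t"; blank lines and "#" comments are skipped and any
other line is added to sys.path. The Hades wave used a *-setup.pth file to
get its loader executed before any package is explicitly imported.
"""
import re
import site
from pathlib import Path

# Added example, not code from the original report. The pattern below is an
# assumed heuristic: constructs that make an executed .pth line worth review.
SUSPICIOUS = re.compile(r"exec\(|eval\(|compile\(|base64|subprocess|os\.system|"
                        r"urllib|socket|__import__|\\x[0-9a-fA-F]{2}")

def classify_pth_lines(text):
    """Return (line_no, line, suspicious) for each line site.py would execute."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(("import ", "import\t")):
            findings.append((n, line, bool(SUSPICIOUS.search(line))))
    return findings

def scan_pth_dir(directory):
    """Scan one directory's .pth files; returns (path, line_no, line, suspicious)."""
    results = []
    for pth in sorted(Path(directory).glob("*.pth")):
        try:
            text = pth.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the audit
        results.extend((str(pth), n, l, s) for n, l, s in classify_pth_lines(text))
    return results

def scan_site_dirs():
    """Scan every site-packages directory the running interpreter would load."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return [f for d in dirs if Path(d).is_dir() for f in scan_pth_dir(d)]

if __name__ == "__main__":
    for path, n, line, sus in scan_site_dirs():
        print(f"[{'SUSPICIOUS' if sus else 'review'}] {path}:{n}: {line}")
```

Legitimate packages also ship executed `.pth` lines (setuptools' `distutils-precedence.pth` is one), so the output is a review list, not a verdict; run it inside each virtualenv or CI image you want to audit.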