A new wave of supply chain attacks targeting the Python Package Index (PyPI) has been identified as the "Hades" campaign — a sophisticated evolution of the Shai-Hulud attack methodology that has plagued open-source software repositories throughout 2026.
What Is the Hades Campaign?
Security researchers have uncovered a coordinated campaign that successfully compromised 37 PyPI wheels and 19 code packages, injecting malicious payloads designed to steal developer credentials and propagate further across software supply chains.
Named after the Greek god of the underworld, the Hades campaign represents a significant tactical evolution from earlier Shai-Hulud attacks. Where Shai-Hulud relied on hijacking maintainer accounts through compromised npm tokens, Hades introduces new obfuscation layers and persistence mechanisms specific to the Python ecosystem.
How the Attack Works
The attackers follow a recognizable playbook with notable new twists:
- Initial Access — Threat actors compromise PyPI maintainer accounts via credential theft from previous supply chain breaches, particularly targeting developers whose credentials appeared in earlier npm or GitHub token leaks.
- Package Poisoning — Once inside, malicious code is injected into legitimate package releases. The Hades campaign specifically targets the wheel (.whl) distribution format, which is often less scrutinized than source distributions.
- Credential Exfiltration — Installed packages silently harvest developer credentials, API keys, and environment variables from victim machines, exfiltrating data to attacker-controlled infrastructure.
- Self-Propagation — Stolen credentials are immediately weaponized to authenticate to other package registries, perpetuating the attack cycle in a manner reminiscent of the original Shai-Hulud worm behavior.
Scale and Impact
The campaign's targeting of wheel distributions is particularly concerning. Python wheels are pre-compiled packages that install faster and with less friction than source packages — making them attractive targets precisely because developers and CI/CD systems may skip validation steps.
With 37 wheels affected across 19 distinct packages, the blast radius extends to any developer or production system that installed affected package versions during the exposure window. Organizations using automated dependency updates or unversioned installs in CI pipelines face the highest risk.
Connection to Shai-Hulud
The Shai-Hulud methodology emerged in early 2026 as a novel approach to supply chain attacks: using stolen credentials from one compromised package to authenticate as maintainers of additional packages, creating a self-amplifying infection wave.
The Hades campaign adapts this core mechanism for the Python ecosystem, exploiting PyPI's trust model and the broad developer footprint of the packages targeted. Security researchers note that Hades shows clear signs of learning from defensive measures deployed against Shai-Hulud, including:
- Delayed payload activation to evade sandbox analysis
- Mimicking legitimate package update behaviors
- Using encrypted channels for C2 communication
Detection and Response
Organizations should audit their Python dependencies for recently published package versions from affected maintainer accounts. Key indicators of compromise include:
- Unexpected outbound network connections from CI/CD systems after pip installs
- Environment variable reads from non-standard package code
- Base64-encoded strings or obfuscated import statements in recently updated packages
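As an added illustration of the indicators listed above (example code written for this page, not from the article or from any researcher it cites), the following Python script uses the standard ast module to flag environment-variable reads, base64-style decoding, dynamic execution and long base64-like string literals in package source. The name sets and the 40-character threshold are assumptions, and the SAMPLE module is constructed test data rather than any real package.

```python
import ast
import re
from pathlib import Path

# Name sets and the 40-character threshold are assumptions chosen for this example.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long base64-looking literal
DECODE_NAMES = {"b64decode", "b32decode", "a85decode"}   # payload decoding
DYNAMIC_EXEC = {"exec", "eval", "__import__", "compile"} # obfuscated import / exec

def _call_name(node: ast.Call) -> str:  # base64.b64decode(...) -> 'b64decode'
    f = node.func
    return f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", "")

def scan_source(src: str) -> list[tuple[int, str]]:
    """Return sorted (line, indicator) pairs for one module's source text."""
    findings = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in DECODE_NAMES:
                findings.add((node.lineno, f"decode call: {name}"))
            elif name in DYNAMIC_EXEC:
                findings.add((node.lineno, f"dynamic execution: {name}"))
            elif name == "getenv":
                findings.add((node.lineno, "environment read: os.getenv"))
        elif isinstance(node, ast.Attribute) and node.attr == "environ":
            findings.add((node.lineno, "environment read: os.environ"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if BASE64_RE.search(node.value):
                findings.add((node.lineno, "long base64-like string literal"))
    return sorted(findings)

def scan_tree(root: str) -> dict[str, list[tuple[int, str]]]:
    """Scan every .py file under root, e.g. a site-packages directory."""
    report = {}
    for path in sorted(Path(root).rglob("*.py")):
        try:
            hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        except SyntaxError:  # unparseable source inside a package is itself a signal
            hits = [(0, "syntax error: possible obfuscation")]
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample module exhibiting the indicators; the blob is inert test data.
SAMPLE = """import os, base64
TOKENS = {k: v for k, v in os.environ.items() if "TOKEN" in k}
blob = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
exec(base64.b64decode(blob))
"""
```

Point scan_tree at a virtual environment's site-packages directory to review recently installed packages; hits are leads for manual review, not proof of compromise.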
PyPI's security team has been notified and is working to remove affected package versions. Developers are urged to pin dependency versions, enable package integrity verification, and review audit logs for recent installs of the affected packages.
Broader Supply Chain Context
The Hades campaign underscores a persistent and evolving threat to open-source software ecosystems. Following the GitHub breach tied to the Tanstack supply chain attack, and multiple npm worm campaigns including Shai-Hulud's various iterations, attackers have demonstrated sustained interest in compromising developer tooling as a force-multiplier for downstream attacks.
Security teams should treat supply chain security as a continuous posture, not a one-time audit, particularly given the pace at which new attack variants are emerging in 2026.