Massive PyPI Supply Chain Attack Harvests Cloud Credentials via Python Startup Hooks
Summary
A coordinated supply chain operation known as the Hades Campaign has compromised 26 PyPI packages to steal cloud credentials. The attack abuses Python .pth files to trigger malicious code during interpreter startup, using the Bun JavaScript runtime to execute the payload. It is designed to harvest secrets tied to AWS, GCP, Azure, Kubernetes, and GitHub across multiple operating systems.
Investigation
Orca Security identified 37 malicious wheel files spread across bioinformatics and developer tooling ecosystems. Their analysis exposed a cross-runtime technique in which the malware downloads Bun to run obfuscated JavaScript payloads. The campaign also generates decoy traffic to Anthropic AI services and uses prompt-injection techniques to reduce the effectiveness of LLM-based security review.
Mitigation
Organizations should immediately remove the affected packages or pin to safe versions and rotate all potentially exposed credentials. This includes cloud access tokens, GitHub personal access tokens, SSH keys, and Docker registry credentials. Security teams should also hunt for the known persistence artifacts on Linux, macOS, and Windows hosts.
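A hunting aid for the `.pth` startup hook described in the summary, added here as an example and not taken from the original analysis: Python's `site.py` executes any `.pth` line that begins with `import`, so the script lists those lines and flags heuristic tokens plus the `*-setup.pth` name pattern. The token list and the sample files are assumptions constructed for illustration.

```python
import fnmatch
import site
import tempfile
from pathlib import Path

# Heuristic tokens that rarely belong in a startup hook (chosen for this example).
SUSPICIOUS = ("subprocess", "os.system", "urllib", "socket", "base64",
              "exec(", "eval(", "compile(", "__import__")

def executable_lines(text):
    """Lines that site.py passes to exec(): those starting with 'import' + space/tab."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def audit_pth(path):
    """Return a verdict for one .pth file: path-only, review or suspicious."""
    path = Path(path)
    hits = executable_lines(path.read_text(encoding="utf-8", errors="replace"))
    reasons = sorted({tok for _, line in hits for tok in SUSPICIOUS if tok in line})
    if hits and fnmatch.fnmatch(path.name, "*-setup.pth"):
        reasons.append("name matches *-setup.pth")
    verdict = "suspicious" if reasons else "review" if hits else "path-only"
    return {"file": path.name, "verdict": verdict, "reasons": reasons, "lines": hits}

def scan(dirs=None):
    """Audit every .pth file in the given dirs (default: this interpreter's site dirs)."""
    if dirs is None:
        dirs = list(getattr(site, "getsitepackages", list)()) + [site.getusersitepackages()]
    found = []
    for d in map(Path, dirs):
        if d.is_dir():
            found += [audit_pth(p) for p in sorted(d.glob("*.pth"))]
    return found

def demo():
    """Audit constructed sample files written to a temp dir (never a site dir)."""
    samples = {
        "paths.pth": "../vendored\n# plain path entry, not executed\n",
        "editable.pth": "import importlib\n",
        "demo-setup.pth": "import subprocess; subprocess.run(['echo', 'constructed'])\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return {r["file"]: r for r in scan([tmp])}

if __name__ == "__main__":
    for result in scan():
        if result["verdict"] != "path-only":
            print(result)
```

A `review` verdict is expected for some legitimate packages (editable installs, for example), so triage those against the package that owns the file rather than treating every executable line as malicious.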
Response
When compromise is suspected, isolate the affected system before rotating credentials to reduce the risk of extortion through the gh-token-monitor daemon. Rebuild any developer workstations and CI/CD runners that executed the poisoned packages. Review GitHub repositories for unauthorized commits and for newly created repositories that match attacker naming patterns.
Attack Flow
```mermaid
graph TB
    %% Class Definitions Section
    %% Blue for MITRE ATT&CK Techniques
    classDef technique fill:#99ccff
    %% Grey for Tools and Software
    classDef tool fill:#cccccc
    %% Pink for specific Actions or behaviors
    classDef action fill:#ff99cc
    %% Green for Persistence mechanisms
    classDef persistence fill:#ccffcc

    %% Node Definitions
    %% Initial Access and Execution Phase
    tech_supply_chain["<b>Technique</b> – <b>T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools</b><br/>Malicious wheel files distributed via PyPI."]
    class tech_supply_chain technique
    tech_user_exec["<b>Technique</b> – <b>T1204.005 User Execution: Malicious Library</b><br/>Triggered during Python interpreter initialization via *-setup.pth files."]
    class tech_user_exec technique
    tech_poison_pipeline["<b>Technique</b> – <b>T1677 Poisoned Pipeline Execution</b><br/>Code executes automatically in developer and CI environments."]
    class tech_poison_pipeline technique

    %% Payload and Execution Phase
    tool_bun["<b>Tool</b> – <b>Name</b>: Bun JavaScript Runtime<br/>Downloaded to execute obfuscated payload."]
    class tool_bun tool
    tech_ipc["<b>Technique</b> – <b>T1559.003 Inter-Process Communication: XPC Services</b><br/>Used to run the obfuscated _index.js payload."]
    class tech_ipc technique
    payload_js["<b>File</b> – <b>Name</b>: _index.js<br/>Obfuscated JavaScript payload."]
    class payload_js tool

    %% Persistence Phase
    tech_persistence["<b>Technique</b> – <b>Persistence</b><br/>Maintaining access on the compromised system."]
    class tech_persistence technique
    tech_launch_daemon["<b>Technique</b> – <b>T1543.004 Create or Modify System Process: Launch Daemon</b><br/>Uses systemd services on Linux and LaunchAgents on macOS."]
    class tech_launch_daemon technique
    svc_monitor["<b>Process/Service</b> – <b>Name</b>: gh-token-monitor.service<br/>Example persistence mechanism."]
    class svc_monitor persistence

    %% Credential Access and Exfiltration Phase
    tech_cred_access["<b>Technique</b> – <b>T1212 Exploitation for Credential Access</b><br/>Scraping process memory to harvest AWS, GCP, Azure, and GitHub tokens."]
    class tech_cred_access technique
    tech_archive["<b>Technique</b> – <b>T1560 Archive Collected Data</b><br/>Compressing stolen secrets using gzip."]
    class tech_archive technique
    tech_exfil["<b>Technique</b> – <b>T1567.001 Exfiltration Over Web Service: Exfiltration to Code Repository</b><br/>Sending encrypted data to attacker-controlled GitHub repositories."]
    class tech_exfil technique

    %% Connections
    %% Supply chain leads to user execution
    tech_supply_chain -->|leads_to| tech_user_exec
    %% User execution leads to poisoned pipeline
    tech_user_exec -->|triggers| tech_poison_pipeline
    %% Poisoned pipeline triggers the payload execution
    tech_poison_pipeline -->|executes| tool_bun
    %% Tooling uses IPC to run the JS payload
    tool_bun -->|utilizes| tech_ipc
    tech_ipc -->|runs| payload_js
    %% Payload leads to persistence
    payload_js -->|establishes| tech_persistence
    tech_persistence -->|implements| tech_launch_daemon
    tech_launch_daemon -->|creates| svc_monitor
    %% Persistence enables credential access
    svc_monitor -->|enables| tech_cred_access
    %% Credential access leads to archiving
    tech_cred_access -->|results_in| tech_archive
    %% Archiving leads to final exfiltration
    tech_archive -->|prepares_data_for| tech_exfil
```
Detections
- Suspicious Plist File Creation In LaunchAgents Or LaunchDaemons (via file_event)
- Suspicious NodeJS Child Processes [Linux] (via cmdline)
- Service File Creation In Systemd Folder (via file_event)
- Possible Site-Specific Configuration Hook File Was Created (via file_event)
- Linux Script Was Created In Temporary Folders (via file_event)
- Malicious Python packages IOCs (via cmdline)
- Detection of GCP Authentication Token Scraping by Hades Campaign [Google Cloud Platform]
- Hades Campaign – Azure Authentication Tokens Exfiltration [Azure Activity Logs]
- Harvesting AWS Cloud Credentials via PyPI Supply Chain Attack [AWS Cloudtrail]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has successfully compromised a developer’s workstation via a malicious PyPI package (Hades Campaign). A Python startup hook has executed, successfully scraping an Azure authentication token from the local memory/cache. To simulate the detection of this activity in the Azure Audit Logs, we will simulate the generation of an Audit Log entry that contains the specific string “Azure authentication tokens” in the description field, mimicking the event telemetry an automated system might report when it detects such exfiltration.
- Regression Test Script: Since we cannot easily force the actual Azure backend to generate a specific malicious description string without a real breach, we simulate the presence of the log in the telemetry stream (often done in BAS by injecting a synthetic log into the workspace).
```powershell
# Synthetic Log Injection to simulate the detection of token exfiltration
# This simulates the 'Description' field being populated with the target string.
$LogEntry = @{
    # Convert to UTC first so the literal "Z" suffix is accurate
    TimeGenerated = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
    OperationName = "TokenExfiltrationDetected"
    Result        = "Success"
    Description   = "Malware activity detected: Azure authentication tokens were exfiltrated from a local process."
    Identity      = "malicious-python-hook@attacker.com"
}

Write-Host "Injecting synthetic telemetry to validate detection rule..."

# In a real BAS, this would call the Log Analytics Data Collector API
# For simulation purposes, we represent the resulting log entry:
$LogEntry | ConvertTo-Json
```
- Cleanup Commands:
```powershell
# If synthetic logs were injected via API, delete the specific correlation ID
# For this simulation, no persistent changes were made to the Azure Tenant.
Write-Host "Cleanup complete. No persistent adversary artifacts remain."
```