Shai-Hulud Descends to Hades: Miasma Worm Campaign Spreads with New PyPI Wave

MITRE Techniques

• [T1195 ] Supply Chain Compromise – The attacker compromised trusted PyPI packages to deliver malicious wheels to users (‘coordinated PyPI compromise involving 37 malicious wheel artifacts across 19 packages’).
• [T1059.007 ] JavaScript – The payload runs as obfuscated JavaScript under Bun (‘run an obfuscated JavaScript payload named _index.js’).
• [T1059.006 ] Python – A malicious .pth startup hook executes automatically when Python starts (‘Python’s site module processes .pth files during interpreter startup’).
• [T1105 ] Ingress Tool Transfer – The loader downloads the Bun runtime from GitHub before executing the payload (‘download Bun v1.3.13 from GitHub’).
• [T1204 ] User Execution – Execution is triggered when Python starts and processes the installed package files (‘the next python, pip, test run, notebook kernel, CI job… may process the malicious .pth’).
• [T1027 ] Obfuscated Files or Information – The JavaScript payload is heavily obfuscated using eval wrappers, ROT-style decoding, and encrypted stages (‘character-code and ROT-style eval wrapper, AES-GCM encrypted stages’).
• [T1102 ] Web Service – The campaign uses GitHub and an Anthropic API host as remote infrastructure for exfiltration/camouflage (‘GitHub-centric exfiltration’ and ‘traffic to a ubiquitous AI-vendor host’).
• [T1588.001 ] Obtain Capabilities: Credentials from Password Stores – The payload targets local secrets and stored credentials (‘SSH keys, Docker configs, shell histories, .env files, .npmrc, .pypirc’).
• [T1555 ] Credentials from Password Stores – It hunts for developer and cloud credentials from local files and tools (‘GitHub, npm, PyPI, RubyGems, JFrog, CircleCI… credentials’).