{ "title": "Hades Cluster PyPI Worm Abuses Python Startup Hooks", "summary": "Socket researchers disclosed a June 7, 2026 PyPI supply-chain campaign where attackers compromised 19 legitimate scientific research and deep-learning packages. The malware abuses Python startup hooks (*-setup.pth) to execute automatically, bootstrap Bun, and steal credentials.", "date": "2026-06-07", "severity": "critical", "tags": [ "pypi", "startup-hook", "supply-chain", "credential-theft", "hades-cluster" ], "sources_count": 3, "indicators": { "slug": "hades-cluster-pypi-startup-hook-compromise", "since": "2026-06-07T00:00:00Z", "until": "2026-06-07T23:59:59Z", "ecosystem": "pypi, python", "cves": [], "cwes": [], "advisoryIds": [], "products": [], "packages": [], "versions": [ "bramin==0.0.2", "bramin==0.0.3", "bramin==0.0.4", "cmd2func==0.2.2", "cmd2func==0.2.3", "coolbox==0.4.1", "coolbox==0.4.2", "dynamo-release==1.5.4", "executor-engine==0.3.4", "executor-engine==0.3.5", "executor-http==0.1.3", "executor-http==0.1.4", "funcdesc==0.2.2", "funcdesc==0.2.3", "magique==0.6.8", "magique==0.6.9", "magique-ai==0.4.4", "magique-ai==0.4.5", "mrbios==0.1.1", "mrbios==0.1.2", "napari-ufish==0.0.2", "napari-ufish==0.0.3", "nucbox==0.1.2", "nucbox==0.1.3", "okite==0.0.7", "okite==0.0.8", "pantheon-agents==0.6.1", "pantheon-agents==0.6.2", "pantheon-toolsets==0.5.5", "pantheon-toolsets==0.5.6", "spateo-release==1.1.2", "synago==0.1.1", "synago==0.1.2", "ufish==0.1.2", "ufish==0.1.3", "uprobe==0.1.3", "uprobe==0.1.4" ], "affectedVersions": [], "fixedVersions": [], "files": [ "hades-setup.pth", "_index.js" ], "paths": [], "services": [], "domains": [], "urls": [], "ips": [], "hashes": [], "processPatterns": [ "Python startup executions via *.pth configuration files" ], "networkPatterns": [], "telemetrySelectors": [ "Hades - The End for the Damned", "hades-setup.pth", "tartarean", "cerberus", "charon", "thanatos", "stygian" ] } }