Vulnerability  ·  2026-06-18

Shai-Hulud/Hades PyPI Supply-Chain Worm Targets AI/ML Packages with LLM Scanner Evasion and Credential-Wiper Daemon

Vulnerability  ·  High impact  ·  Global
The Hades wave of the Shai-Hulud/Miasma supply-chain campaign (attributed to UNC6780/TeamPCP) poisoned 26+ PyPI packages on June 8, 2026, specifically targeting AI/ML and bioinformatics tooling. The campaign introduced LLM scanner evasion (prompt injection in the payload targeting AI-based triage tools) and a credential-wiper deterrent (a daemon that threatens destructive action if stolen credentials are rotated). The worm targets AI-specific credentials including MCP server configs, Anthropic/OpenAI API keys, and AI coding agent tokens. A langchain-core-mcp typosquat was among the malicious packages, directly targeting LangChain users. The Zscaler ThreatLabz analysis (verified full text) documents the campaign's evolution from V1 (Sept 2025) through the June 2026 IDE and PyPI waves, with the source code publicly released under MIT on May 12, 2026 — turning it into reusable attack infrastructure.
This campaign is the most sophisticated AI-ecosystem supply chain attack observed to date. It directly targets AI developers and their tooling, exfiltrating the AI API keys and model provider credentials that gate access to frontier models. The LLM scanner evasion technique — embedding prompt injection in malicious payloads to fool AI-based security analyzers — is a novel and concerning escalation that undermines AI-assisted security tooling. The wiper daemon inverts the incident response playbook. The public MIT release of the worm source code means any threat actor can now run this campaign.
Compromised packages ship a *-setup.pth file that executes on every Python interpreter startup (before any import). The hook downloads the Bun JavaScript runtime from GitHub and executes an obfuscated _index.js payload that reads process memory (via /proc/{pid}/mem on Linux, Mach APIs on macOS, ReadProcessMemory on Windows) to harvest credentials across 14 AI/cloud/DevOps systems. Stolen data is encrypted with AES-256-GCM and RSA-2048 and exfiltrated to attacker-controlled GitHub repos. A 'gh-token-monitor' persistence daemon threatens destructive action if stolen tokens are rotated. The payload embeds prompt injection text to evade LLM-based security scanners.
26+ PyPI packages across bioinformatics, graph-ML, and deep-learning tooling (including langchain-core-mcp typosquat); Python environments on any OS; CI/CD pipelines
Audit Python environments for *-setup.pth files from unknown sources. Check installed packages against IOC lists (embiggen, ensmallen, gpsea, langchain-core-mcp, rsquests, tlask, rlask, and others). Isolate affected systems before rotating credentials to avoid triggering the wiper daemon. Pin packages to verified hashes. Monitor for stygian-cerberus-* and tartarean-charon-* GitHub repository names (C2 exfil repos).
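An added example (not taken from the cited analyses) of the audit described above: it lists .pth files in a site-packages directory that match the *-setup.pth pattern or contain lines the interpreter executes at startup, and flags installed distributions whose names appear in the IOC list on this page. The function names and finding labels are this example's own.

```python
import re
import site
from pathlib import Path

# Package names this page lists as malicious (the page notes there are others).
IOC_PACKAGES = {"embiggen", "ensmallen", "gpsea", "langchain-core-mcp",
                "rsquests", "tlask", "rlask"}

def normalize(name):
    """PEP 503 normalization, so 'LangChain_Core.MCP' == 'langchain-core-mcp'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def executable_lines(pth_path):
    """Return the lines site.py would exec() at startup (they start with 'import')."""
    text = Path(pth_path).read_text(encoding="utf-8", errors="replace")
    return [ln for ln in text.splitlines() if ln.startswith(("import ", "import\t"))]

def audit_site_dir(site_dir):
    """Return (kind, name, code_lines) findings for one site-packages directory."""
    site_dir, findings = Path(site_dir), []
    for pth in sorted(site_dir.glob("*.pth")):
        code = executable_lines(pth)
        if pth.name.lower().endswith("-setup.pth"):
            # File name pattern given on this page.
            findings.append(("pth-name-match", pth.name, code))
        elif code:
            # Any other .pth that runs code: confirm which package owns it.
            findings.append(("pth-executes-code", pth.name, code))
    for meta in sorted(site_dir.glob("*.dist-info")):
        # Directory name is "<name>-<version>.dist-info".
        name = normalize(meta.name[: -len(".dist-info")].rsplit("-", 1)[0])
        if name in IOC_PACKAGES:
            findings.append(("ioc-package", name, []))
    return findings

if __name__ == "__main__":
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    for d in sorted(dirs):
        for kind, name, code in audit_site_dir(d):
            print(f"[{kind}] {d}/{name}")
            for ln in code:
                print(f"    {ln[:120]}")
```

Legitimate packages also ship executable .pth files (setuptools' distutils-precedence.pth is one), so a pth-executes-code finding is a prompt to identify the owning package, not a verdict.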
Sources
Zscaler ThreatLabz — Shai-Hulud Campaign Evolution: Miasma, Hades, and AI Scanner Evasion (verified full text)
Let's Data Science — Hades Worm technical analysis (verified full text)
news4hackers — Mini Shai-Hulud Hades PyPI analysis