Shai-Hulud — Hades Branch Poisons 23 PyPI Packages Targeting MCP Developers

AI relevance: The Shai-Hulud supply chain campaign now includes MCP-themed PyPI typosquats and a payload that hides a fake system-instruction block inside JavaScript comments to poison LLM-assisted security triage — directly targeting the AI agent tool ecosystem.

• Three delivery branches. The Hades family now operates via (a) .pth startup hooks that download and execute the Bun runtime at Python startup, (b) compiled .abi3.so extensions with embedded _index.js that fire on dlopen(), bypassing source-only review, and (c) a langchain-core-mcp loader variant that scans sys.path for payloads elsewhere in the environment — a split-staging architecture that defeats co-location detection rules.
• 23 new malicious PyPI artifacts. The wave spans three thematic clusters: bioinformatics packages (trojanized legitimate research tools like ensmallen and phenopacket-store-toolkit), MCP/AI-themed packages (langchain-core-mcp, openai-mcp, instructor-mcp, tiktoken-mcp, ray-mcp-server), and typosquats (rsquests for requests, tlask for flask).
• LLM anti-analysis technique. The _index.js payload embeds a large fake system-instruction block inside a non-executing JavaScript comment at the top of the file. The comment is skipped at runtime by Bun but is designed to trigger safety refusals and context pollution in AI-assisted code review pipelines. The actual malicious code lives after the comment, wrapped in try{eval(...)} with a ROT-style character-code substitution cipher.
• Credential harvesting at scale. Once executed, the payload harvests GitHub, npm, PyPI, RubyGems, and JFrog tokens; AWS, Azure, and GCP credentials; Kubernetes service accounts; SSH keys, Docker configs, shell histories, and .env files — the full AI developer workstation attack surface.
• Campaign totals now at 471 artifacts. The broader Shai-Hulud operation (Mini Shai-Hulud, Miasma, Hades clusters) now spans 411 npm artifacts across 106 packages and 60 PyPI artifacts across 37 packages, per Socket Threat Research.

Why it matters

The MCP-themed package names (langchain-core-mcp, openai-mcp, tiktoken-mcp) show attackers are deliberately targeting developers building Model Context Protocol integrations — the same developers who will be wiring these packages into agents with access to APIs, databases, and cloud infrastructure. The split-staging sys.path loader and LLM-comment anti-analysis technique demonstrate rapid evolution beyond simple typosquatting.

What to do

• Block or remove all 23 identified malicious PyPI artifacts (see IOCs below).
• Audit requirements.txt, pyproject.toml, and lock files for any mcp-themed packages installed recently — verify against PyPI package registries.
• Rotate any tokens or credentials found on machines that may have installed these packages.
• Pin package versions and use dependency verification (hashes, provenance) rather than bare version ranges.
• Scan agent skills and MCP server dependencies with a tool like NVIDIA SkillSpector before installation.

IOCs — malicious PyPI artifacts

dreamgen 1.8.1 · embiggen 0.11.97 · ensmallen 0.8.101 · gpsea 0.9.14 · instructor-mcp 1.15.2–1.15.3 · langchain-core-mcp 1.4.2–1.4.3 · mem8 6.0.1 · mflux-streamlit 0.0.3–0.0.4 · openai-mcp 2.41.1–2.41.2 · orchestr8-platform 3.3.2 · phenopacket-store-toolkit 0.1.7 · ppkt2synergy 0.1.1 · pyphetools 0.9.120 · ray-mcp-server 0.2.1 · rlask 3.1.7 · rsquests 2.34.3 · tiktoken-mcp 0.13.1–0.13.2 · tlask 3.1.4

Sources

• Socket Threat Research — Mini Shai-Hulud, Miasma and Hades worms
• The Hacker News — Hades PyPI attack
• DEV — Miasma worm supply chain analysis