Merged
29 changes: 29 additions & 0 deletions vulns/executor-engine/PYSEC-0000-executor-engine.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-executor-engine.yaml
modified: 2026-06-30T20:06:13Z
published: 2026-06-30T20:06:13Z
aliases:
- MAL-2026-5298
summary: Malicious code in executor-engine (PyPI)
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of executor-engine were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
name: executor-engine
ecosystem: PyPI
purl: pkg:pypi/executor-engine
versions:
- 0.3.4
- 0.3.5
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/executor-engine/0.3.5/packages/e8/c5/ddb0a3baebdfd3a3a3e3f73dd1f851e94ee263a07720433adc68dc442058/executor_engine-0.3.5-py3-none-any.whl//executor_engine-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages
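Review bot: the `id` value `PYSEC-0000-executor-engine.yaml` carries a file extension and a zero placeholder number; an OSV id should be the bare allocated identifier (e.g. `PYSEC-<year>-<number>`), so confirm the real id is assigned and the `.yaml` suffix dropped before this lands. Separately, `versions` lists both `0.3.4` and `0.3.5` but the only `EVIDENCE` reference is the `0.3.5` wheel's `executor_engine-setup.pth`; either add an inspector link for the `0.3.4` artifact or say in `details` that both releases were confirmed, so the affected range is traceable.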
29 changes: 29 additions & 0 deletions vulns/executor-http/PYSEC-0000-executor-http.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-executor-http.yaml
modified: 2026-06-30T20:12:29Z
published: 2026-06-30T20:12:29Z
aliases:
- MAL-2026-5281
summary: Malicious code in executor-http (PyPI)
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of executor-http were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
ecosystem: PyPI
name: executor-http
purl: pkg:pypi/executor-http
versions:
- 0.1.3
- 0.1.4
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/executor-http/0.1.4/packages/bf/21/0ed9e6a37bee872e733993b53467b1d2d47468fd2cfab157fc9fb01ecf2a/executor_http-0.1.4-py3-none-any.whl//executor_http-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages
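Review bot: key order under `package` is `ecosystem`, `name`, `purl` here, while every other entry in this change uses `name`, `ecosystem`, `purl`; reorder for consistency so the files diff cleanly against each other. The same `id` placeholder (`PYSEC-0000-executor-http.yaml`, with `.yaml` suffix) and the same evidence gap apply: `0.1.3` is listed as affected but only the `0.1.4` wheel's `executor_http-setup.pth` is cited.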
29 changes: 29 additions & 0 deletions vulns/funcdesc/PYSEC-0000-funcdesc.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-funcdesc.yaml
modified: 2026-06-30T20:24:41Z
published: 2026-06-30T20:24:41Z
summary: Malicious code in funcdesc (PyPI)
aliases:
- MAL-2026-5300
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of funcdesc were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
name: funcdesc
ecosystem: PyPI
purl: pkg:pypi/funcdesc
versions:
- 0.2.2
- 0.2.3
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/funcdesc/0.2.3/packages/ee/07/a3a5d522d90245b00ba11d6f40608c46ce63b4dad69e51f1a197323c4053/funcdesc-0.2.3-py3-none-any.whl//funcdesc-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-pack
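Review bot: the second `ARTICLE` URL ends in `the-hades-campaign-pypi-pack`, whereas the executor-engine and executor-http entries in this same change cite `the-hades-campaign-pypi-packages`; this looks like a truncated paste, so verify the link resolves and align it with the other entries. Also note `summary` precedes `aliases` here but follows it in the first two entries; pick one order for the whole batch.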
29 changes: 29 additions & 0 deletions vulns/magique-ai/PYSEC-0000-magique-ai.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-magique-ai.yaml
modified: 2026-06-30T21:06:38Z
published: 2026-06-30T21:06:38Z
summary: Malicious code in magique-ai (PyPI)
aliases:
- MAL-2026-5294
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of magique-ai were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
name: magique-ai
ecosystem: PyPI
purl: pkg:pypi/magique-ai
versions:
- 0.4.4
- 0.4.5
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/magique-ai/0.4.5/packages/33/51/f36b85977bd09b12a88aff94531b608659312497c8856b73353603f11405/magique_ai-0.4.5-py3-none-any.whl//magique_ai-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-pack
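Review bot: same truncated stepsecurity URL (`...-pypi-pack` instead of `...-pypi-packages` as used in the executor-engine entry); fix alongside the other affected files. The `EVIDENCE` link covers only the `0.4.5` wheel (`magique_ai-setup.pth`), so the `0.4.4` entry under `versions` currently has no cited artifact; add one or note the basis in `details`.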
29 changes: 29 additions & 0 deletions vulns/magique/PYSEC-0000-magique.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-magique.yaml
modified: 2026-06-30T20:41:59Z
published: 2026-06-30T20:41:59Z
summary: Malicious code in magique (PyPI)
aliases:
- MAL-2026-5296
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of magique were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
name: magique
ecosystem: PyPI
purl: pkg:pypi/magique
versions:
- 0.6.8
- 0.6.9
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/magique/0.6.9/packages/fb/cf/376a097f8893ac5c63e3d067b233bf16de9e3c980d8da0ac887a5619b297/magique-0.6.9-py3-none-any.whl//magique-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-pack
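Review bot: the `EVIDENCE` reference points at `magique-0.6.9` only, yet `0.6.8` is also listed as affected; as with the sibling entries, add the `0.6.8` inspector link or state the basis for including it. The stepsecurity URL is again cut to `-pypi-pack` and should match the full slug used in the executor-engine and executor-http entries; `id` still carries the `PYSEC-0000` placeholder and `.yaml` suffix.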
29 changes: 29 additions & 0 deletions vulns/mrbios/PYSEC-0000-mrbios.yaml
@@ -0,0 +1,29 @@
id: PYSEC-0000-mrbios.yaml
modified: 2026-06-30T21:23:05Z
published: 2026-06-30T21:23:05Z
summary: Malicious code in mrbios (PyPI)
aliases:
- MAL-2026-5282
details: |
Part of the "Hades" wave of the Shai-Hulud supply-chain campaign. On 2026-06-08,
malicious phantom releases of mrbios were published to PyPI using stolen
credentials. The package executes a bundled JavaScript payload (via the Bun
runtime) on import that harvests and exfiltrates credentials and attempts
self-propagation. This entry is a summary; behavior may not be fully
characterized here. See the linked references for detailed analysis and
indicators of compromise.
affected:
- package:
name: mrbios
ecosystem: PyPI
purl: pkg:pypi/mrbios
versions:
- 0.1.1
- 0.1.2
references:
- type: EVIDENCE
url: https://inspector.pypi.io/project/mrbios/0.1.2/packages/57/fb/c33c8829af52faa727d93f68688a53322e10e5f617c6b26f86f9c9ad35b9/mrbios-0.1.2-py3-none-any.whl//mrbios-setup.pth
- type: ARTICLE
url: https://www.endorlabs.com/learn/shai-hulud-hades-wave-hits-six-pypi-bioinformatics-packages
- type: ARTICLE
url: https://www.stepsecurity.io/blog/the-hades-campaign-pypi-pack
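Review bot: same three issues as the preceding entries, all visible in this hunk: placeholder `id` with `.yaml` suffix, truncated `the-hades-campaign-pypi-pack` URL, and evidence cited only for `0.1.2` (`mrbios-setup.pth`) while `0.1.1` is also under `versions`. Since six files share the identical `details` block, consider fixing the `id` format, reference slug and per-version evidence in one pass across all of them before merge.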