The latest attacks, which hit 37 PyPI wheels and 19 code packages, show a continued evolution of the persistent software supply chain threat.
June 8, 2026
Threat actors have struck the software supply chain yet again, this time hitting the Python Package Index (PyPI) with Mini Shai-Hulud in an attempt to spread poisoned code. In the latest campaign, attackers embraced a "Hades" naming convention as they continue to plague the open source developer ecosystem.
New research from Socket detailed a fresh wave of attacks featuring a variant of the Shai-Hulud worm, which has targeted npm and PyPI code packages since last September. The latest campaign compromised 37 malicious PyPI wheels across 19 packages, according to a blog post by the Socket Research Team published Sunday.
"At the time of writing, PyPI had already quarantined a number of the affected releases; we reported the remaining ones to the PyPI security team," the blog post said.