TL;DR: A coordinated PyPI supply chain attack has compromised 26 packages (37 malicious wheel files), used Python startup hooks to run cross-runtime malware, and harvested cloud tokens, Kubernetes secrets, GitHub credentials, and AI assistant data across 14 systems, according to Orca Security. The lesson is that package trust, startup execution, and secret exposure must be governed as one identity problem, not as separate controls.
NHIMG editorial — based on content published by Orca Security: Hades campaign supply chain attack on PyPI packages
By the numbers:
- A coordinated supply chain attack targeting PyPI has compromised 26 packages (37 malicious wheel files) across bioinformatics, graph ML, deep-learning, and developer tooling ecosystems.
- The payload targets secrets across 14 systems, including AWS, GCP, Azure, Kubernetes, GitHub, PyPI, npm, RubyGems, SSH, Docker, .env files, shell histories, and AI assistant configurations.
Questions worth separating out
Q: What breaks when a compromised Python package can run code at interpreter startup?
A: Package trust breaks down because the code runs before a developer or pipeline explicitly imports anything.
Q: Why do stolen publishing credentials make supply chain attacks worse?
A: Publishing credentials turn a one-time compromise into a propagation event.
Q: How can security teams tell whether secret exposure has become a propagation risk?
A: Look for credential access that can reach package publishing systems, source control, CI, or cloud control planes from the same environment.
Practitioner guidance
- Remove or pin away from affected package versions immediately: Identify installations of the compromised releases, block them at the repository or lockfile level, and rebuild affected developer workstations and CI runners where possible.
- Rotate all exposed credentials in dependency and build paths: Prioritise GitHub tokens, package registry publishing credentials, cloud provider tokens, Kubernetes secrets, SSH keys, and Docker registry credentials.
- Hunt for persistence artifacts across endpoints and launch agents: Search for the named service files, lock files, and repository naming patterns tied to this campaign, then validate whether unauthorized commits or workflow modifications occurred.
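An added example (not from Orca Security's research or this editorial) of a startup-hook audit to accompany the hunting step above: it lists the code that Python's standard `site` module runs at interpreter startup, namely executable `import` lines in `.pth` files and `sitecustomize`/`usercustomize` modules. The page does not say which hook the campaign used, so covering these standard mechanisms is an assumption, and the function names are illustrative.

```python
"""Audit Python startup hooks in site-packages directories (added example)."""
import site
from pathlib import Path

# Modules the standard `site` module imports automatically at startup if present.
AUTO_MODULES = ("sitecustomize.py", "usercustomize.py")


def pth_exec_lines(pth_file):
    """Return (line_no, text) for lines `site` would exec() instead of adding as paths."""
    hits = []
    try:
        text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return hits  # unreadable file: nothing to report from its contents
    for no, line in enumerate(text.splitlines(), start=1):
        # site.py executes any .pth line that begins with "import" + space or tab.
        if line.startswith(("import ", "import\t")):
            hits.append((no, line.strip()))
    return hits


def find_startup_hooks(site_dirs):
    """Scan directories for code that runs before any explicit import."""
    findings = []
    for d in map(Path, site_dirs):
        if not d.is_dir():
            continue
        for pth in sorted(d.glob("*.pth")):
            for no, line in pth_exec_lines(pth):
                findings.append({"kind": "pth-exec", "path": str(pth), "line": no, "code": line})
        for name in AUTO_MODULES:
            if (d / name).is_file():
                findings.append({"kind": "auto-module", "path": str(d / name), "line": 0, "code": ""})
    return findings


def interpreter_site_dirs():
    """Site directories of the running interpreter (system-wide and per-user)."""
    dirs = list(site.getsitepackages()) if hasattr(site, "getsitepackages") else []
    dirs.append(site.getusersitepackages())
    return dirs


if __name__ == "__main__":
    for f in find_startup_hooks(interpreter_site_dirs()):
        print(f"{f['kind']:11} {f['path']}:{f['line']} {f['code'][:100]}")
```

Legitimate tooling (editable installs, for example) also ships executable `.pth` lines, so compare the output against a known-good baseline for the same environment rather than treating every hit as malicious.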
What's in the full article
Orca Security's full research covers the operational detail this post intentionally leaves for the source:
- Package-by-package breakdown of the affected PyPI releases and their malicious wheel files
- File and process indicators tied to the campaign, including persistence paths and lock artifacts
- Detection and response detail for teams that need to hunt exposed tokens across cloud, GitHub, and registry systems
- Runtime and asset-prioritisation guidance for environments that need to scope exposure beyond a static package list
PyPI supply chain attacks and cloud credential theft: what teams need to know
Explore further
Package trust is now an identity control, not a software distribution preference. The campaign shows that installation-time code execution can convert a benign dependency into a credential collection platform before any application logic runs. That means package governance, publishing rights, and runtime trust are part of the same control plane. Practitioners should treat dependency intake as identity exposure management, not only as vulnerability triage.
A few things that frame the scale:
- The attack sends decoy traffic to Anthropic AI servers to confuse network-level analysis, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
- Our research also shows that the average estimated time to remediate a leaked secret is 27 days, which is long enough for stolen credentials to be reused in a live campaign.
A question worth separating out:
Q: What should teams do after a package supply chain compromise is detected?
A: Contain first, then rotate. Isolate the affected hosts, remove or pin the malicious versions, hunt for persistence artifacts, and rebuild systems where possible before credential rotation. That sequence matters because revoking secrets too early can trigger deterrence logic or simply push the attacker to another compromised environment.