PyPI
Browse all articles, tutorials, and guides about PyPI
2 posts
Posts
DevOps | 10 min read
Shai-Hulud Reaches PyPI: The Hades Wave That Runs Before You Import It
The Shai-Hulud worm jumped to PyPI on June 7. The Hades wave hides in 19 Python packages, runs at interpreter startup through a .pth hook before you import anything, and steals your CI/CD secrets.
Security | 11 min read
Mini Shai-Hulud: PyTorch Lightning Just Stole Your CI Secrets
On April 30 a supply chain worm pushed malicious versions of PyTorch Lightning (10M+ downloads/month), intercom-client, and intercom-php to PyPI, npm, and Packagist in 48 hours. It steals every credential in your CI and propagates through your own GitHub tokens. Here is what to check and what to rotate.