THREAT OPS › Threat News › Shai-Hulud Campaign Evolution: Miasma, Hades, and AI Scanner Evasion
Shai-Hulud Campaign Evolution: Miasma, Hades, and AI Scanner Evasion
IntroductionSince Zscaler ThreatLabz published its analysis of Shai-Hulud V2 in November 2025, the campaign has continued to evolve in ways that distinguish it from more typical software supply chain attacks. Over the last six months, the activity expanded beyond npm into the Python Package Index (PyPI), shifted from maintainer-focused compromise to CI/CD abuse, undermined trust in Suppl
MITRE ATT&CK techniques
- Adversary-in-the-MiddleT1557
- JavaScriptT1059.007
- Malicious FileT1204.002
- CredentialsT1589.001
- Malicious PackageAML.T0011.001
- System PromptAML.T0069.002
Indicators of compromise
- api.anthropic.comdomain