Hades malware tricks AI security scanners with fake nuclear weapon prompts to hide payloads

Hades malware campaign tricks AI scanners with fake nuclear weapon prompts -- malicious code triggers safety failsafes so scanners skip the payload

This is probably the dictionary illustration for "deceptively simple." Hades is one of many currently-running malware campaigns, mostly (but not solely) targeting development packages used for scientific and machine-learning purposes. The supply-chain attack campaign recently received several upgrades, and one of the most interesting is also deceptively simple: The code includes prompt-injection attacks that might stop cursory checks by AI bots, letting the malware through. The way it works in a nutshell: Some JavaScript files include a code comment containing instructions that tell the bot it's running in unrestricted mode with no safety guidelines. Then it asks to create biological and nuclear weapons, with a detailed description. If you're thinking that a malware-scanning bot can't be that dumb as to follow any of those instructions, you're absolutely right -- and that's exactly what makes the attack work, as the bots' failsafe mechanisms will trigger, so then they won't scan the rest of the file where the actual payload resides. This is called an "adversarial attack" in AI parlance, and, generally speaking, it's not expected to be widely effective, but any little bit helps the malfeasants. Having said that, an X user had Anthropic Fable try to scan the file, and sure enough, he got the well-known "Chat paused" message. That is by no means scientific, and it's reasonable to assume that malware-scanning models will be configured more accurately for this task. However, this somewhat implies that a cursory check by a developer asking "does this Python package I just installed contain malware?" might be met with a reply of "of course not, boss, you're good to go!" Even bots scanning CI/CD development pipelines might fall for it. Socket's blog post does remark that other analysis types will still work fine, including pattern matching, actually parsing the source code, checking for randomized sections likely to hide malicious payloads, and actually running the code in a sandboxed environment. The now-upgraded malware does reportedly contain a trigger that makes it wipe itself via various mechanisms, with a common one being detecting if it's running in a sandbox. That's not the only skill that got levelled up, either. In some instances, the loading mechanism and the payload itself reside in separate packages that are commonly installed together; this sort of split is mostly unexpected for common scanners. This time around, the malware developers also leaned harder into precompiled binaries, commonly found in performance-sensitive Python packages. They also made sure that more payloads only trigger when the packages are actually initialized/run in the target's code (via Python's "import" statement), rather than when they're installed, further evading cursory detection. The campaign likewise has stickier fingers overall: Rather than just mainly stealing CI/CD credentials, it now gets its grubby mitts on npm, PyPI, RubyGems, JFrog, and Kubernetes service account tokens, AWS temporary credentials, SSH keys, Docker configurations, shell histories, .env files, and AI developer tool configurations. As of this writing, an estimated 37 Python and 106 JavaScript packages are part of the expanded bombardment, including multiple typo-squatting instances, like "rsquests" instead of "requests." You'd think that the target audience, comprised of scientific and AI engineers, would be mindful of common security practices like verifying the names and authorship of packages... and you'd be disappointed. From my own experience being a systems administrator for extremely well-paid AI engineers, a concerning number of them don't even know how to configure Git, or the basics of how email works. Let that sink in for a second. Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

Meet Hades: The malware that lies to AI security agents

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based code analysis systems into overlooking malicious payloads. Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself. The newly-discovered Hades Campaign is a "highly sophisticated" supply chain compromise that targets Python developer environments and runs as soon as infected packages are imported. It uses the popular Bun toolkit to silently execute multi-layer payloads that can extract sensitive data, move laterally across compromised systems, exploit common security frameworks, and even hijack AI gatekeeper analyzer systems via adversarial prompt injection.

Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer

The Miasma supply chain campaign has sparked a fresh attack wave called Hades, this time involving 37 malicious wheel artifacts across 19 packages in the Python Package Index (PyPI) registry, as the Mini Shai-Hulud-style attacks continue to be refined and splintered to target specific ecosystems. "The compromised releases shipped a *-setup.pth file that attempts to execute automatically during Python startup, download the Bun JavaScript runtime, and run an obfuscated JavaScript payload named _index.js," Socket said in a new analysis. The list of identified packages is below - * bramin 0.0.2, 0.0.3, 0.0.4 * cmd2func 0.2.2, 0.2.3 * coolbox 0.4.1, 0.4.2 * dynamo-release 1.5.4 * executor-engine 0.3.4, 0.3.5 * executor-http 0.1.3, 0.1.4 * funcdesc 0.2.2, 0.2.3 * magique 0.6.8, 0.6.9 * magique-ai 0.4.4, 0.4.5 * mrbios 0.1.1, 0.1.2 * napari-ufish 0.0.2, 0.0.3 * nucbox 0.1.2, 0.1.3 * okite 0.0.7, 0.0.8 * pantheon-agents 0.6.1, 0.6.2 * pantheon-toolsets 0.5.5, 0.5.6 * spateo-release 1.1.2 * synago 0.1.1, 0.1.2 * ufish 0.1.2, 0.1.3 * uprobe 0.1.3, 0.1.4 Like in the previous Shai-Hulud and Miasma campaigns, the malicious payload downloads and installs the Bun JavaScript runtime, which is then used to launch a heavily obfuscated JavaScript stealer that can harvest a wide range of data from developer systems. This includes secrets associated with GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, Anthropic, AWS, GCP, Azure, and Kubernetes, along with Docker configurations, Vault tokens, SSH keys, shell histories, .env files, .npmrc files, .pypirc files, Claude/MCP configurations, and other local or runner-accessible credentials. What's changed this time around is the campaign marker. While previous iterations exported the harvested data to a public GitHub repository with the description "Miasma: The Spreading Blight," "Miasma: The Spreading Blight," and "Miasma - The Spreading Blight," the latest wave includes the repository descriptions - * Hades - The End for the Damned * Hades * The End for the Damned "That makes Hades best understood as a PyPI branch of the same Mini Shai-Hulud / Miasma lineage, not a standalone Python malware incident," the application security company said. "The core playbook remains the same: abuse trusted package channels, execute before normal package use, stage a Bun-powered JavaScript payload, steal developer and CI/CD credentials, and use GitHub-centric exfiltration and propagation logic." What has changed this time around is the use of a *-setup.pth file that's processed by Python's "site" module during interpreter startup, resulting in the execution of the malicious payload after installation without requiring the victim to import the poisoned package. The payload, in turn, downloads and runs Bun from GitHub and runs the stealer, but not before checking if the system corresponds to the Russian locale. "This is the Python equivalent of the npm install-hook problem that Shai-Hulud and Miasma repeatedly exploit," Socket explained. "The syntax is different, but the security consequence is the same: dependency installation creates an execution edge before application code is reviewed or invoked." Hades Cluster Attempts to Mislead AI Security Scanners Also compromised as part of the Hades campaign are a number of packages related to the computational biology, bioinformatics, and genotype-phenotype analysis ecosystem - * embiggen 0.11.97 * ensmallen 0.8.101 * gpsea 0.9.14 * mflux-streamlit 0.0.3, 0.0.4 * nhmpy 2.4.7 * ppkt2synergy 0.1.1 * pyphetools 0.9.120 Interestingly, this cluster employs a different approach in that the entry point is embedded inside the package's "__init__.py" file as an obfuscated single-line import hook. However, the outcome is the same: Downloading and running the Bun runtime, followed by the execution of the JavaScript payload. "The use of the Bun runtime remains a consistent theme," StepSecurity said. "Downloading Bun as a standalone ZIP file allows the malware to run complex JavaScript tasks in environments that lack a Node.js installation, bypassing traditional package manager controls and network proxy logs." In what has been characterized as a novel artificial intelligence (AI) defense evasion technique, the malware also incorporates a plain-text prompt injection that attempts to deceive Large Language Model (LLM)-based package analysis tools to instruct the model to classify the package as safe. On top of that, the malware queries GitHub commits for the keyword "TheBeautifulSnadsOfTime" to extract a Base64-encoded string containing a JavaScript payload. It also polls GitHub for commits matching the keyword "firedalazer" so as to fetch a Python-based dropper and execute it. Some of the important features built into the Hades malware are listed below - * Replicate and spread laterally across developer networks via SSH or SCP, push trojanized versions of PyPI packages from compromised systems by exploiting the developers' OpenID Connect (OIDC) trust configurations. * Target GitHub repositories to extract organization secrets using GitHub Actions runners if the harvested GitHub token has appropriate write permissions. * Backdoor local workspace folders to trigger code execution when analyzed by AI assistants or opened in IDEs. Targets include Anthropic Claude, OpenAI Codex, Google Gemini, Microsoft Copilot, Cline, Aider, Tabby, Amazon Q, Cody, Bolt, and Continue. * Install a background service named "gh-token-monitor" that acts as a wiper by removing all data ("rm -rf ~/; rm -rf ~/Documents") if the stolen GitHub token is revoked by the developer. "A key capability of the Miasma actor is reading the process memory of the GitHub Actions runner (the Runner.Worker process) to extract secrets," security researcher Rohan Prabhu said. "In earlier campaigns, this was limited to Linux systems using /proc/{pid}/mem. The Hades Campaign introduces tailored macOS and Windows memory scrapers." The development comes as StepSecurity revealed that an unknown attacker compromised the GitHub account ("LeonOstrez") linked to "Pythagora-io/gpt-pilot," a popular open-source AI developer tool, and force-pushed a variant of the Shai-Hulud credential-stealing worm to the main branch. The malware is designed to activate silently when an unsuspecting developer runs the project, while avoiding systems with a Russian locale. "The malware, a variant of the Shai-Hulud worm, was stopped by an unlikely defender: ruff, a Python code formatter," Ashish Kurmi, co-founder and CTO of StepSecurity, said. "The attacker tried twice to get the malicious code past CI and failed both times because their injected Python file did not match the project's formatting and linting rules." Software supply chain security company Snyk has described these attacks as part of the Shai-Hulud / Miasma lineage, with each wave leveraging a Bun-runtime obfuscated stealer and combining it with "new persistence, new exfiltration routes, and new ways to fire code automatically at install or build time." "The Miasma campaign proves that having signed keys and authenticated maintainer accounts are no longer an absolute guarantee of safety," Cloudsmith said. "When upstream registries and repos are compromised, public code becomes one of the easiest, and most direct, ways of getting pwned."