Socket Security researchers documenting the Hades wave of the Mini Shai-Hulud/Miasma supply chain campaign found that malicious PyPI wheels targeting bioinformatics and Model Context Protocol (MCP) developers embed a fake prompt-injection header inside the obfuscated JavaScript stealer file. The header fills a JavaScript block comment with fabricated CBRN-themed text - references to nuclear and biological weapon designs - intended to trigger safety refusals in LLM-based package analysis tools, causing the scanner to halt before it reaches the actual credential-stealing payload. Citizen Lab researcher John Scott-Railton and security commentator Bruce Schneier both cited this as a concrete demonstration that aggressive LLM safety refusals create second-order attack surfaces. Traditional static analysis - YARA, grep, entropy checks, AST parsing, and behavioral sandboxing - remains effective against the underlying payload, which steals GitHub, GCP, Azure, and CI/CD secrets.
Background: Hades and the Shai-Hulud/Miasma campaign
Socket Security researchers identified the Hades wave as a PyPI branch of the ongoing Mini Shai-Hulud/Miasma supply chain campaign, which has now compromised more than 100 npm and PyPI packages. The Hades cluster specifically targeted bioinformatics utilities and packages used by Model Context Protocol (MCP) developers. Affected PyPI packages include bioinformatics tools such as embiggen, ensmallen, gpsea, pyphetools, and ppkt2synergy, as well as developer tooling packages including magique, executor-engine, and pantheon-agents, according to Socket.
The AI evasion technique
Per Socket's analysis, the malicious _index.js stealer file begins with a large non-executing JavaScript block comment packed with fabricated text referencing CBRN (chemical, biological, radiological, and nuclear) weapon designs. The comment does not affect runtime execution - the actual payload follows in an obfuscated character-code array with a substitution function - but it is positioned at the start of the file where LLM-based package scanners read first. According to Socket, LLM scanners that ingest file content without clearly isolating it as untrusted data may hit their own safety-refusal rules before reaching the malicious code, producing a false-negative classification.
Broader implications
Citizen Lab researcher John Scott-Railton wrote on X that this is "the cleanest practical example I can think of for why over-indexing on first order safety alignment is risky," adding that "when closed (and open) models ship with aggressive refusals, they will be sprinkled with second-order blindspots that attackers will discover and exploit." Bruce Schneier independently highlighted the technique, noting it illustrates a failure mode specific to AI-mediated triage pipelines that do not treat file content as untrusted data.
What the payload steals
Per Socket, the Hades JavaScript stealer - staged through a downloaded Bun JavaScript runtime - targets GitHub, npm, PyPI, RubyGems, JFrog, CircleCI, AWS, GCP, Azure, and Kubernetes credentials, along with Docker configurations, SSH keys, shell history, .env files, Claude/MCP configurations, and CI/CD runner secrets.
Defenses that remain effective
Socket, StepSecurity, and Schneier all note that conventional static and dynamic analysis is not affected by the LLM-refusal trick. YARA rules, grep/strings extraction, entropy analysis, AST parsing, deobfuscation routines, and isolated behavioral sandboxing reach the actual payload regardless of comment content. Security teams using LLM-assisted triage should treat file content - including headers and comments - as untrusted data, not as trusted prompt input.
Scoring Rationale #
A confirmed, named supply chain campaign (Hades/Shai-Hulud/Miasma) has operationalized LLM safety-refusal exploitation as a practical evasion technique in malicious PyPI packages, making this directly relevant to ML/AI security practitioners and developer tooling teams. The story is not paradigm-changing - conventional static analysis remains effective and the underlying campaign was already covered - but the AI evasion angle is novel, documented, and now actively exploited, warranting a notable-tier score. Schneier's and Scott-Railton's commentary elevates its signal value for the AI/security practitioner audience.
Practice interview problems based on real data
1,500+ SQL & Python problems across 15 industry datasets — the exact type of data you work with.