{"slug": "meet-hades-the-malware-that-lies-to-ai-security-agents", "title": "Meet Hades: The malware that lies to AI security agents", "summary": "Security researchers at StepSecurity have discovered the Hades Campaign, a sophisticated supply chain malware targeting Python developer environments that uses the Bun toolkit to execute multi-layer payloads capable of data theft, lateral movement, and hijacking AI security systems via adversarial prompt injection. The campaign, attributed to the Miasma threat actor, compromised packages including the popular C++ library *ensmallen* and several computational biology tools, with the malware embedding obfuscated scripts in Python's `__init__.py` files to gain initial access. This marks a significant escalation in supply chain attacks by combining memory scraping, self-replicating worm logic, and LLM-targeted evasion techniques that can trick AI scanners into classifying malicious code as safe.", "body_md": "Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself.\n\nThe newly-discovered Hades Campaign is a “highly sophisticated” [supply chain compromise](https://www.infoworld.com/article/4181836/patching-fast-and-slow-ruby-devs-delay-to-defend-against-supply-chain-attack.html) that targets Python developer environments and runs as soon as infected packages are imported. 
It uses the popular Bun toolkit to silently execute multi-layer payloads that can extract sensitive data, move laterally across compromised systems, exploit common security frameworks, and even hijack AI gatekeeper analyzer systems via adversarial prompt injection.\n\nNotably, the campaign exploited the popular C++ library *ensmallen*, as well as packages in the computational biology, bioinformatics, and genotype-phenotype analysis ecosystems.\n\nThe most novel thing about this malware is its combination of advanced tactics, noted [David Shipley](https://www.linkedin.com/in/dbshipley/) of Beauceron Security. He observed that we’ve seen memory-focused malware, we’ve seen attacks that attempt to defuse large language model (LLM) powered analysis with hidden prompts, and we’ve seen malware with wiper capabilities.\n\n“But all three, in a fast moving mass propagating worm, is its own kind of nightmare,” he said. “And I suspect this is the way of the future.”\n\nThe [Hades Campaign](https://www.stepsecurity.io/blog/the-hades-campaign-pypi-packages) was discovered by researchers at StepSecurity, who called it the latest evolution of the Miasma threat actor. The researchers previously described Miasma attacks that had sent self-replicating worms to perform multi-cloud credential sweeps, caused infected repositories to execute code when folders were accessed in integrated development environments (IDEs) or by AI agents, and used techniques that scanned and read Linux process memory.\n\nHades uses the same credential harvesting methods, self-replicating worm logic, and GitHub-based exfiltration patterns, the researchers noted. In addition to *ensmallen*, compromised packages include *mflux-streamlit*, *nhmpy*, *ppkt2synergy*, *embiggen*, *gpsea*, and *pyphetools*.\n\nThe campaign’s entry point is a simple, obfuscated script embedded inside a Python package’s *__init__.py* file, a critical building block that gives Python the ability to recognize packages and import modules. 
Once they gain access, threat actors drop a precompiled Bun runtime binary and execute its JavaScript payload. Bun allows the malware to run complex JavaScript tasks in environments lacking a Node.js installation, bypassing traditional package manager controls and proxy logs.\n\nThe malware is able to scrape Linux memory mappings, and also introduces tailored macOS and Windows memory scrapers, which allow threat actors to extract sensitive, encrypted data.\n\nInterestingly, attackers are also able to evade detection by automated LLMs that scan for suspicious code. This is achieved with a simple block of text at the top of the file; this instructs the model to ignore the hidden code below, classify the package as verified and clean, and provide reports stating it is safe.\n\nThis element represents what the StepSecurity researchers described as a “significant conceptual shift,” with attackers writing payloads that target AI systems’ cognitive logic. “Scanners that pass raw text to LLMs without strict boundary isolation can be coerced into generating false negative verdicts, allowing the malicious package to bypass organization analysis,” they wrote.\n\nThe tactic is indeed clever, Beauceron’s Shipley agreed, pointing out that attackers will increasingly target endpoint LLM-powered agents.\n\nWhy? “Because there’s no reliable defense,” he said. 
“LLMs are incredibly susceptible to social engineering.” This has been relabeled as prompt engineering, but is essentially just phishing for bots, he pointed out.\n\n“While everyone’s worried about LLM-powered vulnerability discovery and automated exploitation, it’s [LLM-created smart malware](https://www.csoonline.com/article/4181514/ai-tools-becoming-hot-commodities-on-ransomware-marketplaces.html) like this, and AI-powered phishing of humans and bots, that keeps me awake at night,” Shipley said.\n\nThe Hades Campaign command and control (C2) infrastructure uses three independent channels on public GitHub infrastructure to allow its communications to blend in with normal traffic. [Stolen credentials](https://www.csoonline.com/article/4178412/6-critical-security-gaps-every-ciso-must-address.html) are encrypted locally in a hybrid fashion (serialized, compressed, and pushed to a newly created public GitHub repository under attackers’ control). Exfiltrated repositories carry the description “Hades — The End for the Damned.”\n\nResearchers noted that a core component of this campaign is its ability to propagate and move laterally across networks. It exploits the very methods meant to protect systems, including Secure Shell (SSH) and Secure Copy Protocol (SCP), OpenID Connect (OIDC), and Supply-chain Levels for Software Artifacts (SLSA).\n\nFor instance, when running inside a GitHub Actions workflow runner, the malware checks for OIDC variables, then bypasses registry signature policies and generates cryptographically signed SLSA provenance bundles via Sigstore. It can then fetch target libraries and inject the obfuscated script and JavaScript payload. 
From there, it can publish compromised versions to the Python Package Index (PyPI) repository and node package manager (npm) using the target’s credentials and the generated Sigstore bundle.\n\n“This ensures that the published package appears to have valid, cryptographically verified build provenance from the organization’s official GitHub Actions build environment,” the researchers explained.\n\nFurther, if a harvested GitHub token has write permissions, the malware will target repositories to extract secrets using GitHub Actions runners. This occurs “directly from the runner’s address space without ever writing them to disk or making a suspicious network connection,” the researchers noted.\n\nThe malware also targets rule files and configuration directories for 14 different AI agents and systems, planting custom prompt instructions or executing hooks that trigger a *bun run bootstrap* command when the victim loads or consults the workspace with their AI assistant. Finally, it establishes persistence on the workstation and monitors for the presence of the stolen token; if that token is revoked, it executes a wiper process to erase the user’s files.", "url": "https://wpnews.pro/news/meet-hades-the-malware-that-lies-to-ai-security-agents", "canonical_source": "https://www.infoworld.com/article/4182692/meet-hades-the-malware-that-lies-to-ai-security-agents.html", "published_at": "2026-06-09 05:05:47+00:00", "updated_at": "2026-06-12 09:56:50.510699+00:00", "lang": "en", "topics": ["ai-safety", "large-language-models", "ai-agents", "artificial-intelligence"], "entities": ["David Shipley", "Beauceron Security", "Hades Campaign", "StepSecurity", "ensmallen", "Bun"], "alternates": {"html": "https://wpnews.pro/news/meet-hades-the-malware-that-lies-to-ai-security-agents", "markdown": "https://wpnews.pro/news/meet-hades-the-malware-that-lies-to-ai-security-agents.md", "text": "https://wpnews.pro/news/meet-hades-the-malware-that-lies-to-ai-security-agents.txt", "jsonld": 
"https://wpnews.pro/news/meet-hades-the-malware-that-lies-to-ai-security-agents.jsonld"}}