{"id":8422,"date":"2026-06-09T05:10:14","date_gmt":"2026-06-09T05:10:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8422"},"modified":"2026-06-09T05:10:14","modified_gmt":"2026-06-09T05:10:14","slug":"meet-hades-the-malware-that-lies-to-ai-security-agents","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8422","title":{"rendered":"Meet Hades: The malware that lies to AI security agents"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself.<\/p>\n<p>The newly-discovered Hades Campaign is a \u201chighly sophisticated\u201d <a href=\"https:\/\/www.infoworld.com\/article\/4181836\/patching-fast-and-slow-ruby-devs-delay-to-defend-against-supply-chain-attack.html\" target=\"_blank\" rel=\"noopener\">supply chain compromise<\/a> that targets Python developer environments and runs as soon as infected packages are imported. It uses the popular Bun toolkit to silently execute multi-layer payloads that can extract sensitive data, move laterally across compromised systems, exploit common security frameworks, and even hijack AI gatekeeper analyzer systems via adversarial prompt injection.<\/p>\n<p>Notably, the campaign exploited the popular C++ library <em>ensmallen<\/em>, as well as packages in the computational biology, bioinformatics, and genotype-phenotype analysis ecosystems.<\/p>\n<p>The most novel thing about this malware is its combination of advanced tactics, noted <a href=\"https:\/\/www.linkedin.com\/in\/dbshipley\/\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of Beauceron Security. 
He noted that we\u2019ve seen memory-focused malware, we\u2019ve seen attacks that attempt to defuse large language model (LLM) powered analysis with hidden prompts, and we\u2019ve seen malware with wiper capabilities.<\/p>\n<p>\u201cBut all three, in a fast moving mass propagating worm, is its own kind of nightmare,\u201d he said. \u201cAnd I suspect this is the way of the future.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How Hades works<\/h2>\n<p>The <a href=\"https:\/\/www.stepsecurity.io\/blog\/the-hades-campaign-pypi-packages\" target=\"_blank\" rel=\"noopener\">Hades Campaign<\/a> was discovered by researchers at StepSecurity, who called it the latest evolution of the Miasma threat actor. The researchers previously described Miasma attacks that had sent self-replicating worms to perform multi-cloud credential sweeps, caused infected repositories to execute code when folders were accessed in integrated development environments (IDEs) or by AI agents, and used techniques that scanned and read Linux process memory.<\/p>\n<p>Hades uses the same credential harvesting methods, self-replicating worm logic, and GitHub-based exfiltration patterns, the researchers noted. In addition to <em>ensmallen<\/em>, compromised packages include <em>mflux-streamlit<\/em>, <em>nhmpy<\/em>, <em>ppkt2synergy<\/em>, <em>embiggen<\/em>, <em>gpsea<\/em>, and <em>pyphetools<\/em>.<\/p>\n<p>The campaign\u2019s entry point is a simple, obfuscated script embedded inside a Python package\u2019s <em>__init__.py<\/em> file, a critical building block that gives Python the ability to recognize packages and import modules. Once they gain access, threat actors drop a precompiled Bun runtime binary and execute its JavaScript payload. 
Bun allows the malware to run complex JavaScript tasks in environments lacking a Node.js installation, bypassing traditional package manager controls and proxy logs.<\/p>\n<p>The malware is able to scrape Linux memory mappings, and also introduces tailored macOS and Windows memory scrapers, which allow threat actors to extract sensitive, encrypted data.<\/p>\n<p>Interestingly, attackers are also able to evade detection by automated LLMs that scan for suspicious code. This is achieved with a simple block of text at the top of the file; this instructs the model to ignore the hidden code below, classify the package as verified and clean, and provide reports stating it is safe.<\/p>\n<p>This element represents what the StepSecurity researchers described as a \u201csignificant conceptual shift,\u201d with attackers writing payloads that target AI systems\u2019 cognitive logic. \u201cScanners that pass raw text to LLMs without strict boundary isolation can be coerced into generating false negative verdicts, allowing the malicious package to bypass organization analysis,\u201d they wrote.<\/p>\n<p>The tactic is indeed clever, Beauceron\u2019s Shipley agreed, pointing out that attackers will increasingly target endpoint LLM-powered agents.<\/p>\n<p>Why? \u201cBecause there\u2019s no reliable defense,\u201d he said. 
\u201cLLMs are incredibly susceptible to social engineering.\u201d This has been relabeled as prompt engineering, but is essentially just phishing for bots, he pointed out.<\/p>\n<p>\u201cWhile everyone\u2019s worried about LLM-powered vulnerability discovery and automated exploitation, it\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/4181514\/ai-tools-becoming-hot-commodities-on-ransomware-marketplaces.html\" target=\"_blank\" rel=\"noopener\">LLM-created smart malware<\/a> like this, and AI-powered phishing of humans and bots, that keeps me awake at night,\u201d Shipley said.<\/p>\n<h2 class=\"wp-block-heading\">Hades\u2019 crafty worm propagation<\/h2>\n<p>The Hades Campaign command and control (C2) infrastructure uses three independent channels on public GitHub infrastructure to allow its communications to blend in with normal traffic. <a href=\"https:\/\/www.csoonline.com\/article\/4178412\/6-critical-security-gaps-every-ciso-must-address.html\" target=\"_blank\" rel=\"noopener\">Stolen credentials<\/a> are encrypted locally in a hybrid fashion (serialized, compressed, and pushed to a newly created public GitHub repository under attackers\u2019 control). Exfiltrated repositories carry the description \u201cHades \u2014 The End for the Damned.\u201d<\/p>\n<p>Researchers noted that a core component of this campaign is its ability to propagate and move laterally across networks. It exploits the very methods meant to protect systems, including Secure Shell (SSH) and Secure Copy Protocol (SCP), OpenID Connect (OIDC), and Supply-chain Levels for Software Artifacts (SLSA).<\/p>\n<p>For instance, when running inside a GitHub Actions workflow runner, the malware checks for OIDC variables, then bypasses registry signature policies and generates cryptographically signed SLSA provenance bundles via Sigstore. It can then fetch target libraries and inject the obfuscated script and JavaScript payload. 
From there, it can publish compromised versions to the Python Package Index (PyPI) repository and node package manager (npm) using the target\u2019s credentials and the generated Sigstore bundle.<\/p>\n<p>\u201cThis ensures that the published package appears to have valid, cryptographically verified build provenance from the organization\u2019s official GitHub Actions build environment,\u201d the researchers explained.<\/p>\n<p>Further, if a harvested GitHub token has write permissions, the malware will target repositories to extract secrets using GitHub Actions runners. This occurs \u201cdirectly from the runner\u2019s address space without ever writing them to disk or making a suspicious network connection,\u201d the researchers noted.<\/p>\n<p>The malware also targets rule files and configuration directories for 14 different AI agents and systems, planting custom prompt instructions or executing hooks that trigger a <em>bun run bootstrap<\/em> command when the victim loads or consults the workspace with their AI assistant. Finally, it establishes persistence on the workstation and monitors for the presence of the stolen token; if that token is revoked, it executes a wiper process to erase the user\u2019s files.<\/p>\n<p><em>This article originally appeared on <a href=\"https:\/\/www.infoworld.com\/article\/4182692\/meet-hades-the-malware-that-lies-to-ai-security-agents.html\" target=\"_blank\" rel=\"noopener\">InfoWorld<\/a>.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself. The newly-discovered Hades Campaign is a \u201chighly sophisticated\u201d supply chain compromise that targets Python developer environments and runs as soon as infected packages are imported. 
It uses the popular Bun toolkit to silently execute multi-layer payloads that can [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8423,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8422","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8422"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8422"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8422\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8423"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}