Meet Hades: The malware that lies to AI security agents | InfoWorld

Search

Menu

Topics

Close

Analytics<br>Artificial Intelligence<br>Careers<br>Cloud Computing<br>Data Management<br>Databases<br>Development Tools<br>Devops<br>Emerging Technology<br>Enterprise Buyer’s Guides<br>Generative AI<br>IT Leadership<br>Java<br>JavaScript<br>Microsoft .NET<br>Open Source<br>Programming Languages<br>Python<br>Security<br>Software Development<br>Technology Industry

by Taryn Plumb

Meet Hades: The malware that lies to AI security agents

news

Jun 9, 20265 mins

Researchers have uncovered a supply-chain attack that hides in Python packages, propagates like a worm, and tricks LLM-based code analysis systems into overlooking malicious payloads.

Credit: Maria Vonotna/Shutterstock

Threat actors are continuing their onslaught against software supply chains, now with malware named after death itself.

The newly-discovered Hades Campaign is a &ldquo;highly sophisticated&rdquo; supply chain compromise that targets Python developer environments and runs as soon as infected packages are imported. It uses the popular Bun toolkit to silently execute multi-layer payloads that can extract sensitive data, move laterally across compromised systems, exploit common security frameworks, and even hijack AI gatekeeper analyzer systems via adversarial prompt injection.

Notably, the campaign exploited the popular C++ library ensmallen, as well as packages in the computational biology, bioinformatics, and genotype-phenotype analysis ecosystems.

The most novel thing about this malware is its combination of advanced tactics, noted David Shipley of Beauceron Security. He noted that we&rsquo;ve seen memory-focused malware, we&rsquo;ve seen attacks that attempt to defuse large language model (LLM) powered analysis with hidden prompts, and we&rsquo;ve seen malware with wiper capabilities.

&ldquo;But all three, in a fast moving mass propagating worm, is its own kind of nightmare,&rdquo; he said. &ldquo;And I suspect this is the way of the future.&rdquo;

How Hades works

The Hades Campaign was discovered by researchers at StepSecurity, who called it the latest evolution of the Miasma threat actor. The researchers previously described Miasma attacks that had sent self-replicating worms to perform multi-cloud credential sweeps, caused infected repositories to execute code when folders were accessed in integrated development environments (IDEs) or by AI agents, and used techniques that scanned and read Linux process memory.

Hades uses the same credential harvesting methods, self-replicating worm logic, and GitHub-based exfiltration patterns, the researchers noted. In addition to ensmallen, compromised packages include mflux-streamlit, nhmpy, ppkt2synergy, embiggen, gpsea, and pyphetools.

The campaign&rsquo;s entry point is a simple, obfuscated script embedded inside a Python package&rsquo;s __init__.py file, a critical building block that gives Python the ability to recognize packages and import modules. Once they gain access, threat actors drop a precompiled Bun runtime binary and executes its JavaScript payload. Bun allows the malware to run complex JavaScript tasks in environments lacking a Node.js installation, bypassing traditional package manager controls and proxy logs.

The malware is able to scrape Linux memory mappings, and also introduces tailored macOS and Windows memory scrapers, which allow threat actors to extract sensitive, encrypted data.

Interestingly, attackers are also able to evade detection by automated LLMs that scan for suspicious code. This is achieved with a simple block of text at the top of the file; this instructs the model to ignore the hidden code below, classify the package as verified and clean, and provide reports stating it is safe.

This element represents what the StepSecurity researchers described as a &ldquo;significant conceptual shift,&rdquo; with attackers writing payloads that target AI systems&rsquo; cognitive logic. &ldquo;Scanners that pass raw text to LLMs without strict boundary isolation can be coerced into generating false negative verdicts, allowing the malicious package to bypass organization analysis,&rdquo; they wrote.

The tactic is indeed clever, Beauceron&rsquo;s Shipley agreed, pointing out that attackers will increasingly target endpoint LLM-powered agents.

Why? &ldquo;Because there&rsquo;s no reliable defense,&rdquo; he said. &ldquo;LLMs are incredibly susceptible to social engineering.&rdquo; This has been relabeled as prompt engineering, but is essentially just phishing for bots, he pointed out.

&ldquo;While everyone&rsquo;s worried about LLM-powered vulnerability discovery and automated exploitation, it&rsquo;s LLM-created smart malware like this, and AI-powered phishing of humans and bots, that keeps me awake at night,&rdquo; Shipley said.

Hades&rsquo; crafty worm propagation

The Hades Campaign command and control (C2) infrastructure uses three independent channels on public GitHub infrastructure to allow its communications to...