Bottom line: Hades is a supply-chain malware that infects Python packages with specialized prompt-injection logic to compromise both automated LLM scanners and systems with memory access.
A new malware strain called Hades infiltrates Python development environments and leverages prompt-injection attacks to outsmart AI-driven code analysis. The campaign combines memory scraping, self-replicating worm mechanics, and targeted deception of LLM security scanners.
The Hades campaign discovered by StepSecurity represents a highly targeted supply-chain compromise that infects Python development environments and executes immediately upon importing the infected packages. It exploits the popular Bun toolkit to silently execute multi-stage payloads capable of extracting sensitive data, migrating laterally across compromised systems, exploiting commonly used security frameworks, and attacking AI-driven analysis systems through adversarial prompt injection.
StepSecurity classifies Hades as the latest evolution of the Miasma threat actor. The campaign has infiltrated several popular open-source packages, including the C++ library ensmallen as well as packages in the computational biology, bioinformatics, and genotype-phenotype analysis spaces (mflux-streamlit, nhmpy, ppkt2synergy, embiggen, gpsea, pyphetools). The entry point is a simple obfuscated script in the package’s __init__.py file. Once successful access is gained, the attackers drop a pre-compiled Bun runtime binary and execute their JavaScript payload. Bun enables the malware to execute complex JavaScript tasks in environments without Node.js installation, bypassing traditional package manager controls and proxy protocols.
The malware can read Linux memory mappings and introduces customized memory scrapers for macOS and Windows, enabling attackers to extract sensitive encrypted data. Particularly noteworthy is its ability to evade automated LLM scanners: by means of a text block at the beginning of the file, the model is instructed to ignore the hidden code, mark the package as verified, and generate reports declaring it as safe.
According to StepSecurity researchers, this element represents a “significant conceptual shift”: attackers are now writing payloads that target the cognitive logic of AI systems. Scanners that pass raw text to LLMs without strict boundary isolation can be induced to generate false negatives and classify malware packages as clean. David Shipley of Beauceron Security regards this development as a harbinger of future attack patterns: the combination of memory-focused techniques, hidden LLM deception, and wiper capabilities in a rapidly spreading worm variant corresponds to a qualitatively new attack scenario for which there are currently no reliable defensive mechanisms.
Source: www.csoonline.com · Published 9 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.5.