The Hades campaign is a cross-registry supply chain attack targeting PyPI, npm, and RubyGems via the leaked Miasma toolkit. Attackers deploy malicious wheel artifacts and setup.pth files to exfiltrate CI/CD credentials and environment variables. The campaign utilizes an "AI Safety-Evasion Paradox," injecting terminology related to biological and nuclear weaponry into the codebase. This triggers safety guardrails in AI-based security scanners, forcing the models to terminate analysis to avoid policy violations, thereby creating a blind spot that allows the malicious payload to bypass detection. Impact includes 19 poisoned PyPI packages and approximately 304 affected software components across 73 GitHub repositories.
-
Campaign Overview & Scope
- Cross-ecosystem targeting: Simultaneous attacks across PyPI, npm, and RubyGems registries.
- Distribution scale: 19 PyPI packages were poisoned using 37 malicious wheel artifacts.
- Infrastructure impact: Medium-confidence data indicates 304 affected software components and 73 Microsoft GitHub repositories.
-
Technical Execution & Deployment
- Framework utilization: Weaponization of the leaked Miasma toolkit for payload orchestration.
- Execution vectors: Use of
*-setup.pthfiles to trigger automatic execution during package installation. - Delivery method: Deployment of malicious
.whl(wheel) artifacts to bypass standard source-code reviews.
-
The AI Safety-Evasion Paradox
- Adversarial injection: Intentional insertion of "forbidden" content regarding nuclear and biological weapons.
- Guardrail triggering: AI scanners identify the forbidden text and trigger safety failsafes.
- Evasion result: The AI ceases analysis to comply with safety policies, leaving the actual malicious payload undetected.
-
Objectives & Exfiltration Targets
- Credential theft: Primary focus on exfiltrating secrets stored in environment variables.
- Pipeline compromise: Targeting GitHub Actions workflows and CI/CD configuration files.
- Asset acquisition: Theft of deployment tokens and sensitive infrastructure credentials.
-
Defensive Actions & Mitigation
- Dependency management: Implementation of strict version pinning and checksum verification for all registry artifacts.
- Secret hygiene: Restricting environment variable access within CI/CD pipelines to the minimum necessary scope.
- AI Tooling updates: Transitioning to security scanners that can isolate adversarial "safety prompts" without aborting full payload analysis.
Related posts
- Unit 42 Threat Intelligence — The npm Threat Landscape: Attack Surface and Mitigations (Updated May 1)
- Threatlocker
- Panther
- Brside
- Strongestlayer
- Cofense
- Stepsecurity
- feeds.feedburner.com — Hades PyPI Attack: 19 Packages Poisoned to Auto-Run Bun Credential Stealer
- Thehackernews
- techjacksolutions.com — Open Source Package Registries / GitHub / CI/CD — Vulnerability Rollup (2026-06-11)
- tomshardware.com — New malware campaign tricks AI scanners with fake nuclear weapon prompts — malicious code triggers safety failsafes so scanners skip the payload
- Fugumt
- Getaibook
- Infoworld
- Cybersecuritydive
- Cltc
- Reuters
- Iafrica
- Trmlabs
- Fortinet
- Boozallen
- Techradar
- techjacksolutions.com — Mistral AI / AI Supply Chain (Shai-Hulud Campaign) — Vulnerability Rollup (2026-05-15)
- arXiv (Computer Science - Cryptography and Security) — Scalable Malware Family Classification Using Quantum Kernel Based Machine Learning
- Fidelity
- Markets
- Darktrace
- Infosecurity-magazine
- Briefglance
- arXiv (Computer Science - Cryptography and Security) — PYPILINE: Malicious PyPI Package Detection via Suspicious API Knowledge and Agent Workflow
- Papers
- feeds.feedburner.com — Microsoft Details Windows Clipper Malware Campaign Using USB LNK Worm and Tor-Based C2
- bleepingcomputer.com — USB worm spreads crypto-stealing malware via Windows shortcut files
- Cybersecurityintelligence
- Pwc
- Uscsinstitute
- Jdsupra
- Pymnts
- Cybelangel
- Blog
- Security Affairs — Tor-Based Clipper Malware Targets Wallet Seed Phrases
- techjacksolutions.com — Shai-Hulud Wave 3: Forged Provenance, P2P Exfiltration, and IDE Backdoors Mark a New Threshold in npm Supply Chain Attacks
- Stepsecurity
- Flare
- Fortiguard
- techjacksolutions.com — Shai-Hulud Worm Chains GitHub Actions Weaknesses to Compromise 520M npm/PyPI Downloads with Valid SLSA Provenance
- Centripetal